From 479c6fe5175e8adf1463c8fc4a0719bd566954dc Mon Sep 17 00:00:00 2001
From: Stuart Mumford
Date: Mon, 26 Jan 2026 13:50:16 +0000
Subject: [PATCH 1/3] Add permissions to trusted publishing example
---
 docs/source/trusted_publishing.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/source/trusted_publishing.rst b/docs/source/trusted_publishing.rst
index 478e8e2..47ffa0c 100644
--- a/docs/source/trusted_publishing.rst
+++ b/docs/source/trusted_publishing.rst
@@ -43,9 +43,11 @@ We also add an if statement to the job so that it only runs on tags starting wit
 upload:
 if: startsWith(github.ref, 'refs/tags/v')
- name: Use built dists and test upload
+ name: Upload built artifacts to PyPI
 runs-on: ubuntu-latest
 needs: [build]
+ permissions:
+ id-token: write
 steps:
 - name: Download artifacts
 uses: actions/download-artifact@v5
From f3e2535bb44be9046b6e9fdc710be586a8a7063a Mon Sep 17 00:00:00 2001
From: Stuart Mumford
Date: Mon, 26 Jan 2026 13:58:11 +0000
Subject: [PATCH 2/3] Add comment on environment
---
 docs/source/trusted_publishing.rst | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/source/trusted_publishing.rst b/docs/source/trusted_publishing.rst
index 47ffa0c..27e28b6 100644
--- a/docs/source/trusted_publishing.rst
+++ b/docs/source/trusted_publishing.rst
@@ -61,3 +61,4 @@ We also add an if statement to the job so that it only runs on tags starting wit
 You will also need to `Add a Trusted Publisher `__ to your PyPI project.
+If, as recommended, you are using a deployment environment then don't forget to add that to the job description as well.
From e75329a88568ed3f549ef1f1d8554158222d27a3 Mon Sep 17 00:00:00 2001
From: Stuart Mumford
Date: Mon, 26 Jan 2026 14:02:25 +0000
Subject: [PATCH 3/3] Bump download-artifact
---
 .github/workflows/test_publish.yml | 2 +-
 .github/workflows/test_publish_pure_python.yml | 2 +-
 docs/source/trusted_publishing.rst | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test_publish.yml b/.github/workflows/test_publish.yml
index b6b2adc..e0a2460 100644
--- a/.github/workflows/test_publish.yml
+++ b/.github/workflows/test_publish.yml
@@ -57,7 +57,7 @@ jobs:
 needs: [release]
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@v5
+ uses: actions/download-artifact@v7
 with:
 merge-multiple: true
 pattern: dist-*
diff --git a/.github/workflows/test_publish_pure_python.yml b/.github/workflows/test_publish_pure_python.yml
index 34326f5..023defd 100644
--- a/.github/workflows/test_publish_pure_python.yml
+++ b/.github/workflows/test_publish_pure_python.yml
@@ -37,7 +37,7 @@ jobs:
 needs: [setenv]
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@v5
+ uses: actions/download-artifact@v7
 with:
 merge-multiple: true
 pattern: dist-*
diff --git a/docs/source/trusted_publishing.rst b/docs/source/trusted_publishing.rst
index 27e28b6..ef11a09 100644
--- a/docs/source/trusted_publishing.rst
+++ b/docs/source/trusted_publishing.rst
@@ -50,7 +50,7 @@ We also add an if statement to the job so that it only runs on tags starting wit
 id-token: write
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@v5
+ uses: actions/download-artifact@v7
 with:
 merge-multiple: true
 pattern: dist-*