diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fba2923..00e3696 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,10 +19,10 @@ jobs:
 fail-fast: false
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ matrix.python-version }}
@@ -38,9 +38,9 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.12"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ddfa717..00a2652 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,7 +17,7 @@ jobs:
 name: analyze
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Detect languages
 id: detect
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fc42a78..fc9acee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,10 +14,10 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.12"
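Review bot: The trailing `# v6` comments on the new SHA pins in this hunk record only the major line, so a reader cannot tell which upstream release `de0fac2e…` or `a309ff8b…` was resolved from without looking it up, and the pin cannot be re-verified against a tag on review. Record the exact tag the SHA was taken from, e.g. `# v6.<minor>.<patch>` (placeholder — copy the tag from the upstream release), which is also the form Dependabot's github-actions updater keeps in sync with the SHA when it is configured. The same applies to every other pin in this commit: the lint hunk below, the codeql.yml hunk, and the release.yml hunks for checkout, setup-python, upload-artifact and download-artifact. The enclosing job definitions start before each hunk, so I cannot see whether a dependabot or renovate config covers these files.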
@@ -36,10 +36,10 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.12"
@@ -71,7 +71,7 @@ jobs:
 python -m twine check dist/*
 - name: Upload distributions
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: python-dist
 path: dist/*
@@ -79,20 +79,27 @@ jobs:
 publish-pypi:
 needs: build
 runs-on: ubuntu-latest
+ # Trusted publishing (OIDC): no long-lived PYPI_API_TOKEN secret. PyPI
+ # verifies the GitHub OIDC identity for this repo/workflow/environment.
+ # Operator one-time step: add a PyPI trusted publisher for project
+ # "instinct-mcp" (owner WRG-11, repo instinct, workflow release.yml,
+ # environment pypi), then delete the PYPI_API_TOKEN repo secret.
+ environment:
+ name: pypi
+ url: https://pypi.org/project/instinct-mcp/
 permissions:
- contents: read
+ id-token: write
 steps:
 - name: Download distributions
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: python-dist
 path: dist
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 @ 2026-02-18
 with:
 packages-dir: dist
- password: ${{ secrets.PYPI_API_TOKEN }}
 skip-existing: true
 create-release:
@@ -103,7 +110,7 @@ jobs:
 contents: write
 steps:
 - name: Download distributions
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: python-dist
 path: dist
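Review bot: In the publish-pypi hunk the trust boundary now sits on the `pypi` environment added under `environment: name: pypi`, but neither the new comment block nor the job says that this environment must carry protection rules; PyPI's trusted publisher accepts a token from any run of release.yml in this repo that reaches this job with that environment, so without a deployment branch/tag restriction or a required reviewer on the environment, the change removes the long-lived secret but not the ability of anyone who can start the workflow to publish (the workflow's `on:` triggers are outside the hunk, so I cannot confirm how it is invoked). Suggest extending the comment block with a line such as `# The pypi environment must restrict deployments (release tags and/or required reviewers); the OIDC token is only as trustworthy as those rules.` Separately, the pin comment `# release/v1 @ 2026-02-18` records a moving branch and a date rather than the release the SHA corresponds to; recording the tag instead (placeholder `# v1.<x>.<y>`, taken from the upstream release) makes the pin auditable and matches the `# vN` style on the other pins. The `password:` removal and the `contents: read` → `id-token: write` swap are consistent with trusted publishing, and since this job never checks out the repo, dropping `contents: read` loses nothing.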