From db3b228ec0f48caa966b999ee4c024bccebfb575 Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 19:42:25 +0000
Subject: [PATCH 1/6] Tighten publish permissions

---
 .github/workflows/publish.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2890aab..d3fc6ed 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,8 @@ on:
 tags:
 - "*"
 
+permissions: {}
+
 jobs:
 build:
 name: Build packages

From 041105610028e7989734f38794a056577a3c4557 Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 19:45:40 +0000
Subject: [PATCH 2/6] Fix GitHub release creation for immutable releases

---
 .github/workflows/publish.yml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d3fc6ed..357a4d4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -84,11 +84,6 @@ jobs:
 gh release create
 "$GITHUB_REF_NAME"
 --repo "$GITHUB_REPOSITORY"
+ --generate-notes
 --title "${GITHUB_REPOSITORY#*/} $GITHUB_REF_NAME"
- - name: Upload artifact signatures to GitHub Release
- env:
- GH_TOKEN: ${{ github.token }}
- run: >-
- gh release upload
- "$GITHUB_REF_NAME" dist/**
- --repo "$GITHUB_REPOSITORY"
+ dist/**

From 3b9f79de639bee8875e74e8afea53516557c1b62 Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 19:46:49 +0000
Subject: [PATCH 3/6] Skip signing files for GitHub releases

---
 .github/workflows/publish.yml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 357a4d4..43f15a5 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
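Review bot: The top-level `permissions: {}` makes every job's GITHUB_TOKEN carry no permissions at all unless the job declares its own set, and the `build` job that starts at the end of this hunk declares none here (a job-level `contents: read` only arrives in the last patch of this series). Nothing in the file records that default-deny intent, so a comment above the new key would keep a later edit from "fixing" it by widening the top-level block: `# Default-deny: every job must declare the GITHUB_TOKEN permissions it needs.` The `jobs:` mapping continues outside the hunk, so the publishing job's own `permissions` block cannot be checked from here; if it relies on PyPI trusted publishing it must still grant `id-token: write` at job level.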
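Review bot: The release assets are attached with the bare glob `dist/**`; inside this `run: >-` step bash expands it without `globstar`, so it behaves like `dist/*`, and if `dist/` ever contains a subdirectory (or nothing matches and the literal pattern is passed through) `gh release create` fails after the tag has already been resolved. Naming the artefact types is both stricter and matches the wheel/sdist pair the workflow builds: `dist/*.whl dist/*.tar.gz`. Because an immutable release cannot have assets added or replaced afterwards, it is also worth passing `--verify-tag` so the release is only created against a tag that already exists on the remote rather than one created implicitly by the command. The step's `name`, `env` and `run: >-` lines sit above the hunk, and the command continues from the `gh release create` context line.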
@@ -71,12 +71,6 @@ jobs:
 with:
 name: python-package-distributions
 path: dist/
- - name: Sign packages
- uses: sigstore/gh-action-sigstore-python@v3.0.0
- with:
- inputs: >-
- ./dist/*.tar.gz
- ./dist/*.whl
 - name: Create GitHub Release
 env:
 GH_TOKEN: ${{ github.token }}

From 0dfb7d2700866d99af9322d9eb4ddb0657978573 Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 20:13:10 +0000
Subject: [PATCH 4/6] Upgrade Actions

---
 .github/workflows/publish.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 43f15a5..b930f1c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,11 +15,11 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v6
 with:
 python-version: "3.13"
 - name: Build packages
@@ -27,7 +27,7 @@ jobs:
 pip install -r requirements/testing.txt
 make package
 - name: Upload packages
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: python-package-distributions
 path: dist/
@@ -46,7 +46,7 @@ jobs:
 
 steps:
 - name: Download packages
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@v8
 with:
 name: python-package-distributions
 path: dist/
@@ -67,7 +67,7 @@ jobs:
 
 steps:
 - name: Download packages
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@v8
 with:
 name: python-package-distributions
 path: dist/

From ba9cabb2c48da2d6f86af07094b857ccc55cf656 Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 20:14:04 +0000
Subject: [PATCH 5/6] Drop id-token for GitHub releases

---
 .github/workflows/publish.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b930f1c..d33d9e6 100644
--- a/.github/workflows/publish.yml
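Review bot: Removing the `Sign packages` step leaves the wheel and sdist attached by the `Create GitHub Release` step directly below it with no signature or provenance, and nothing in the workflow now says why. Even if the publishing job attests the distributions on the PyPI side (not visible in this hunk), that does not cover the copies on the GitHub release, which consumers can download directly, so the decision should be written down above the `Create GitHub Release` step, e.g. `# Release assets are attached unsigned; obtain verified artifacts from PyPI.`, adjusted to whatever the verified channel actually is. If provenance for the release assets is still wanted, GitHub's `actions/attest-build-provenance` action can produce it without a sigstore client on the runner. The `Create GitHub Release` step continues past the end of the hunk.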
+++ b/.github/workflows/publish.yml
@@ -63,7 +63,6 @@ jobs:
 url: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}
 permissions:
 contents: write
- id-token: write
 
 steps:
 - name: Download packages

From 67d2f46d9d86963c65914881da780131e9b829a7 Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 20:43:58 +0000
Subject: [PATCH 6/6] Add read permission for package building

---
 .github/workflows/publish.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d33d9e6..74e0e26 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,6 +12,8 @@ jobs:
 name: Build packages
 runs-on: ubuntu-24.04
 environment: publish
+ permissions:
+ contents: read
 
 steps:
 - name: Checkout
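Review bot: Dropping `id-token: write` is consistent with the signing step removed earlier in this series, but the remaining `contents: write` is now the broadest grant in the file and the hunk gives no hint of what needs it. A one-line comment keeps the next reviewer from widening or narrowing it blindly: `# contents: write is needed by gh release create; no OIDC token since release assets are no longer signed.` The job's `steps:` list continues outside the hunk.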
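Review bot: `contents: read` is the right minimum for a build job whose checkout already runs with `persist-credentials: false`, but the same job keeps `environment: publish` two lines above the new block, so `pip install -r requirements/testing.txt` and `make package` run with access to whatever secrets and variables that environment holds, and a job that only produces `dist/` gains nothing from it. If the environment carries a publishing credential, the token scope added here is undercut by that exposure, and moving `environment: publish` to the job that actually publishes (leaving the build job without an environment) keeps secret scope and token scope aligned. If it is used purely as an approval gate, record that next to the new block, e.g. `# environment: publish acts as an approval gate only; no secrets are consumed by the build.`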