From 44be60f0672715878b16662edae29bedaa0de25c Mon Sep 17 00:00:00 2001 From: Alex Tomkins Date: Fri, 27 Mar 2026 19:42:24 +0000 Subject: [PATCH 1/5] Tighten publish permissions --- .github/workflows/publish.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 1a9cdcc..8f3828c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,8 @@ on: tags: - "*" +permissions: {} + jobs: build: name: Build packages From 18c771394dea85552cb85c55cbabdcc919e16585 Mon Sep 17 00:00:00 2001 From: Alex Tomkins Date: Fri, 27 Mar 2026 19:45:40 +0000 Subject: [PATCH 2/5] Fix GitHub release creation for immutable releases --- .github/workflows/publish.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8f3828c..f47b580 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -84,11 +84,6 @@ jobs: gh release create "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" + --generate-notes --title "${GITHUB_REPOSITORY#*/} $GITHUB_REF_NAME" - - name: Upload artifact signatures to GitHub Release - env: - GH_TOKEN: ${{ github.token }} - run: >- - gh release upload - "$GITHUB_REF_NAME" dist/** - --repo "$GITHUB_REPOSITORY" + dist/** From bf18f9da4bfd4ae5a39f81d83497d3117d42f109 Mon Sep 17 00:00:00 2001 From: Alex Tomkins Date: Fri, 27 Mar 2026 19:46:48 +0000 Subject: [PATCH 3/5] Skip signing files for GitHub releases --- .github/workflows/publish.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f47b580..8a60f42 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
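Review bot: With `permissions: {}` at workflow level every job inherits a scopeless GITHUB_TOKEN, and the build job (its steps in the later hunks are checkout with `persist-credentials: false` and upload-artifact, with no job-level `permissions:` visible) then only checks out successfully because the repository is public, as far as I can tell. Declaring `permissions:` with `contents: read` on the build job states what it actually needs and survives a visibility change. Separately, the trigger context `tags: - "*"` means any pushed tag, not only release tags, starts this publish pipeline; narrowing it to the project's version pattern (for example `"v[0-9]*"`, if that is the convention) limits what a stray tag can kick off. Whether the build job declares permissions elsewhere is outside this hunk.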
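Review bot: `dist/**` on the added last line is expanded by the default bash shell of `run:`, where `**` without `globstar` behaves exactly like `*`, so the asset list is "everything directly under dist/" including any subdirectory or stray file the download-artifact step leaves there, which gh would presumably reject or attach verbatim. Pinning the glob to the package types, `dist/*.tar.gz dist/*.whl`, makes the uploaded assets explicit and matches the pattern the removed Sign step used. This hunk also drops the separate signature upload, so the assets now go up with no signature or checksum at all; if signing is not coming back, a `sha256sum dist/*.tar.gz dist/*.whl > dist/SHA256SUMS` step before the create at least gives consumers something to verify. The `run: >-` header and any `shell:` override for this step are outside the hunk, so the globstar point assumes the default shell.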
@@ -71,12 +71,6 @@ jobs: with: name: python-package-distributions path: dist/ - - name: Sign packages - uses: sigstore/gh-action-sigstore-python@v3.0.1 - with: - inputs: >- - ./dist/*.tar.gz - ./dist/*.whl - name: Create GitHub Release env: GH_TOKEN: ${{ github.token }} From 126d5e600762ef7dcb607ce7420161fea487babb Mon Sep 17 00:00:00 2001 From: Alex Tomkins Date: Fri, 27 Mar 2026 20:13:09 +0000 Subject: [PATCH 4/5] Upgrade Actions --- .github/workflows/publish.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8a60f42..b930f1c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: persist-credentials: false - name: Setup Python @@ -27,7 +27,7 @@ jobs: pip install -r requirements/testing.txt make package - name: Upload packages - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: python-package-distributions path: dist/ @@ -46,7 +46,7 @@ jobs: steps: - name: Download packages - uses: actions/download-artifact@v5 + uses: actions/download-artifact@v8 with: name: python-package-distributions path: dist/ @@ -67,7 +67,7 @@ jobs: steps: - name: Download packages - uses: actions/download-artifact@v5 + uses: actions/download-artifact@v8 with: name: python-package-distributions path: dist/ From b33c8b806820a3fa2ed917703a746476181df88a Mon Sep 17 00:00:00 2001 From: Alex Tomkins Date: Fri, 27 Mar 2026 20:14:04 +0000 Subject: [PATCH 5/5] Drop id-token for GitHub releases --- .github/workflows/publish.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b930f1c..d33d9e6 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -63,7 +63,6 @@ jobs: url: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }} permissions: contents: write - id-token: write steps: - name: Download packages