ci: use PyPI Trusted Publishing (OIDC) for releases

[madhavcodez]

Summary

Switches PyPI publishing from a long-lived PYPI_API_TOKEN secret to Trusted Publishing (OpenID Connect), as requested in #4008.

Trusted Publishing removes the static API token from CI entirely — there is no credential to leak or exfiltrate — and lets PyPI cryptographically verify that a release was built by this repository's workflow. It also unlocks PEP 740 attestations so users can confirm a published artifact matches what GitHub CI produced.

Changes (.github/workflows/pypi-publish.yaml)

• Add job-level permissions: id-token: write (mandatory for OIDC) alongside contents: read (still required because the job runs actions/checkout).
• Run the publish job in a dedicated pypi deployment environment (recommended by the PyPA docs for an extra protection boundary).
• Remove the with: user/password block — with OIDC the action authenticates automatically, so no credentials are passed.
• Pin pypa/gh-action-pypi-publish to a commit SHA (cef2210 = v1.14.0).

The publish action is SHA-pinned (rather than tag-pinned like the other actions in this repo) specifically because a malicious tag move on the release action is a supply-chain risk — which is the exact threat this issue is about. Happy to align the other actions to SHA pins in a follow-up if you'd prefer consistency, or to revert this one to @release/v1 if you'd rather keep the repo uniform.

⚠️ Setup required before this is active

This PR is the CI half of the migration. Two one-time maintainer steps are needed for it to publish successfully (a release run before these are done will fail at the publish step):

1. Register the Trusted Publisher on PyPI at https://pypi.org/manage/project/redis/settings/publishing/, with exactly:
   • PyPI project: redis
   • Owner: redis
   • Repository: redis-py
   • Workflow filename: pypi-publish.yaml
   • Environment name: pypi
2. Create the pypi GitHub Environment (Settings → Environments → New environment → pypi). Optional: add required reviewers for release gating.

After the first successful OIDC publish, the old PYPI_API_TOKEN secret can be deleted from repo secrets and revoked on PyPI.

Closes #4008

---

Note

Medium Risk
Release publishing depends on correct PyPI/GitHub OIDC and environment setup; misconfiguration blocks releases until fixed, but runtime library behavior is unchanged.

Overview
The PyPI publish workflow now uses Trusted Publishing (OIDC) instead of a static PYPI_API_TOKEN.

The build_and_package job gets id-token: write plus contents: read, runs in a pypi GitHub Environment (with PyPI project URL), and the publish step no longer passes user/password. pypa/gh-action-pypi-publish is pinned to commit cef2210 (v1.14.0) instead of @release/v1.

Maintainer setup (PyPI trusted publisher + pypi environment) is required before releases succeed; the old API token can be removed after the first OIDC publish.

^{Reviewed by Cursor Bugbot for commit 5e96e0f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[jit-ci]

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

[petyaslavova]

Hi @madhavcodez, thank you for your contribution! When we are ready with the additional steps, this PR will be merged.