From e66961c5e5349910bb4b51520e4c803c7ab61888 Mon Sep 17 00:00:00 2001
From: "Gavin M. Roy"
Date: Sun, 15 Feb 2026 13:58:46 -0500
Subject: [PATCH] Switch to trusted publishing for PyPI deploys

- Trigger on release published instead of tag push
- Use OIDC trusted publishing (id-token: write) instead of API token
- Split into build and publish jobs with artifact handoff
- Add pypi environment for trusted publisher configuration

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/deploy.yaml | 40 +++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 9228207..0750ac4 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,12 +1,14 @@
-name: Deployment
+name: Publish to PyPI
 on:
-  push:
-    branches-ignore: ["*"]
-    tags: ["*"]
+  release:
+    types: [published]
+
+permissions:
+  id-token: write
+
 jobs:
-  deploy:
+  build:
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -15,13 +17,29 @@ jobs:
 
       - name: Install uv
         uses: astral-sh/setup-uv@v5
-        with:
-          python-version: "3.14"
-      - name: Build package
+      - name: Set up Python
+        run: uv python install 3.14
+
+      - name: Build
         run: uv build
 
+      - name: Upload dist
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    steps:
+      - name: Download dist
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
       - name: Publish package
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.PYPI_PASSWORD }}
 
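Review bot: The workflow-level `permissions: id-token: write` added in this hunk grants the OIDC token to every job, including `build`, which only checks out and builds; the second hunk has the same issue because `publish` inherits the grant instead of declaring it. A top-level `permissions:` block also sets every unlisted scope to `none`, so `actions/checkout` in `build` may lose `contents: read` on a private repository. Keep the top-level block to `permissions:` / `  contents: read` and move `permissions:` / `  id-token: write` onto the `publish` job next to `environment: pypi`, so only the job that talks to PyPI can mint the OIDC token.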
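Review bot: The `publish` job runs `pypa/gh-action-pypi-publish@release/v1` and `actions/download-artifact@v4` under the OIDC credential while pinned to a mutable branch and tag, so whatever commit those refs resolve to at release time executes with publishing rights. Consider pinning each `uses:` in this job to a full commit SHA with the version in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha>  # release/v1`, and letting an update bot bump the pins. The `environment: pypi` line is where a required reviewer or a deployment-branch rule would gate uploads; that lives in repository settings and is not visible in this patch, so it is worth confirming it is configured. As a style point, `name: Build` drops "package" from the old step name while `Publish package` keeps it, leaving the step names in the two jobs inconsistent.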