From 90f6ca6006f2c493679c239977654cb05ac3e4fd Mon Sep 17 00:00:00 2001
From: Robert Greathouse <124636554+robbykap@users.noreply.github.com>
Date: Wed, 1 Apr 2026 10:57:37 -0600
Subject: [PATCH 1/3] Migrate PyPI publishing to OIDC trusted publishers
Replace pypi_user/pypi_password secrets with OIDC trusted publisher authentication. Add permissions: id-token: write at workflow level as required by the reusable workflow in BYU-CS-Course-Ops/utils. See: BYU-CS-Course-Ops/utils#7
---
 .github/workflows/poetry_publish.yaml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/poetry_publish.yaml b/.github/workflows/poetry_publish.yaml
index c16fed5..66efde5 100644
--- a/.github/workflows/poetry_publish.yaml
+++ b/.github/workflows/poetry_publish.yaml
@@ -4,9 +4,9 @@ on:
 workflow_dispatch:
 push:
 branches: [master]
- pull_request:
- branches: [master]
- types: [merged]
+
+permissions:
+ id-token: write
 jobs:
 byu_pytest_utils_publish:
@@ -14,8 +14,5 @@ jobs:
 with:
 pypi_package: "byu_pytest_utils"
 secrets:
- pypi_user: ${{ secrets.PYPI_USER }}
- pypi_password: ${{ secrets.PYPI_PASSWORD }}
 discord_webhook_url: ${{ secrets.GHA_DISCORD_WEBHOOK }}
 discord_role: ${{ secrets.CICD_NOTIFY_DISCORD_ROLE }}
-
From 59a1ea751bd2c2535256e95e1c23dce27aa12677 Mon Sep 17 00:00:00 2001
From: Robert Greathouse <124636554+robbykap@users.noreply.github.com>
Date: Wed, 1 Apr 2026 11:00:33 -0600
Subject: [PATCH 2/3] Disable auto-trigger until OIDC trusted publisher is configured
The push trigger is temporarily removed to prevent failed workflow runs on merge. Re-enable it after: 1. BYU-CS-Course-Ops/utils#7 is merged 2. A trusted publisher is configured on pypi.org for this repo
---
 .github/workflows/poetry_publish.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/poetry_publish.yaml b/.github/workflows/poetry_publish.yaml
index 66efde5..28178cf 100644
--- a/.github/workflows/poetry_publish.yaml
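Review bot: In the first hunk of patch 1/3 the new workflow-level `permissions:` block lists only `id-token: write`, which leaves every unlisted scope, `contents` included, at none for the job and for the reusable workflow it calls. If the workflow in BYU-CS-Course-Ops/utils checks out the repository (not visible here), stating that need explicitly is more robust: add `contents: read` next to `id-token: write`. Declaring the block under `jobs.byu_pytest_utils_publish.permissions` instead of at the top level would also keep any job added later from inheriting the ability to mint OIDC tokens. The job definition, including its `uses:` reference, lies outside the hunk, so whether the called workflow is pinned to a commit SHA should be confirmed separately, since that workflow now runs with the publishing identity.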
+++ b/.github/workflows/poetry_publish.yaml
@@ -2,8 +2,9 @@ name: byu_pytest_utils Publish
 on:
 workflow_dispatch:
- push:
- branches: [master]
+ # TODO: Re-enable after OIDC trusted publisher is configured on pypi.org
+ # push:
+ # branches: [master]
 permissions:
 id-token: write
From 375ba4230db2e63a893a389511c67271712ab21a Mon Sep 17 00:00:00 2001
From: Robert Greathouse <124636554+robbykap@users.noreply.github.com>
Date: Wed, 1 Apr 2026 11:04:46 -0600
Subject: [PATCH 3/3] [skip ci] Revert to push trigger for poetry_publish.yaml
---
 .github/workflows/poetry_publish.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/poetry_publish.yaml b/.github/workflows/poetry_publish.yaml
index 28178cf..66efde5 100644
--- a/.github/workflows/poetry_publish.yaml
+++ b/.github/workflows/poetry_publish.yaml
@@ -2,9 +2,8 @@ name: byu_pytest_utils Publish
 on:
 workflow_dispatch:
- # TODO: Re-enable after OIDC trusted publisher is configured on pypi.org
- # push:
- # branches: [master]
+ push:
+ branches: [master]
 permissions:
 id-token: write
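Review bot: The hunk in patch 3/3 restores `push:` on `master` as a publish trigger about four minutes after patch 2/3 disabled it, and nothing in the series shows that either stated precondition (utils#7 merged, trusted publisher configured on pypi.org) has been met. `[skip ci]` in the subject suppresses only the run for that one commit, so every later push to master will request an OIDC token and attempt a release. Either keep `workflow_dispatch` as the sole trigger until the publisher is registered, or record the dependency in the file with a comment above the trigger, such as `# Publishes on every push to master; requires the PyPI trusted publisher registered for this workflow file`. When the publisher is registered on PyPI, limiting it to this repository and workflow filename (and to a protected environment, if the reusable workflow defines one) narrows which runs can publish.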