Use trusted publishing for package uploads #45

krassowski · 2025-05-02T15:03:53Z

Use trusted publishing for package uploads

Copilot

Pull Request Overview

This PR aims to improve package upload security by using trusted publishing.

Upgrades the Python version from 3.8 to 3.9 in the workflow.
Splits the publishing flow into a "build" job that uploads artifacts and a "pypi-publish" job that downloads the artifacts and publishes the package to PyPI using the trusted publishing action.

.github/workflows/publish.yml

Co-authored-by: Copilot <[email protected]>

Copilot

This PR implements trusted publishing for package uploads by separating the build and publish processes in the GitHub Actions workflow.

Upgraded Python version from 3.8 to 3.9.
Split the workflow into a build job that uploads an artifact and a pypi-publish job that downloads the artifact and publishes to PyPI.

Comments suppressed due to low confidence (1)

.github/workflows/publish.yml:25

[nitpick] The artifact name contains spaces and uses a non-standard format. Consider renaming it to a more conventional format such as "docstring-to-markdown-dist-${{ github.run_number }}" to improve clarity and consistency.

name: docstring-to-markdown dist ${{ github.run_number }}

Use trusted publishing for package uploads

c7930a8

krassowski requested a review from Copilot May 2, 2025 15:05

Copilot AI reviewed May 2, 2025

View reviewed changes

.github/workflows/publish.yml Outdated Show resolved Hide resolved

Fix typo

f1d781b

Co-authored-by: Copilot <[email protected]>

krassowski requested a review from Copilot May 2, 2025 15:06

Copilot AI reviewed May 2, 2025

View reviewed changes

krassowski merged commit 1cdc9e1 into python-lsp:main May 2, 2025
7 checks passed

krassowski deleted the trusted-publisher branch May 2, 2025 15:07