From 469c22e7a4158aa9cf13543c2614ef2561b57e95 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 12:45:34 -0400 Subject: [PATCH 1/9] ci/python-publish: bump, use trusted publishing Signed-off-by: William Woodruff --- ci/python-publish.yml | 56 +++++++++++++++++++++++++++---------------- 1 file changed, 35 insertions(+), 21 deletions(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index bdaab28a48..160b12fdcf 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,4 +1,4 @@ -# This workflow will upload a Python Package using Twine when a release is created +# This workflow will upload a Python Package to PyPI when a release is created # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries # This workflow uses actions that are not certified by GitHub. 
@@ -12,28 +12,42 @@ on: release: types: [published] -permissions: - contents: read - jobs: - deploy: + release-build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: "3.x" + + - name: build release distributions + run: | + # NOTE: put your own distribution build steps here. + python -m pip install build + python -m build + + - name: upload distributions + uses: actions/upload-artifact@v4 + with: + name: release-dists + path: dist/ + + pypi-publish: runs-on: ubuntu-latest + needs: + - release-build + permissions: + id-token: write steps: - - uses: actions/checkout@v3 - - name: Set up Python - uses: actions/setup-python@v3 - with: - python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install build - - name: Build package - run: python -m build - - name: Publish package - uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 - with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} + - name: Retrieve release distributions + uses: actions/download-artifact@v4 + with: + name: release-dists + path: dist/ + + - name: Publish release distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 From f4c64fb836ab3e5b6e5c99f3fb47241e56178445 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 15:40:07 -0400 Subject: [PATCH 2/9] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) --- ci/python-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 160b12fdcf..ec73a48370 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
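Review bot: The `release-build` job produces the artifacts that `pypi-publish` uploads, yet every action it uses (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`, plus `actions/download-artifact@v4` in the publish job) is referenced by a mutable tag, so the trust gained by pinning the publish action to a commit later in this series (PATCH 5/9) does not extend to the steps that decide what ends up in `dist/`; pin these the same way, e.g. `uses: actions/checkout@<commit-sha> # v4`. Removing the top-level `permissions: contents: read` also leaves `release-build` running with the repository's default token scope until PATCH 3/9 restores it; a job-level `permissions: contents: read` under `release-build` states the intent locally either way. Since nothing after checkout needs the token, the checkout step could add `with: persist-credentials: false`. Finally, `python -m pip install build` installs an unpinned build frontend at release time; pinning it (or using a constraints file) keeps the release build reproducible. The `on:` block this hunk belongs to starts above the hunk.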
@@ -23,13 +23,13 @@ jobs: with: python-version: "3.x" - - name: build release distributions + - name: Build release distributions run: | # NOTE: put your own distribution build steps here. python -m pip install build python -m build - - name: upload distributions + - name: Upload distributions uses: actions/upload-artifact@v4 with: name: release-dists From 231e6b5f6f635625f600d423d7fba591d99dfa47 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 16:41:37 -0400 Subject: [PATCH 3/9] python-publish: contents: read at toplevel Signed-off-by: William Woodruff --- ci/python-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index ec73a48370..51b96ca364 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: release-build: runs-on: ubuntu-latest From e23021529279bb3abf1f7253df1e3eb3bbe23a51 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 16:42:35 -0400 Subject: [PATCH 4/9] python-publish: explanatory comment Signed-off-by: William Woodruff --- ci/python-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 51b96ca364..7675071fe2 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -43,6 +43,7 @@ jobs: needs: - release-build permissions: + # IMPORTANT: this permission is mandatory for trusted publishing id-token: write steps: From 1fa8e1835028aa47cdb324027fc7c3bd8f93f875 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 16:49:45 -0400 Subject: [PATCH 5/9] python-publish: copy gem-push.yml's pattern Signed-off-by: William Woodruff --- ci/python-publish.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 7675071fe2..bb92010917 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
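Review bot: The restored top-level `permissions: contents: read` does not carry into `pypi-publish`, because that job's own `permissions: id-token: write` block (added in PATCH 1/9 and visible in the PATCH 4/9 hunk on this line) replaces the workflow-level set for that job rather than merging with it, leaving `contents` unset (none) there; that is the right outcome for a job that only downloads an artifact and publishes, but it is easy to misread as inheriting read access. A one-line comment next to the job-level block would prevent that, e.g. `# NOTE: a job-level permissions block replaces the workflow-level one; contents is intentionally none here`. The `jobs:` mapping continues past this hunk.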
@@ -54,4 +54,6 @@ jobs: path: dist/ - name: Publish release distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + # To automatically get updates, change this to: + # uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14 From e44c7b519f7b4a81d578eddc0fa12e6463d45271 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 16:57:58 -0400 Subject: [PATCH 6/9] python-publish: environment Signed-off-by: William Woodruff --- ci/python-publish.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index bb92010917..bf132201c2 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -46,6 +46,13 @@ jobs: # IMPORTANT: this permission is mandatory for trusted publishing id-token: write + # Dedicated environments with protections for publishing are strongly recommended. + # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules + environment: + name: pypi + # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: + # url: https://pypi.org/p/YOURPROJECT + steps: - name: Retrieve release distributions uses: actions/download-artifact@v4 From 5ad49471fe52633f0a7355d1a085bdc6e1d66bcf Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 16 Aug 2024 12:58:55 -0400 Subject: [PATCH 7/9] Update ci/python-publish.yml Co-authored-by: Gagan Deep --- ci/python-publish.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index bf132201c2..165ac0a4a8 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
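Review bot: The `# v1.8.14` comment trailing the commit-pinned `uses:` line is the only place the human-readable version lives, and nothing verifies that it matches the SHA; the pattern is fine, but the repository should pair it with Dependabot or Renovate configured for the `github-actions` ecosystem so the SHA and the comment are bumped together, otherwise the comment drifts (the later bumps in PATCH 7/9 and 9/9 are each manual edits). The comment offering `release/v1` as the way to "automatically get updates" trades an immutable ref for a moving branch, and it would help to say so, e.g. `# (release/v1 is a moving ref; the commit SHA below is the pinned, auditable option)`. The step list this hunk ends belongs to `pypi-publish`, whose start is above the hunk.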
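Review bot: `environment: name: pypi` only acts as a protection if an environment of that exact name exists in the repository settings with reviewers or deployment-branch rules attached, and the name is also carried in the OIDC token that the trusted-publishing step presents; if the publisher registered on PyPI was configured with an environment name that differs from this one, the publish step will presumably fail on the claim mismatch, which the added comment does not mention. Suggest extending the comment with `# The environment name must match the one registered for the PyPI trusted publisher; protection rules are configured under repository Settings > Environments, not in this file.`. The `pypi-publish` job this block belongs to starts above the hunk and its `steps:` continue below it.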
@@ -63,4 +63,5 @@ jobs: - name: Publish release distributions to PyPI # To automatically get updates, change this to: # uses: pypa/gh-action-pypi-publish@release/v1 - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14 + uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0 + From 26ad7a75496845c3b4e74d113ff8f6f645fa871b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 20 Aug 2024 13:39:26 -0400 Subject: [PATCH 8/9] Update ci/python-publish.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) --- ci/python-publish.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 165ac0a4a8..72fdda2ff1 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -52,6 +52,10 @@ jobs: name: pypi # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: # url: https://pypi.org/p/YOURPROJECT + # + # ALTERNATIVE: if your GitHub Release name is the PyPI project version string + # ALTERNATIVE: exactly, uncomment the following line instead: + # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} steps: - name: Retrieve release distributions From bc709b6e00fad0ad44efb7d35eaa31778a651c41 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 4 Sep 2024 17:08:14 -0400 Subject: [PATCH 9/9] python-publish: bump commit/ref Signed-off-by: William Woodruff --- ci/python-publish.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 72fdda2ff1..710ca3031b 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
@@ -67,5 +67,4 @@ jobs: - name: Publish release distributions to PyPI # To automatically get updates, change this to: # uses: pypa/gh-action-pypi-publish@release/v1 - uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0 - + uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1