From 4c8fee2bdf00df9b37e2a89a706d53dd90e0cecc Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sun, 7 Dec 2025 15:01:12 -0600
Subject: [PATCH 1/3] ci(release): Migrate to PyPI Trusted Publisher

why: Improve security by eliminating stored API tokens and enable package attestations
what:
- Add OIDC permissions (id-token, attestations) to release job
- Remove user/password authentication in favor of trusted publishing
- Enable attestations for supply chain security
- Fix deprecated skip_existing to skip-existing
---
 .github/workflows/tests.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d2a41f603..d8c5b6b56 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -91,6 +91,9 @@ jobs:
 runs-on: ubuntu-latest
 needs: build
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+ permissions:
+ id-token: write # Required for OIDC trusted publishing
+ attestations: write # Required for generating attestations
 strategy:
 matrix:
@@ -118,6 +121,5 @@ jobs:
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- user: __token__
- password: ${{ secrets.PYPI_API_TOKEN }}
- skip_existing: true
+ attestations: true
+ skip-existing: true
From e7ab9c57d4f1b67749592e3ef454864314edb2c4 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sun, 7 Dec 2025 15:01:42 -0600
Subject: [PATCH 2/3] docs(CHANGES): Document Trusted Publisher migration (#615)

---
 CHANGES | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index a497274c4..de6181c8f 100644
--- a/CHANGES
+++ b/CHANGES
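Review bot: `attestations: write` in the new job-level `permissions:` block (first hunk of `.github/workflows/tests.yml`) looks broader than the job needs. As far as I know that scope is for GitHub's own artifact-attestation actions, while the PyPI attestations produced by `pypa/gh-action-pypi-publish` are signed through the OIDC token, so `id-token: write` alone should be enough. Declaring `permissions:` on the job also sets every unlisted scope to none, so if a step outside this hunk checks out the repository, add `contents: read` explicitly instead of relying on the repository being public. No `environment:` key is visible here; adding one (for example `environment: pypi`) and naming it in the Trusted Publisher entry on PyPI narrows which runs of this workflow can obtain an upload token. The job body continues outside the hunk.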
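Review bot: The publish step in the second hunk still references `uses: pypa/gh-action-pypi-publish@release/v1`, a moving branch, and after this change that code runs with the job's OIDC publishing identity. Pinning it to a full commit SHA, `uses: pypa/gh-action-pypi-publish@<commit-sha> # release/v1`, keeps a later change to that branch from altering what can publish under the project's name. Dropping `password: ${{ secrets.PYPI_API_TOKEN }}` does not retire the credential by itself; the repository secret and the PyPI token behind it stay usable until they are deleted and revoked, which is worth recording in the commit message as a follow-up. `attestations: true` is, in recent releases of the action, already the default under Trusted Publishing, so a short comment such as `# explicit: default when using Trusted Publishing` would explain why the line is there.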
@@ -32,7 +32,12 @@ $ uvx --from 'libtmux' --prerelease allow python
-_Upcoming changes will be written here._
+### CI
+
+#### Migrate to PyPI Trusted Publisher (#615)
+
+PyPI publishing now uses OIDC-based Trusted Publisher instead of API tokens.
+This improves security and enables package attestations for supply chain verification.
 ## libtmux 0.52.0 (2025-12-07)
From 3826ef9f0b430d4226ecc932bab41373cc1e84a7 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sun, 7 Dec 2025 15:41:05 -0600
Subject: [PATCH 3/3] Tag v0.52.1 (PyPI Trusted Publisher)

---
 CHANGES | 2 ++
 pyproject.toml | 2 +-
 src/libtmux/__about__.py | 2 +-
 uv.lock | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index de6181c8f..c68281c03 100644
--- a/CHANGES
+++ b/CHANGES
@@ -32,6 +32,8 @@ $ uvx --from 'libtmux' --prerelease allow python
+## libtmux 0.52.1 (2025-12-07)
+
 ### CI
 #### Migrate to PyPI Trusted Publisher (#615)
diff --git a/pyproject.toml b/pyproject.toml
index 43b86efae..212bdde2f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "libtmux"
-version = "0.52.0"
+version = "0.52.1"
 description = "Typed library that provides an ORM wrapper for tmux, a terminal multiplexer."
 requires-python = ">=3.10,<4.0"
 authors = [
diff --git a/src/libtmux/__about__.py b/src/libtmux/__about__.py
index cbc9bb2a2..044bc799c 100644
--- a/src/libtmux/__about__.py
+++ b/src/libtmux/__about__.py
@@ -4,7 +4,7 @@
 __title__ = "libtmux"
 __package_name__ = "libtmux"
-__version__ = "0.52.0"
+__version__ = "0.52.1"
 __description__ = "Typed scripting library / ORM / API wrapper for tmux"
 __email__ = "tony@git-pull.com"
 __author__ = "Tony Narlock"
diff --git a/uv.lock b/uv.lock
index ca12e606d..a4d33c04b 100644
--- a/uv.lock
+++ b/uv.lock
@@ -482,7 +482,7 @@ wheels = [ [[package]] name = "libtmux" -version = "0.52.0" +version = "0.52.1" source = { editable = "." } [package.dev-dependencies]