From ec21b3f0af06fe7d52b44c81b10bfbe8b18576f0 Mon Sep 17 00:00:00 2001
From: ArcSolver
Date: Thu, 4 Jun 2026 17:12:39 +0900
Subject: [PATCH] =?UTF-8?q?ci(release):=20PyPI=20Trusted=20Publishing=20?=
 =?UTF-8?q?=EC=9B=8C=ED=81=AC=ED=94=8C=EB=A1=9C=20(OIDC)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

workflow_dispatch→TestPyPI 리허설, v* 태그→PyPI 릴리스. uv publish --trusted-publishing always (API 토큰 불필요).

Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/release.yml | 42 +++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..a5c4dff
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,42 @@
+# Publish arcsolve-mcp via PyPI Trusted Publishing (OIDC — no API tokens).
+# - workflow_dispatch → TestPyPI (rehearsal)
+# - push tag `v*` → PyPI (release)
+#
+# One-time setup: register a "pending publisher" on PyPI **and** TestPyPI linking
+# project = arcsolve-mcp · owner = ArcSolver · repo = ArcSolve-Kit
+# workflow = release.yml · environment = (leave blank)
+# Docs: https://docs.pypi.org/trusted-publishers/
+#
+# Hardening note: for production, pin the actions below to commit digests
+# (e.g. actions/checkout@) rather than moving tags.
+name: Publish
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # required for OIDC trusted publishing
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          python-version: "3.11"
+
+      - name: Build
+        run: uv build
+
+      - name: Publish to TestPyPI (rehearsal — manual dispatch)
+        if: github.event_name == 'workflow_dispatch'
+        run: uv publish --publish-url https://test.pypi.org/legacy/ --trusted-publishing always
+
+      - name: Publish to PyPI (release — tag push)
+        if: github.event_name == 'push'
+        run: uv publish --trusted-publishing always
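Review bot: The job-level `permissions:` block grants only `id-token: write`, and once a job declares `permissions` every unlisted scope (including `contents`) is set to none, so the `actions/checkout@v4` step works only because the repository is public; make the intent explicit with `contents: read` alongside `id-token: write`, which also keeps the job at the minimum scopes the publish actually needs. The header comment tells the operator to leave `environment` blank when registering the pending publisher, yet the PyPI trusted-publisher docs the comment links to recommend binding the publisher to a dedicated GitHub environment (e.g. `pypi`) with protection rules, so that the OIDC token that can publish a release is only minted after the environment's checks pass; consider adding `environment: pypi` to the job and registering that name on PyPI. The hardening comment's example `actions/checkout@` has nothing after the `@`, which looks like an angle-bracket placeholder lost in rendering; if so, write it as `actions/checkout@<full-commit-sha>` so the note reads as intended. A further, optional hardening is to split `uv build` into its own job and pass the artifact to a separate publish job, so the job holding `id-token: write` never executes the package's build code.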