From 86875e47d01e6fb3853c4a9d4d7bc3321961f661 Mon Sep 17 00:00:00 2001
From: Tony Narlock <tony@git-pull.com>
Date: Sun, 7 Dec 2025 15:10:01 -0600
Subject: [PATCH 1/2] ci(release): Migrate to PyPI Trusted Publisher

why: Improve security by eliminating stored API tokens and enable package attestations
what:
- Add OIDC permissions (id-token, attestations) to release job
- Remove user/password authentication in favor of trusted publishing
- Enable attestations for supply chain security
- Fix deprecated skip_existing to skip-existing
---
 .github/workflows/tests.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 57183ca4..8ed54355 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -53,6 +53,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    permissions:
+      id-token: write
+      attestations: write
 
     strategy:
       matrix:
@@ -80,6 +83,5 @@ jobs:
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          skip_existing: true
+          attestations: true
+          skip-existing: true

From d4fc390e002c53df8f740bc0f531522ac822c60b Mon Sep 17 00:00:00 2001
From: Tony Narlock <tony@git-pull.com>
Date: Sun, 7 Dec 2025 15:10:26 -0600
Subject: [PATCH 2/2] docs(CHANGES): Document Trusted Publisher migration
 (#492)

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index b722b0fc..7f12185e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -31,6 +31,10 @@ $ uvx --from 'vcspull' --prerelease allow vcspull
 
 <!-- Maintainers, insert changes / features for the next release here -->
 
+### CI
+
+- Migrate to PyPI Trusted Publisher (#492)
+
 ## vcspull v1.48.1 (2025-12-06)
 
 ### Breaking changes