fix: Update PyPI publish workflow to use Trusted Publishing (#666)

* fix: update PyPI publish workflow to use Trusted Publishing

- Replace deprecated repository_url with repository-url
- Remove password authentication for both PyPI and TestPyPI
- Enable attestations for supply chain security
- Use OIDC authentication via Trusted Publishing

* fix: add id-token write permission for OIDC authentication

* fix: disable attestations for PyPI to avoid conflict with TestPyPI attestations

* fix: explicitly disable attestations for PyPI publish

* docs(changelog): add PyPI Trusted Publishing workflow update

* docs(changelog): add PyPI Trusted Publishing update to unreleased section

Author: lmeyerov

.github/workflows/publish-pypi.yml

@@ -14,6 +14,8 @@ jobs:
   build-n-publish:
     name: Build and publish Python 🐍 distributions 📦 to PyPI and TestPyPI
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
 
     steps:
       - uses: actions/checkout@v3
@@ -36,10 +38,10 @@ jobs:
       - name: Publish distribution 📦 to Test PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.PYPI_TEST }}
-          repository_url: https://test.pypi.org/legacy/
+          repository-url: https://test.pypi.org/legacy/
+          attestations: true
 
       - name: Publish distribution 📦 to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.PYGGRAPHISTRY_PYPI }}
+          attestations: false

CHANGELOG.md

@@ -7,6 +7,11 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [0.38.0 - 2025-06-17]
 
+### Changed
+* PyPI publish workflow now uses Trusted Publishing (OIDC) instead of password authentication
+
+## [0.38.0 - 2025-06-17]
+
 ### Feat
 * Kusto/Azure Data Explorer integration. `PyGraphistry.kusto()`, `kusto_query()`, `kusto_query_graph()`
 * Extra kusto install target `pip install graphistry[kusto]` installs azure-kusto-data, azure-identity