From c0892cd69499270da7defa68714b9a82cde1568d Mon Sep 17 00:00:00 2001
From: Riaz Virani
Date: Wed, 15 Apr 2026 13:55:11 -0400
Subject: [PATCH] Switch PyPI publishing to trusted publishing (OIDC) for roboflow and roboflow-slim

Replace twine-based publishing with pypa/gh-action-pypi-publish, which uses GitHub's OIDC tokens instead of stored username/password secrets. Both the build and build-slim jobs now declare the pypi environment and id-token: write permission required for the token exchange.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/publish.yml | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 42234b56..8c73f451 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,6 +7,9 @@ on:
 jobs:
 build:
 runs-on: ubuntu-latest
+ environment: pypi
+ permissions:
+ id-token: write
 steps:
 - name: 🛎️ Checkout
 uses: actions/checkout@v4
@@ -20,17 +23,17 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install ".[dev]"
- - name: 🚀 Publish to PyPi
- env:
- PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}
- PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
- PYPI_TEST_PASSWORD: ${{ secrets.PYPI_TEST_PASSWORD }}
- run: |
- make publish -e PYPI_USERNAME=$PYPI_USERNAME -e PYPI_PASSWORD=$PYPI_PASSWORD -e PYPI_TEST_PASSWORD=$PYPI_TEST_PASSWORD
+ - name: 📦 Build package
+ run: python setup.py sdist bdist_wheel
+ - name: 🚀 Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1

 build-slim:
 needs: build
 runs-on: ubuntu-latest
+ environment: pypi
+ permissions:
+ id-token: write
 steps:
 - name: 🛎️ Checkout
 uses: actions/checkout@v4
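Review bot: `id-token: write` is granted to the whole `build` job, so the dependency install and the package build run in a job that can request a PyPI-scoped OIDC token; nothing in this hunk limits the token to the upload step. Building in a job without `id-token`, passing `dist/` along as an artifact, and keeping `environment: pypi` plus `id-token: write` on a publish-only job narrows that exposure, as sketched below. The same applies to `build-slim` in the next hunk, and since `build-slim` and `deploy-docs` declare `needs: build`, their dependencies would need adjusting. The `build` job's steps continue outside this hunk.

```yaml
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, Python setup, dependency install, build package …
      - name: 📤 Upload dist
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - name: 📥 Download dist
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: 🚀 Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```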
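Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` tracks a branch, so the code that performs the token exchange and the upload can change without any change to this workflow. Pin it to a full commit SHA with the ref kept as a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, and let Dependabot or a similar updater bump it. The same line appears in the `build-slim` publish step in the third hunk.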
@@ -44,12 +47,12 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install ".[dev]"
- - name: 🚀 Publish roboflow-slim to PyPi
- env:
- PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}
- PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+ - name: 📦 Build slim package
 run: |
- make publish-slim -e PYPI_USERNAME=$PYPI_USERNAME -e PYPI_PASSWORD=$PYPI_PASSWORD
+ rm -rf dist/ build/ *.egg-info
+ python setup_slim.py sdist bdist_wheel
+ - name: 🚀 Publish roboflow-slim to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1

 deploy-docs:
 needs: build
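Review bot: Missing documentation on the `build-slim` publish step: it now relies on configuration held outside the repository, which the workflow does not mention. PyPI registers trusted publishers per project, so `roboflow-slim` needs its own entry matching this workflow file and the `pypi` environment. Because `build-slim` declares `needs: build` (visible in the previous hunk), a missing entry would presumably surface only after `roboflow` has already been uploaded. I would add above the step `# Requires a PyPI trusted publisher for roboflow-slim (workflow: publish.yml, environment: pypi)`.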