Conversation

@madig
Collaborator

@madig madig commented Sep 22, 2025

In light of the recent npm supply chain attacks and also https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/, I'm combing through our font stack to see if all them Py projects are using the trusted publisher mechanism as recommended by PyPI. See https://docs.pypi.org/trusted-publishers/ and https://docs.astral.sh/uv/guides/integration/github/#publishing-to-pypi.

Someone needs to do two things for this PR to work:

I'm not sure if one needs to do anything to make twine pick up the new creds; trusted publishing should be supported in v6.1.0.

@khaledhosny
Collaborator

khaledhosny commented Oct 8, 2025

Does this PR address #254 as well?

I can merge this, but I don’t have access to the PyPI project to finish the required steps there.

@anthrotype
Member

I don’t have access to the PyPI project to finish the required steps there.

I can do those. Hold on

@anthrotype
Member

anthrotype commented Oct 8, 2025

ok, I just did the PyPI setting. Are we sure twine supports trusted publishing? I suppose it must do. Otherwise I'd simply use the official PyPA publish github action like I did in fonttools/openstep-plist@166bab3 (which probably uses twine under the hood?)

@khaledhosny
Collaborator

Otherwise I'd simply use the official PyPA publish github action like I did in fonttools/openstep-plist@166bab3

I think this is what #254 requests. I don’t mind if we do it in this PR as well.

@anthrotype
Member

my test pre-release with trusted publishing using pypa GH action worked, see https://pypi.org/project/openstep-plist/0.5.1b2/#files

I suggest we do the same here, build the sdist (e.g. pipx run build --sdist) and then use the official pypa/gh-action-pypi-publish

@anthrotype
Member

I suggest we do the same here, build the sdist (e.g. pipx run build --sdist) and then use the official pypa/gh-action-pypi-publish

I'll merge and do that myself, thanks

@anthrotype anthrotype merged commit e546b47 into main Oct 11, 2025
6 checks passed
@anthrotype anthrotype deleted the use-trusted-publishing branch October 11, 2025 11:26
anthrotype added a commit that referenced this pull request Oct 11, 2025
@anthrotype
Member

I tested publishing but the GH action failed while creating the GH release
https://github.com/harfbuzz/uharfbuzz/actions/runs/18428830016/job/52514840795

I had the same issue when setting up openstep-plist and had to set contents: write permission, like this:

fonttools/openstep-plist@154f1c1

not sure why exactly, but this fixed it. Something to bear in mind when we convert similar workflows
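The pattern discussed in this thread (build the sdist, publish with the official PyPA action via trusted publishing, then create the GitHub release) as one workflow. This is an added example, not the uharfbuzz workflow or the openstep-plist commit linked above; the environment name `pypi`, the `v*` tag trigger, the action versions and the `gh release create` step are assumptions. `id-token: write` is what lets the job obtain the OIDC token that PyPI exchanges for a short-lived upload token, so no long-lived API token secret exists to be exfiltrated; `contents: write` is needed only because the release step writes to the repository, which is why its absence made the release creation fail.

```yaml
name: Publish to PyPI

on:
  push:
    tags:
      - "v*"          # assumed tag convention

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # full history so tag-based versioning can see the tag (assumption)
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build sdist
        run: pipx run build --sdist   # as suggested in the thread; wheel jobs would upload more artifacts
      - uses: actions/upload-artifact@v4
        with:
          name: sdist
          path: dist/*.tar.gz

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi               # assumed name; must match the Trusted Publisher config on PyPI
    permissions:
      id-token: write               # lets this job mint the OIDC token PyPI trusts; no API token secret
      contents: write               # only needed for the GitHub release step below
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: sdist
          path: dist/
      - name: Publish to PyPI (trusted publishing)
        uses: pypa/gh-action-pypi-publish@release/v1
      - name: Create GitHub release
        env:
          GH_TOKEN: ${{ github.token }}
        run: >
          gh release create "${{ github.ref_name }}" dist/*
          --repo "${{ github.repository }}" --generate-notes
```

Keeping `permissions` at job level rather than workflow level means the build job, which runs the most third-party code, gets neither the OIDC identity nor write access to the repository; only the publish job, which runs nothing but the two pinned steps, holds them.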

@anthrotype
Member

uh-oh..

https://github.com/harfbuzz/uharfbuzz/actions/runs/18430073023/job/52517595620

WARNING  Error during upload. Retry with the --verbose option for more details.
ERROR    HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
         Project size too large. Limit for project 'uharfbuzz' total size is 10
         GB. See
         https://docs.pypi.org/project-management/storage-limits#requesting-a-project-size-limit-increase

@anthrotype
Member

the latest uharfbuzz release contained 78 files and weighed more than 500 MB... 😮

@anthrotype
Member

the total uploaded size of uharfbuzz 0.50.0 in April 2025 was around 250MB, already quite big; this jumped to 422MB (sic!) on the following 0.50.2 release which added support for Linux ARM64 (aarch64) wheels. That added 15 new wheels, each weighing almost 15MB...

@anthrotype
Member

I can politely ask the PyPI team if they raise the project size from the current 10GB, say, to 20GB? But in 20 releases time, if we keep going like this (500MB per release) we will run out again.

@madig
Collaborator Author

madig commented Oct 13, 2025

I think this calls for ABI3 wheels instead of one wheel per Python version. Maybe the performance impact is okay?

@anthrotype
Member

that'd be nice. I'll check if cython allows that and how complicated it'd be to do that.

@khaledhosny
Collaborator

We use some PyUnicode APIs that are not part of the stable/restricted API, which would need to be replaced by other APIs for this to work.

@EpicWink

EpicWink commented Oct 13, 2025

Are we sure twine supports trusted publishing?

twine v6.1 supports it, but they say it's experimental

I can politely ask the PyPI team if they raise the project size from the current 10GB, say, to 20GB

Definitely do this, but ask for more (e.g. 50GB). This limit is to prevent malicious abuse, and uharfbuzz is popular. There are plans in the works for alternate solutions
