ci(publish): pin pypa/gh-action-pypi-publish to v1.0.6 to avoid tag r… (#36)

Author: shbatm

.github/workflows/pythonpublish.yml

@@ -2,6 +2,10 @@
 # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
 name: Upload Python Package
 
+permissions:
+  id-token: write
+  contents: read
+
 "on":
   release:
     types:
@@ -10,6 +14,9 @@ name: Upload Python Package
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - name: Checkout
@@ -25,9 +32,11 @@ jobs:
           python -m pip install --upgrade build
           python -m build
       - name: Publish package to PyPI
-        # Pin to a specific released version to avoid resolving issues with
-        # floating tags. Using v1.0.6 which is a stable release at time of
-        # update; adjust if newer stable tag is preferred.
-        uses: pypa/gh-action-pypi-publish@v1.0.6
-        with:
-          password: ${{ secrets.PYPI_TOKEN }}
+        # Use the action's release branch to follow the stable v1 releases.
+        # The action recommends `release/v1` or a specific tag; `release/v1`
+        # will resolve to the latest v1.x release.
+        # With `permissions.id-token: write` and a configured trusted repository
+        # on PyPI, the action will use OIDC token-based authentication and
+        # no repository secret is required. If you prefer an API token, add
+        # `password: ${{ secrets.PYPI_TOKEN }}` under `with` instead.
+        uses: pypa/gh-action-pypi-publish@release/v1