From f54c5b57e0ae0c9fd07e182146691b35c2cf1a07 Mon Sep 17 00:00:00 2001
From: yuriyryabikov <22548029+kurok@users.noreply.github.com>
Date: Fri, 12 Jun 2026 23:13:24 +0100
Subject: [PATCH] ci(publish): restore OIDC Trusted Publishing + enable
 attestations

Drop the legacy PYPI_USERNAME/PYPI_PASSWORD auth (from #84): setting an explicit
password disables Trusted Publishing AND silently ignores PEP 740 attestations.
Use OIDC (no long-lived creds) with attestations: true, alongside the existing
build-provenance attestation step. Requires a one-time PyPI Trusted Publisher
for namecheap/fast_mail_parser + publish.yml.

Also set download-artifact digest-mismatch to warn: the upload@v7/download@v8
pairing can report a spurious digest mismatch that fails artifact collection
even though the download succeeds (provenance attestation still covers integrity).

Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
---
 .github/workflows/publish.yml | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6c1ca9a..da7e8fd 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -168,22 +168,27 @@ jobs:
         with:
           path: dist
           merge-multiple: true
+          # download-artifact@v8 verifies each artifact's digest against the value
+          # upload-artifact@v7 recorded; that pairing can report a spurious
+          # mismatch even though the download itself succeeds. Warn instead of
+          # failing the release — integrity is still attested by the provenance
+          # step below.
+          digest-mismatch: warn
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: "dist/*"
-      # Publish using the legacy PYPI_USERNAME / PYPI_PASSWORD secrets (token or
-      # username/password) rather than OIDC Trusted Publishing. NOTE: PyPI no
-      # longer accepts plain username/password — this only succeeds if
-      # PYPI_USERNAME is "__token__" and PYPI_PASSWORD is a valid API token.
-      # Preferred long-term: re-enable OIDC Trusted Publishing (drop these
-      # secrets) by configuring a Trusted Publisher for namecheap/fast_mail_parser
-      # + publish.yml on PyPI.
+      # Publish via PyPI Trusted Publishing (OIDC) — no long-lived credentials.
+      # OIDC also enables PEP 740 attestations (attestations: true); these are
+      # silently IGNORED if an explicit username/password is set, so do NOT add
+      # `user`/`password` here. Requires a one-time PyPI setup: add a Trusted
+      # Publisher for namecheap/fast_mail_parser, workflow "publish.yml" (no
+      # environment), at
+      # https://pypi.org/manage/project/fast-mail-parser/settings/publishing/
       - name: Publish to PyPI
         if: ${{ github.event_name == 'release' && startsWith(github.ref, 'refs/tags/') }}
         uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           packages-dir: dist
           skip-existing: true
-          user: ${{ secrets.PYPI_USERNAME }}
-          password: ${{ secrets.PYPI_PASSWORD }}
+          attestations: true