From 041f5bb621ed7ecc43fd4b5c54887484b4071bd7 Mon Sep 17 00:00:00 2001
From: Aditya Singh
Date: Thu, 21 May 2026 17:43:36 -0700
Subject: [PATCH] ci: switch PyPI publish workflow to Trusted Publishing

Replace the rye PYPI_TOKEN env with the pypa/gh-action-pypi-publish action and id-token: write permissions, so the workflow uploads via PyPI Trusted Publishing rather than a long-lived token. Other steps in publish-pypi.yml are unchanged. After merge, the PyPI project will need a Trusted Publisher binding pointing at openai/openai-python and the publish-pypi.yml workflow name. Closes #3273.
---
 .github/workflows/publish-pypi.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index a7c62c4c4d..e400795119 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -9,6 +9,9 @@ jobs:
 name: publish
 runs-on: ubuntu-latest
 environment: publish
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -19,8 +22,10 @@ jobs:
 version: '0.44.0'
 enable-cache: true
- - name: Publish to PyPI
+ - name: Build distributions
 run: |
- bash ./bin/publish-pypi
- env:
- PYPI_TOKEN: ${{ secrets.OPENAI_PYPI_TOKEN || secrets.PYPI_TOKEN }}
+ mkdir -p dist
+ rye build --clean
+
+ - name: Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
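Review bot: The new `permissions:` block has no comment saying why `id-token: write` is granted or what limits its use. The grant is job-wide, so the checkout, setup and `rye build` steps run in a job that can request the OIDC token, not only the upload step. The one gate visible in this hunk is `environment: publish`, and the binding described in the commit message names only the repository and workflow file. I would add a comment above the block such as `# id-token: write lets this job request the OIDC token that PyPI Trusted Publishing exchanges for an upload credential; the PyPI publisher should also be bound to the "publish" environment`. The job's key and the rest of its definition are outside the hunk.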
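Review bot: The added `uses: pypa/gh-action-pypi-publish@release/v1` in the new "Publish to PyPI" step points at a mutable branch ref, while the checkout step in the same file is pinned to a full commit SHA with a version comment. This step runs with `id-token: write` and uploads the release, so whatever that branch resolves to at run time decides what is published. Pinning it the same way keeps the file consistent and makes action updates an explicit, reviewable change: `uses: pypa/gh-action-pypi-publish@<full-commit-sha> # release/v1`, where the placeholder is the SHA of a release you have reviewed.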