From 810fdd1ae1278fa4d5cc1a4677a66c68cb6b7518 Mon Sep 17 00:00:00 2001
From: Alex Lubbock
Date: Thu, 2 Apr 2026 23:19:15 +0100
Subject: [PATCH] ci: tighten workflow permissions
---
 .github/workflows/docs.yml | 5 +++--
 .github/workflows/python-package.yml | 5 +----
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 02fca47..7e2b73c 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -7,11 +7,12 @@ on:
 - v*
 workflow_dispatch:
-permissions:
- contents: write
+permissions: read-all
 jobs:
 deploy:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 4e2a7f0..4e2ee4d 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -51,6 +51,7 @@ jobs:
 needs: build
 permissions:
 contents: read
+ id-token: write # required for Trusted Publishing (OIDC)
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
@@ -63,8 +64,4 @@ jobs:
 - name: Build package
 run: python -m build
 - name: Publish package
- if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- user: __token__
- password: ${{ secrets.PYPI_API_TOKEN }}
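Review bot: The job-level `permissions:` block added under `deploy` in docs.yml replaces the workflow-level grant rather than merging with it, so that job runs with `contents: write` and no other scope; that is presumably enough for a checkout-and-push deploy, but the rest of the job is outside the hunk and the behaviour is easy to misread, so a comment above it such as `# job-level permissions replace, not extend, the workflow-level read-all` would help the next reader. Separately, `permissions: read-all` at the top grants read access on every scope; if the remaining jobs only need to check the repository out, `permissions:` with `contents: read` is the tighter workflow default and keeps the same job override intact.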
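Review bot: Removing the `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')` guard on the Publish step in python-package.yml means the step now runs whenever the enclosing job runs; the job header is outside the hunk, so unless the job itself carries an equivalent `if:`, a branch push or manual run of this workflow would attempt a PyPI upload using the `id-token: write` grant added in the earlier hunk. If the guard was dropped because the job is already conditioned, a comment on the step saying so, `# publishing is gated by the job-level if:`, would stop it being re-added or the job condition being loosened later; otherwise the step-level `if:` should stay. With Trusted Publishing the trust relationship configured on the PyPI side should also be limited to this workflow file (and an environment, if one is used) so the OIDC token cannot be exercised from another workflow in the repository.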