🔧 Update PyPI publishing workflow and documentation

- Switch from trusted publishing to API token authentication
- Update Python version to 3.13 in workflow
- Add PyPI-related words to VS Code spell checker
- Expand documentation with both API token and trusted publishing methods

Author: Nick Sullivan

.github/workflows/pypi-publish.yml

@@ -9,13 +9,6 @@ jobs:
   deploy:
     name: Upload release to PyPI
     runs-on: ubuntu-latest
-    # Set up environment with URL to PyPI project
-    environment:
-      name: pypi
-      url: https://pypi.org/p/heart-centered-prompts
-    # Add id-token write permission for trusted publishing
-    permissions:
-      id-token: write
 
     steps:
       - uses: actions/checkout@v3
@@ -25,7 +18,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: "3.x"
+          python-version: "3.13"
 
       - name: Install dependencies
         run: |
@@ -38,11 +31,9 @@ jobs:
           python -m build
 
       - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.8.10
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: python/dist/
-          # No password needed with trusted publishing
-          # Enable verbose output for debugging
+          password: ${{ secrets.PYPI_API_TOKEN }}
           verbose: true
-          # Print hash values of files being uploaded
           print-hash: true

.vscode/settings.json

@@ -95,5 +95,6 @@
     "titleBar.inactiveBackground": "#ff66b299",
     "titleBar.inactiveForeground": "#15202b99"
   },
-  "peacock.color": "#FF66B2"
+  "peacock.color": "#FF66B2",
+  "cSpell.words": ["PYPI", "setuptools"]
 }

DEVELOPERS.md

@@ -67,21 +67,65 @@ twine upload dist/*
 
 ### 4. Using GitHub Actions for Automatic Publishing
 
-Our repository is configured with GitHub Actions to automatically publish to PyPI when a new `releases/v*` tag is pushed. The workflow:
+Our repository is configured with GitHub Actions to automatically publish to PyPI when a new `releases/v*` tag is pushed.
 
-1. Detects the new tag
-2. Sets up Python
-3. Builds the package
-4. Publishes to PyPI using the stored API token
-
-To make this work:
-
-- Ensure the `PYPI_API_TOKEN` secret is set in your GitHub repository settings
-- Simply create and push a tag following the pattern `releases/v*`
+We use PyPI's recommended "trusted publishing" approach, which allows secure authentication without API tokens. The workflow:
 
-### Setting Up Your PyPI API Token
-
-PyPI no longer accepts username/password authentication. You must use API tokens:
+1. Detects the new tag
+2. Sets up Python and builds the package
+3. Publishes to PyPI using OpenID Connect (OIDC) authentication
+
+#### Setting Up Trusted Publishing
+
+> **Note:** We're currently using the API token method for authentication. The instructions below are for future reference if you want to migrate to trusted publishing.
+
+To set up trusted publishing in the future:
+
+1. Create an environment in your GitHub repository settings:
+
+   - Go to Settings → Environments → New environment
+   - Name it `pypi`
+   - Add environment protection rules if desired
+
+2. Configure trusted publishing on PyPI:
+
+   - Log in to your PyPI account at https://pypi.org/
+   - Navigate to your project
+   - Go to "Settings" → "Publishing"
+   - Set up a new publisher with:
+     - Publisher: GitHub Actions
+     - Owner: TechNickAI
+     - Repository name: heart-centered-prompts
+     - Workflow name: Publish Python Package
+     - Environment name: pypi
+
+3. Modify the GitHub workflow file to use trusted publishing:
+   ```yaml
+   jobs:
+     deploy:
+       name: Upload release to PyPI
+       runs-on: ubuntu-latest
+       environment:
+         name: pypi
+         url: https://pypi.org/p/heart-centered-prompts
+       permissions:
+         id-token: write
+       steps:
+         # ... existing steps ...
+         - name: Publish package to PyPI
+           uses: pypa/gh-action-pypi-publish@v1.8.10
+           with:
+             packages-dir: python/dist/
+             # No password needed with trusted publishing
+             verbose: true
+             print-hash: true
+   ```
+
+No API tokens needed with trusted publishing - the connection between GitHub and PyPI is secured through OpenID Connect!
+
+#### Using API Tokens (Current Method)
+
+We're currently using API tokens for PyPI authentication. Here's how to set them up:
 
 1. Log in to your PyPI account at https://pypi.org/
 2. Go to Account Settings → API tokens