From e1723d4b87c62ec6816c5081bd35412cb53b2b09 Mon Sep 17 00:00:00 2001
From: KC Berg
Date: Tue, 8 Jul 2025 16:09:55 -0600
Subject: [PATCH] fix(ci): use GITHUB_TOKEN for tag/commit push in publish-pypi workflow
---
 .github/workflows/publish-pypi.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index a8c18c7..150b132 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -10,6 +10,10 @@ on:
 release:
 types: [published]
 
+permissions:
+ contents: write
+ id-token: write
+
 jobs:
 build-and-publish:
 runs-on: ubuntu-latest
@@ -34,6 +38,10 @@ jobs:
 run: |
 VERSION=$(grep '^version = ' pyproject.toml | head -1 | cut -d '"' -f2)
 echo "version=$VERSION" >> $GITHUB_OUTPUT
+ - name: Set up git for pushing
+ if: github.ref == 'refs/heads/main'
+ run: |
+ git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
 - name: Create and push tag for new version
 if: github.ref == 'refs/heads/main'
 run: |
@@ -52,7 +60,4 @@ jobs:
 python -m build
 - name: Publish to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
- # No password needed! Uses OIDC trusted publisher
-permissions:
- contents: read
- id-token: write
\ No newline at end of file
+ # No password needed! Uses OIDC trusted publisher
\ No newline at end of file
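Review bot: The workflow-level `permissions:` block added in the first hunk gives `contents: write` to every step of `build-and-publish`, including `python -m build` and the `pypa/gh-action-pypi-publish@release/v1` step visible in the last hunk, neither of which needs to write to the repository. The same job also holds `id-token: write` for PyPI trusted publishing, so a compromised build dependency or a moved action ref would get both repository write and publish rights in one run. Consider moving the tag push into its own job that declares `permissions: contents: write`, and keeping the publish job at `contents: read` plus `id-token: write`. The `jobs:` body continues outside the hunk, so any other jobs that inherit the top-level block are not visible here.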
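Review bot: The new `Set up git for pushing` step in the second hunk writes the token into the `origin` URL, so it stays in clear text in `.git/config` for the rest of the job, where the later `python -m build` step and anything it executes can read it. If the checkout step (not visible in this hunk) is `actions/checkout` with its default `persist-credentials: true`, the push is already authenticated with the same token. In that case the `contents: write` grant alone should fix the failure and this step can probably be dropped. If it has to stay, pass the token through an `env:` entry instead of expanding `${{ secrets.GITHUB_TOKEN }}` inside the script, and restore the plain remote URL right after the push step.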