From a036818a4ef8b05ed54e445d6a0cf873c96ffa37 Mon Sep 17 00:00:00 2001
From: Max Jones <14077947+maxrjones@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:06:03 -0400
Subject: [PATCH 1/3] Use OIDC for publishing
---
 .github/workflows/releases.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index e3e3c446fa..5a46d65689 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -58,13 +58,15 @@ jobs:
 needs: [build_artifacts]
 runs-on: ubuntu-latest
 if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
+ environment:
+ name: releases
+ url: https://pypi.org/p/zarr
+ permissions:
+ id-token: write
 steps:
 - uses: actions/download-artifact@v7
 with:
 name: releases
 path: dist
- - uses: pypa/gh-action-pypi-publish@v1.13.0
- with:
- user: __token__
- password: ${{ secrets.pypi_password }}
- # To test: repository_url: https://test.pypi.org/legacy/
+ - name: Publish package to PyPI
+ uses: pypa/gh-action-pypi-publish@v1.13.0
From 5abb9099e14c3251e8425abe6190449c58688d8a Mon Sep 17 00:00:00 2001
From: Max Jones <14077947+maxrjones@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:08:23 -0400
Subject: [PATCH 2/3] Update requires
---
 .github/workflows/releases.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index 5a46d65689..5ed82734ca 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -35,7 +35,7 @@ jobs:
 version: '1.16.5'
 - name: Build wheel and sdist
 run: hatch build
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@v7
 with:
 name: releases
 path: dist
@@ -55,7 +55,7 @@ jobs:
 ls dist
 
 upload_pypi:
- needs: [build_artifacts]
+ needs: [build_artifacts, test_dist_pypi]
 runs-on: ubuntu-latest
 if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
 environment:
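Review bot: The `id-token: write` grant together with `environment: releases` is only as strong as the protection rules configured on that environment, which the workflow itself cannot express; without deployment branch/tag rules restricting the environment to `refs/tags/v*` (mirroring the `if:` line above it) any run that reaches this job can mint an OIDC token that PyPI's trusted publisher will accept. The removed `${{ secrets.pypi_password }}` API token keeps working after this change, so it should be revoked on PyPI and deleted from the repository secrets rather than left dormant. `pypa/gh-action-pypi-publish@v1.13.0` is still a mutable tag; pinning the full commit, `uses: pypa/gh-action-pypi-publish@<commit-sha-of-v1.13.0>  # v1.13.0`, closes the tag-retargeting gap for the one step that now carries the publishing credential. The deleted `# To test: repository_url: https://test.pypi.org/legacy/` hint remains valid with trusted publishing (TestPyPI needs its own publisher entry), so it is worth keeping as a comment on the step.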
From e003f104f3fa4a03ccc996c7a5d0e35ff0f44950 Mon Sep 17 00:00:00 2001
From: Max Jones <14077947+maxrjones@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:13:55 -0400
Subject: [PATCH 3/3] Attest
---
 .github/workflows/releases.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index 5ed82734ca..bb9256568c 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -10,6 +10,10 @@ on:
 
 permissions:
 contents: read
 
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 build_artifacts:
@@ -63,10 +67,16 @@ jobs:
 url: https://pypi.org/p/zarr
 permissions:
 id-token: write
+ attestations: write
+ artifact-metadata: write
 steps:
 - uses: actions/download-artifact@v7
 with:
 name: releases
 path: dist
+ - name: Generate artifact attestation
+ uses: actions/attest@v4
+ with:
+ subject-path: dist/*
 - name: Publish package to PyPI
 uses: pypa/gh-action-pypi-publish@v1.13.0
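Review bot: `cancel-in-progress: true` applies to tag pushes too, so a second run resolving to the same `${{ github.ref }}` (a re-pushed tag, for instance) cancels an in-flight release, possibly after artifacts have been attested but before the PyPI upload further down in this file has completed. Limiting cancellation to non-release refs keeps the de-duplication for branches and pull requests without racing the publish job: `cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }}`. The `build_artifacts` job this hunk cuts into continues outside the hunk.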
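Review bot: `actions/attest@v4` is the generic attestation action and, as far as its documented inputs go, needs `predicate-type` plus `predicate` or `predicate-path`; with only `subject-path: dist/*` the new step is likely to fail at runtime, and if SLSA build provenance is what is intended, `actions/attest-build-provenance` generates that predicate itself, `uses: actions/attest-build-provenance@<pinned-ref>` with the same `subject-path: dist/*`. The attestation is also produced in the publish job over artifacts downloaded from `build_artifacts`, so the builder identity recorded in it is this job rather than the one that actually ran `hatch build`; generating provenance in the build job and uploading it with the artifacts would bind the attestation to the build. pypa/gh-action-pypi-publish with trusted publishing can, if I recall its defaults correctly, also emit PEP 740 attestations to PyPI on its own, so a short comment on the step explaining that the GitHub attestation and the PyPI attestation serve different verifiers would save the next maintainer from deleting one as redundant.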