From c6328d1b54c45b39272bed5eb40bc972fafb4117 Mon Sep 17 00:00:00 2001
From: Kyle Koeller
Date: Sun, 12 Apr 2026 15:32:48 -0400
Subject: [PATCH 1/2] Update pyproject.toml
---
 pyproject.toml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pyproject.toml b/pyproject.toml
index b5c9fc6..77d2e40 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,3 +4,9 @@ build-backend = "setuptools.build_meta"
 
 [tool.setuptools_scm]
 write_to = "glyphx/_version.py"
+# "no-local-version" strips the +gHASH.dDATE local segment so the version
+# string is always PEP 440 public-version-compliant and accepted by PyPI.
+# Dev builds from untagged commits will look like "2.1.0.dev3" (commit
+# distance only) rather than "2.1.0.dev0+gbfa4f6035.d20260412".
+version_scheme = "release-branch-semver"
+local_scheme = "no-local-version"
From 49be515967aa731bd626547b2d3ca266a849d034 Mon Sep 17 00:00:00 2001
From: Kyle Koeller
Date: Sun, 12 Apr 2026 15:38:00 -0400
Subject: [PATCH 2/2] Update python-publish.yml
---
 .github/workflows/python-publish.yml | 31 +++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 3a1eb46..1cbdde6 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -4,8 +4,11 @@ on:
 release:
 types: [published]
 
+# Trusted Publishing (OIDC) — no API token or password needed.
+# Configure at https://pypi.org/manage/project/glyphx/settings/publishing/
 permissions:
 contents: read
+ id-token: write # required for OIDC Trusted Publishing
 
 jobs:
 deploy:
@@ -15,7 +18,7 @@ jobs:
 - name: Check out repository
 uses: actions/checkout@v4
 with:
- fetch-depth: 0
+ fetch-depth: 0 # full history so setuptools_scm can find tags
 
 - name: Set up Python
 uses: actions/setup-python@v5
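Review bot: The example in the added comment does not match the scheme it documents: with `release-branch-semver`, an untagged commit on a branch that is not a release branch bumps the minor segment, so three commits after a `v2.1.0` tag on `main` yield `2.2.0.dev3`, not `2.1.0.dev3`; only a branch whose name parses as `2.1` would give the patch-level bump the comment shows. Reword to something like `# Dev builds from untagged commits on main look like "2.2.0.dev3" (next minor plus commit distance); on a release-2.1 branch, "2.1.1.dev3".` The context line `write_to` above the new keys is the pre-8 spelling that setuptools-scm 8 keeps only as a deprecated alias of `version_file`, and the workflow patch on this page now pins `setuptools-scm>=8`, so `version_file = "glyphx/_version.py"` avoids the deprecation warning becoming a hard failure later. It is also worth a line noting that `no-local-version` drops the dirty-tree marker too, so a build from uncommitted changes is no longer distinguishable from a clean one by its version string.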
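Review bot: `id-token: write` is added to the workflow-level `permissions:` block, which makes the OIDC identity available to every job and step in the file, including the build step that runs `python -m build` and therefore any code the build backend and its dependencies execute; the workflow-level block should stay at `contents: read` and `id-token: write` should move to a job-level `permissions:` on the job that actually uploads. PyPI's trusted-publisher entry can be bound to a GitHub environment, so giving that job `environment: pypi` lets the PyPI side reject tokens minted outside it and lets GitHub gate the upload with required reviewers. The `deploy:` header is the last line of this hunk and the job body is outside it; the PyPA reference layout splits this into a build job that uploads `dist/` as an artifact and a separate publish job that downloads it and is the only one holding `id-token: write`.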
@@ -25,13 +28,31 @@ jobs:
 - name: Install build dependencies
 run: |
 python -m pip install --upgrade pip
- python -m pip install build setuptools-scm
+ python -m pip install build "setuptools-scm>=8"
+
+ - name: Derive clean version from release tag
+ # GITHUB_REF_NAME is the tag name on a release event, e.g. "v2.1.0".
+ # Stripping the leading "v" gives a valid PEP 440 public version.
+ # Setting SETUPTOOLS_SCM_PRETEND_VERSION prevents any local segment
+ # from being appended even if git describe produces one.
+ run: |
+ TAG="${GITHUB_REF_NAME#v}"
+ TAG="${TAG#V}"
+ echo "SETUPTOOLS_SCM_PRETEND_VERSION=${TAG}" >> "$GITHUB_ENV"
+ echo "Building version: ${TAG}"
 
 - name: Build package
 run: python -m build
 
+ - name: Verify no local version segment in built distributions
+ run: |
+ for f in dist/*.whl dist/*.tar.gz; do
+ if echo "$f" | grep -qP '[+]'; then
+ echo "ERROR: local version segment found in $f" >&2
+ exit 1
+ fi
+ done
+ echo "Version check passed."
+
 - name: Publish package to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- user: __token__
- password: ${{ secrets.PYPI_PASSWORD }}
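Review bot: The "Derive clean version" step exports whatever `GITHUB_REF_NAME` contains after stripping one leading `v`/`V`, and `SETUPTOOLS_SCM_PRETEND_VERSION` then replaces the SCM-derived version outright, so a tag such as `release-2.1.0` or `v2.1.0-final` reaches `python -m build` unchecked and either fails late or is normalized into a version the tag does not spell; validate before writing to `$GITHUB_ENV`, e.g. `[[ "$TAG" =~ ^[0-9]+(\.[0-9]+)*((a|b|rc)[0-9]+)?(\.post[0-9]+)?(\.dev[0-9]+)?$ ]] || { echo "ERROR: tag '$GITHUB_REF_NAME' is not a PEP 440 version" >&2; exit 1; }`. In the verify step `grep -qP '[+]'` asks for PCRE to match a single literal character, and the `for` loop passes silently when a glob matches nothing because the unexpanded pattern is not a filename containing `+`; `case "$f" in *+*) …` does the match in plain sh, and `[ -e "$f" ] || { echo "ERROR: no distribution at $f" >&2; exit 1; }` at the top of the loop body turns a missing wheel or sdist into a failure. The `build` and `setuptools-scm>=8` installs are unpinned, so the release toolchain changes underneath every run; a pinned requirements file installed with `--require-hashes` keeps the publish job reproducible.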