From 0a37c87091b22c97a08f89148edc60528d081840 Mon Sep 17 00:00:00 2001
From: Jonathan Edey
Date: Fri, 19 Jan 2024 14:06:28 -0500
Subject: [PATCH 1/2] fix: Escape release tag body and change PyPi to use trusted publisher for authentication.

---
 .github/scripts/publish_preflight_check.sh | 2 +-
 .github/workflows/release.yml | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/scripts/publish_preflight_check.sh b/.github/scripts/publish_preflight_check.sh
index c787c8548..c5e231690 100755
--- a/.github/scripts/publish_preflight_check.sh
+++ b/.github/scripts/publish_preflight_check.sh
@@ -173,7 +173,7 @@ echo "$CHANGELOG"
 # and https://github.com/github/docs/issues/21529#issue-1418590935
 FILTERED_CHANGELOG=`echo "$CHANGELOG" | grep -v "\\[INFO\\]"`
 echo "changelog<> $GITHUB_OUTPUT
-echo "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT
+echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT
 echo "CHANGELOGEOF" >> $GITHUB_OUTPUT

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a6ef19c9e..9f62d5b0a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -92,6 +92,11 @@ jobs:
 startsWith(github.event.pull_request.title, '[chore] Release ')
 runs-on: ubuntu-latest

+ permissions:
+ # Used to create a short-lived OICD token which is given to PyPi to identify this workflow job
+ # See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+ # and https://docs.pypi.org/trusted-publishers/using-a-publisher/
+ id-token: write
 steps:
 - name: Checkout source for publish
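Review bot: The new `echo -e` makes backslash sequences in `$FILTERED_CHANGELOG` significant, so a `\n` in changelog text now becomes a real line break inside the `changelog<<CHANGELOGEOF` block written to `$GITHUB_OUTPUT`, and with the fixed delimiter `CHANGELOGEOF` on the hunk's last line, changelog content (built somewhere above this hunk, so its trust level isn't visible here) can close the heredoc early and append outputs of its own. Use a per-run random delimiter, as the GitHub docs recommend for multi-line outputs, and quote `$GITHUB_OUTPUT` while touching these lines. `-e` is also a bash extension; if this script is ever run under a non-bash `sh`, `echo` prints `-e` literally, whereas `printf '%b\n'` interprets the same escapes portably. The lines that populate `$CHANGELOG` are outside the hunk.
```shell
delim="CHANGELOGEOF_$(openssl rand -hex 16)"
echo "changelog<<$delim" >> "$GITHUB_OUTPUT"
printf '%b\n' "$FILTERED_CHANGELOG" >> "$GITHUB_OUTPUT"
echo "$delim" >> "$GITHUB_OUTPUT"
```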
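Review bot: Adding a job-level `permissions:` block replaces the job's default `GITHUB_TOKEN` grants, so every scope not listed — `contents` included — becomes `none`; the `Checkout source for publish` step that follows and the `--notes` release command in the next hunk will both fail if they authenticate with `GITHUB_TOKEN`. If they do, add `contents: write  # checkout and the release-creation step use GITHUB_TOKEN` beside `id-token: write`; if they use a PAT from secrets instead, say so in the comment so the deliberately minimal grant is documented. The job header and its `env:`/token wiring begin above this hunk, so which token those steps use cannot be confirmed here.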
@@ -116,10 +121,7 @@ jobs:
 --notes "${{ steps.preflight.outputs.changelog }}"

 - name: Publish to Pypi
- uses: pypa/gh-action-pypi-publish@v1.0.0a0
- with:
- user: firebase
- password: ${{ secrets.PYPI_PASSWORD }}
+ uses: pypa/gh-action-pypi-publish@release/v1

 # Post to Twitter if explicitly opted-in by adding the label 'release:tweet'.
 - name: Post to Twitter

From 2d5ba861648b65e1343bedc3c4aba2f4e4d39b9e Mon Sep 17 00:00:00 2001
From: Jonathan Edey
Date: Fri, 19 Jan 2024 14:10:35 -0500
Subject: [PATCH 2/2] fix typo

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9f62d5b0a..60cd9f457 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -93,7 +93,7 @@ jobs:
 runs-on: ubuntu-latest

 permissions:
- # Used to create a short-lived OICD token which is given to PyPi to identify this workflow job
+ # Used to create a short-lived OIDC token which is given to PyPi to identify this workflow job
 # See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
 # and https://docs.pypi.org/trusted-publishers/using-a-publisher/
 id-token: write
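Review bot: The context line `--notes "${{ steps.preflight.outputs.changelog }}"` expands the changelog straight into a shell command, so any `"`, `$(` or backtick that survives the preflight filtering executes inside a job that now also holds an OIDC token able to publish to PyPI; pass it through the environment instead — `env:` with `NOTES: ${{ steps.preflight.outputs.changelog }}` on the step and `--notes "$NOTES"` in the command (the command itself starts above this hunk). The new `uses: pypa/gh-action-pypi-publish@release/v1` also replaces a fixed tag with a branch the action's maintainers move; for the step that mints release artifacts, pin the full commit SHA and keep the version in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`. Since no `environment:` is declared on this job, the PyPI trusted publisher must be registered without one; declaring one (say `environment: pypi`) and registering it scopes the OIDC claim and lets protection rules gate the publish.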