From 73e201930c023d3744c0a650b237a32dec4957d4 Mon Sep 17 00:00:00 2001
From: Matthew Grange
Date: Fri, 27 Mar 2026 11:13:41 -0700
Subject: [PATCH 1/2] Fix license metadata from MIT to Apache-2.0 (#120)
Summary: The pyproject.toml incorrectly declared the license as MIT, while the LICENSE file and README both specify Apache License 2.0. This fixes the metadata to match the actual license before first PyPI publish.
Differential Revision: D98512204
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 2e86e7e..65f38aa 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 name = "PrivacyGuard"
 description = "PrivacyGuard platform for Privacy Attacks and Analysis. Perform privacy analyses of ML models using Inference Attacks and Extraction Attacks."
 authors = [{name = "Meta Platforms, Inc."}]
-license = "MIT"
+license = "Apache-2.0"
 license-files = ["LICENSE"]
 readme = "README.md"
 requires-python = ">=3.10"
From 400ebe10f52d3307f5d51f2ad5837da92d9f6120 Mon Sep 17 00:00:00 2001
From: Matthew Grange
Date: Fri, 27 Mar 2026 11:13:41 -0700
Subject: [PATCH 2/2] Add GitHub Actions release workflow with Trusted Publisher
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Summary: ## Problem PrivacyGuard has no automated PyPI publishing workflow. Publishing requires manual package builds and API token management. ## Solution Add a GitHub Actions release workflow using PyPI Trusted Publishers (OIDC-based authentication, no API tokens needed). ### New: `.github/workflows/release.yml` - Triggers on GitHub Release publish or manual `workflow_dispatch` - Runs the full test suite before building (reuses `reusable_test.yml`) - Builds sdist + wheel via `python -m build` - Publishes to PyPI using `pypa/gh-action-pypi-publish` with OIDC Trusted Publisher auth - Requires a `pypi` GitHub environment (for optional approval gating) ### Modified: `pyproject.toml` - Enabled `setuptools_scm` (was commented out) so package version is derived from git tags automatically - Removed the unused `write_to` option — version is resolved at build time without generating a `version.py` ## Setup required before first use 1. **PyPI**: Register a pending Trusted Publisher at pypi.org -> Account -> Publishing: - PyPI project name: `PrivacyGuard` - Owner: `facebookresearch` - Repository: `PrivacyGuard` - Workflow: `release.yml` - Environment: `pypi` 2. **GitHub**: Create a `pypi` environment in repo Settings -> Environments (optionally add required reviewers) 3. **To publish**: Create a GitHub Release with a version tag (e.g., `v0.1.0`) — the workflow runs automatically
Differential Revision: D98518834
---
 .github/workflows/release.yml | 55 +++++++++++++++++++++++++++++++++++
 pyproject.toml | 5 ++--
 2 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..92d238b
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,55 @@
+name: Publish to PyPI
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+jobs:
+ tests:
+ name: Run tests before publish
+ uses: ./.github/workflows/reusable_test.yml
+ secrets: inherit
+
+ build:
+ name: Build distribution
+ needs: tests
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Install build tools
+ run: pip install build
+
+ - name: Build sdist and wheel
+ run: python -m build
+
+ - name: Upload build artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: dist
+ path: dist/
+
+ publish:
+ name: Publish to PyPI
+ needs: build
+ runs-on: ubuntu-latest
+ environment: pypi
+ permissions:
+ id-token: write
+ steps:
+ - name: Download build artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: dist
+ path: dist/
+
+ - name: Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/pyproject.toml b/pyproject.toml
index 65f38aa..2c88410 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -93,9 +93,8 @@ find = {}
 [tool.setuptools.package-data]
 "*" = ["*.js", "*.css", "*.html"]
-#[tool.setuptools_scm]
-#write_to = "privacy_guard/version.py"
-#local_scheme = "node-and-date"
+[tool.setuptools_scm]
+local_scheme = "node-and-date"
 [tool.usort]
 first_party_detection = false
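Review bot: The `publish` job holds `id-token: write` but runs `pypa/gh-action-pypi-publish@release/v1`, a branch ref, and every other step uses a movable tag (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`), so a change to any of those refs changes the code that builds the artifact or exchanges the OIDC token with PyPI. Pin each `uses:` to a full commit SHA and keep the version in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`. The `tests` job also passes `secrets: inherit` to `reusable_test.yml`, which is not visible here; if the tests need no secrets, drop that line, and add a workflow-level `permissions:` with `contents: read` so `tests` and `build` do not run with the repository's default token scope. `pip install build` is unpinned too, so the build front end is whatever version is current on release day.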
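Review bot: `local_scheme = "node-and-date"` adds a `+g<node>` local segment to the version whenever the build is not on a clean, exactly tagged commit, and PyPI refuses uploads whose version has a local segment. A build from a published release tag should get a plain version, but the `workflow_dispatch` trigger added to `release.yml` in this commit can run on an untagged ref, where the upload would presumably fail at the publish step. If that failure is the intended guard against publishing untagged code, say so in a comment above the table, for example `# Untagged or dirty builds get a +local version, which PyPI rejects; publish only from release tags.` `[build-system]` and `[project]` lie outside this hunk, so confirm that `setuptools_scm` is listed in `requires` and that `version` is declared dynamic; without both, this table does not drive the version.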