From 81e8be87fde6a389e4d932812f6a0b2ee1259142 Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Sun, 15 Dec 2024 14:03:00 +0100 Subject: [PATCH] docs: polish --- README.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 169eb7f..3d20a70 100644 --- a/README.md +++ b/README.md @@ -63,8 +63,8 @@ If you package an **application** as a Python package, this action is useful to ```yaml jobs: - check-package: - name: Build & inspect our package. + build-and-inspect-package: + name: Build & inspect package. runs-on: ubuntu-latest steps: @@ -76,8 +76,8 @@ To also upload to PyPI: ```yaml jobs: - build-package: - name: Build and inspect package. + build-and-inspect-package: + name: Build & inspect package. runs-on: ubuntu-latest steps: @@ -86,8 +86,8 @@ jobs: upload-to-pypi: - name: Upload prebuilt package to PyPI - needs: build-package + name: Upload package to PyPI + needs: build-and-inspect-package runs-on: ubuntu-latest permissions: # IMPORTANT: this permission is mandatory for trusted publishing, but @@ -103,6 +103,11 @@ jobs: - uses: pypa/gh-action-pypi-publish@release/v1 ``` +> [!IMPORTANT] +> For security reasons, keep the job that has the `id-token: write` permission as short as possible. + +--- + If you’re using a VCS tag-based version extractor like [*setuptools-scm*] and need the built package to have the correct version, you must use *actions/checkout* with `fetch-depth: 0` – unless the latest commit _is_ the version tag. > [!CAUTION]
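Review bot: In the first hunk (`@@ -63,8 +63,8 @@`) the renamed job keeps a trailing period in `name: Build & inspect package.` while the other job name touched in this patch, `name: Upload package to PyPI`, has none; drop the period so the two examples in the README use one convention. The job id `build-and-inspect-package` itself is a good choice since it matches the action's name.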
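Review bot: The `@@ -86,8 +86,8 @@` hunk updates `needs: build-and-inspect-package` in step with the job rename in the preceding hunk, so the cross-reference stays consistent; since the two examples are meant to be copied verbatim, it would be worth a quick grep of the README for any remaining `build-package` or `check-package` mention outside these hunks before merging.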
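Review bot: The new admonition in the `@@ -103,6 +103,11 @@` hunk says "For security reasons" without naming the reason, which makes the advice easy to dismiss; state it in one clause, e.g. "keep the job that has the `id-token: write` permission as short as possible: every step in that job can request an OIDC token that PyPI trusts, so each extra action there widens what a compromised step could publish." Also, the `---` rule added after the admonition is redundant with the blank line and the following paragraph break; consider removing it.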