From a1a49954d3499b6fe09836e35e22af8fbc291093 Mon Sep 17 00:00:00 2001 From: Dustin Spicuzza Date: Mon, 23 Oct 2023 04:00:32 -0400 Subject: [PATCH 1/3] Give more information to users Reusable workflows don't work, and it's challenging to know that. Help the user out. --- README.md | 3 +++ oidc-exchange.py | 3 +++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index eb88d93..a0d208e 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,9 @@ tag, or opt-in to [use a full Git commit SHA] and Dependabot. ### Trusted publishing +> [!NOTE] Trusted publishing does not support reusable workflows at this time, +> please use a username/token instead. + > [!NOTE] > Trusted publishing is sometimes referred to by its > underlying technology -- OpenID Connect, or OIDC for short. diff --git a/oidc-exchange.py b/oidc-exchange.py index fb1df00..0ac8f8b 100644 --- a/oidc-exchange.py +++ b/oidc-exchange.py @@ -71,6 +71,9 @@ If a claim is not present in the claim set, then it is rendered as `MISSING`. * `repository_owner_id`: `{repository_owner_id}` * `job_workflow_ref`: `{job_workflow_ref}` * `ref`: `{ref}` + +See https://docs.pypi.org/trusted-publishers/troubleshooting/ for more help + """ # Rendered if the package index's token response isn't valid JSON. From dea1d707f373fbb43646ad35354bf3ea46084872 Mon Sep 17 00:00:00 2001 From: Dustin Spicuzza Date: Tue, 28 Nov 2023 22:32:31 -0500 Subject: [PATCH 2/3] Update oidc-exchange.py Co-authored-by: Sviatoslav Sydorenko --- oidc-exchange.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oidc-exchange.py b/oidc-exchange.py index 0ac8f8b..d9b96c5 100644 --- a/oidc-exchange.py +++ b/oidc-exchange.py 
@@ -72,7 +72,7 @@ If a claim is not present in the claim set, then it is rendered as `MISSING`. * `job_workflow_ref`: `{job_workflow_ref}` * `ref`: `{ref}` -See https://docs.pypi.org/trusted-publishers/troubleshooting/ for more help +See https://docs.pypi.org/trusted-publishers/troubleshooting/ for more help. """ From 415d7a6bec18b0647cff3533bdb72780ac376d5a Mon Sep 17 00:00:00 2001 From: Dustin Spicuzza Date: Tue, 28 Nov 2023 22:44:26 -0500 Subject: [PATCH 3/3] Update README.md Add suggested changes. --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a0d208e..da9b9e2 100644 --- a/README.md +++ b/README.md @@ -25,8 +25,11 @@ tag, or opt-in to [use a full Git commit SHA] and Dependabot. ### Trusted publishing -> [!NOTE] Trusted publishing does not support reusable workflows at this time, -> please use a username/token instead. +> [!NOTE] Trusted publishing cannot be used from within a reusable workflow at this +> time. It is recommended to instead create a non-reusable workflow that contains a +> job calling your reusable workflow, and then do the trusted publishing step from +> a separate job within that non-reusable workflow. Alternatively, you can still +> use a username/token inside the reusable workflow. > [!NOTE] > Trusted publishing is sometimes referred to by its
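Review bot: In the README.md hunk of patch 1/3, the new alert starts its text on the marker line (`> [!NOTE] Trusted publishing does not support reusable workflows at this time,`), while the existing note directly below it keeps `> [!NOTE]` on a line by itself. Move the sentence to the next `>` line so both notes use the same layout. The second added line, `> please use a username/token instead.`, is joined to the first with a comma splice; start a new sentence there.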
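Review bot: In the oidc-exchange.py hunk of patch 1/3, the added `See https://docs.pypi.org/trusted-publishers/troubleshooting/ for more help` line never mentions reusable workflows, although the commit message gives that limitation as the reason for the change. A user reading the rendered claim list still has to follow the link to learn it, so add one sentence to the template stating that trusted publishing does not work from a reusable workflow. The URL is also hard-coded to docs.pypi.org, while the comment just below the template speaks of "the package index's token response"; if other indexes can be targeted, say in the text that the link is PyPI-specific.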
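Review bot: In the README.md hunk of patch 3/3, the rewritten note explains the workaround but gives the reader no pointer to follow when the failure actually occurs. Link the same troubleshooting page that patch 1/3 adds to the oidc-exchange.py message, so the README and the error text lead to the same place. The fallback sentence `> use a username/token inside the reusable workflow.` would also be clearer if it pointed at the README section that documents that credential setup rather than leaving "username/token" unexplained.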