ci: Use PyPI trusted publisher

This commit updates the CI release workflow to use the PyPI "trusted publisher" package publishing mechanism. Signed-off-by: Stephanos Ioannidis <[email protected]>
zephyrproject-rtos · Oct 3, 2024 · 235c6df · 235c6df
1 parent 66ba177
commit 235c6df
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,19 +4,21 @@ on:
   release:
     types: [ published ]
 
-permissions:
-  contents: write
-
 jobs:
   ci:
     name: CI
     uses: ./.github/workflows/ci.yml
 
   release:
     name: Release
+    environment: release
     needs: [ ci ]
     runs-on: ubuntu-20.04
 
+    permissions:
+      contents: write
+      id-token: write
+
     steps:
     - name: Download build artifacts
       uses: actions/download-artifact@v4
@@ -37,5 +39,4 @@ jobs:
     - name: Publish package to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        password: ${{ secrets.PYPI_API_TOKEN }}
         packages-dir: assets/