From 235c6df6b181fd6539a513bfa284cb05ca75e288 Mon Sep 17 00:00:00 2001
From: Stephanos Ioannidis
Date: Thu, 3 Oct 2024 19:57:47 +0900
Subject: [PATCH] ci: Use PyPI trusted publisher
This commit updates the CI release workflow to use the PyPI "trusted publisher" package publishing mechanism.
Signed-off-by: Stephanos Ioannidis
---
 .github/workflows/release.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f5088c8..d113862 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,9 +4,6 @@ on:
 release:
 types: [ published ]
-permissions:
- contents: write
-
 jobs:
 ci:
 name: CI
@@ -14,9 +11,14 @@ jobs:
 release:
 name: Release
+ environment: release
 needs: [ ci ]
 runs-on: ubuntu-20.04
+ permissions:
+ contents: write
+ id-token: write
+
 steps:
 - name: Download build artifacts
 uses: actions/download-artifact@v4
@@ -37,5 +39,4 @@ jobs:
 - name: Publish package to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- password: ${{ secrets.PYPI_API_TOKEN }}
 packages-dir: assets/
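Review bot: The new job-level `permissions` block covers only `release`, and because the first hunk removes the workflow-level block, the `ci` job now runs with the repository or organisation default token scope, which may be read-write. I would keep a restrictive workflow-level default above `jobs:`, a `permissions:` block holding only `contents: read`, and let `release` widen it as it does here. Separately, `id-token: write` applies to every step of this job, so any step can request the OIDC token that PyPI trusts; the publish step in the last hunk uses the moving ref `pypa/gh-action-pypi-publish@release/v1`, and pinning it to a full commit SHA (`@<full-commit-sha>  # release/v1`) would narrow that exposure. The `environment: release` line only adds protection if the PyPI trusted-publisher entry names the same environment and the environment has its own protection rules, neither of which is visible in this diff. The `release` job's steps continue outside this hunk.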