From 45154d4464e59bc7c5b1818f6be624331421febc Mon Sep 17 00:00:00 2001
From: Andreas Maier
Date: Wed, 9 Oct 2024 11:29:40 +0200
Subject: [PATCH] Dev: Started using the trusted publisher concept of Pypi

Signed-off-by: Andreas Maier
---
 .github/workflows/publish.yml | 6 +++++-
 changes/noissue.2.cleanup.rst | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 changes/noissue.2.cleanup.rst

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a4dd4800..f13b58d2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,6 +16,9 @@ jobs:
 name: Build and publish to PyPI
 if: startsWith(github.ref, 'refs/tags')
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
 steps:
 #-------- Info gathering and checks
@@ -144,7 +147,8 @@ jobs:
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
 packages-dir: dist
- password: ${{ secrets.PYPI_API_TOKEN }}
+ # Pypi has a trusted publisher defined, so we do not need a password:
+ # https://pypi.org/manage/project/zhmcclient/settings/publishing/
 #-------- Creation of Github release
 - name: Determine whether release on Github exists for the pushed tag
diff --git a/changes/noissue.2.cleanup.rst b/changes/noissue.2.cleanup.rst
new file mode 100644
index 00000000..24da6021
--- /dev/null
+++ b/changes/noissue.2.cleanup.rst
@@ -0,0 +1,2 @@
+Dev: Started using the trusted publisher concept of Pypi in order to avoid
+dealing with Pypi access tokens.
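Review bot: In the first publish.yml hunk (`@@ -16,6 +16,9 @@`), `id-token: write` and `contents: write` are granted at job level, so every step of this job, including the info-gathering and build steps that appear to run before the upload, can request the OIDC token that PyPI trusts and can write to the repository. Consider moving the upload into its own job that carries only `id-token: write` and receives `dist` as an artifact, leaving `contents: write` on the job that creates the GitHub release. If the single job is kept, a comment on each line would record why it is there, e.g. `# id-token: write - OIDC token for PyPI trusted publishing` and `# contents: write - create the GitHub release`. The job's steps continue outside the hunk, so the proposed split is inferred from the section comments visible here.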
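Review bot: In the second publish.yml hunk (`@@ -144,7 +147,8 @@`), the publish step still references `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move; with the password gone, whatever code that ref resolves to is what PyPI authorizes through the job's OIDC identity. Pinning to a commit keeps that trust fixed: `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1` (placeholder; take the SHA from the action's release). The replaced `PYPI_API_TOKEN` secret is presumably still stored in the repository settings and still valid on PyPI; deleting the secret and revoking the token is what actually removes the long-lived credential. The added comment could also name the PyPI-side binding (repository and workflow file, plus the environment if one is configured), since the linked settings page is only visible to project maintainers. The step begins above the hunk.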