From ff5420ccbe0863fa44130aca55ab5b4aab03996f Mon Sep 17 00:00:00 2001
From: David Zaslavsky
Date: Sat, 20 May 2023 21:06:21 -0700
Subject: [PATCH] Convert to trusted publishing

I based this change on the official PyPI documentation: https://docs.pypi.org/trusted-publishers/ as well as a blog post walking through an example of how to implement trusted publishing for a Python project: https://pgjones.dev/blog/trusted-plublishing-2023/

The diff is fairly minimal. All it does is remove the password used to authenticate to PyPI, which we don't need anymore, and add a permission needed for trusted publishing to operate.

This commit will be accompanied by some configuration in the project settings on PyPI to allow this specific workflow to act as a trusted publisher. Effectively, we're telling PyPI that when this particular workflow (`publish.yml`) contacts it with an OIDC token from Github, then PyPI should accept that as valid authentication and return an API token which can be used to actually upload a package.
---
.github/workflows/release.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a36fb9d..3eda9ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,6 +31,9 @@ jobs:
runs-on: ubuntu-latest
needs: [build]
environment: test-pypi
+ permissions:
+ # this permission is mandatory for trusted publishing
+ id-token: write
steps:
- uses: actions/download-artifact@v3
with:
@@ -39,7 +42,6 @@ jobs:
- name: Publish packages to Test PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
- password: '${{ secrets.TEST_PYPI_API_TOKEN }}'
repository_url: https://test.pypi.org/legacy/
print_hash: true
publish-to-pypi:
@@ -47,6 +49,9 @@ jobs:
runs-on: ubuntu-latest
needs: [build]
environment: pypi
+ permissions:
+ # this permission is mandatory for trusted publishing
+ id-token: write
steps:
- uses: actions/download-artifact@v3
with:
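Review bot: The commit message says the trusted publisher will be registered for `publish.yml`, but the job-level `permissions:` block in this hunk is added to `.github/workflows/release.yml`; PyPI matches the OIDC token's claims against the exact workflow filename, so the project-side configuration must name `release.yml` or the token exchange will be rejected. Since the job already declares `environment: test-pypi`, the PyPI trusted-publisher entry should also pin that environment name, so that the environment's protection rules (required reviewers, branch restrictions) gate when an upload-capable token can be minted instead of any run of the workflow file; the same applies to the `environment: pypi` job in the third hunk. Note that a job-level `permissions:` mapping replaces the default grant for the whole job rather than adding to it, so any other scope the job's steps need has to be listed alongside `id-token: write`. The job's `steps:` list continues outside the hunk.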
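Review bot: Dropping `password: '${{ secrets.TEST_PYPI_API_TOKEN }}'` stops the step from using the token, but the secret remains in the repository's secrets store and the API token remains valid on Test PyPI until it is revoked there; this commit should be paired with revoking the token on Test PyPI and deleting `TEST_PYPI_API_TOKEN` from the repository settings, and the same for `PYPI_API_TOKEN` removed in the last hunk, otherwise an already-leaked token keeps its upload rights after the workflow has moved to OIDC. It would help to record that step in the commit message or a follow-up issue so it is not forgotten. The step now depends on `pypa/gh-action-pypi-publish` falling back to the OIDC flow when no `password` is given, which only works because `id-token: write` is granted in the preceding hunk; the job that contains this step begins outside the hunk.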
@@ -55,5 +60,4 @@ jobs:
- name: Publish packages to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
- password: '${{ secrets.PYPI_API_TOKEN }}'
print_hash: true
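Review bot: With `password:` removed, what now decides whether this job can upload to PyPI is the `id-token: write` grant plus the code that runs under `uses: pypa/gh-action-pypi-publish@release/v1`, and `release/v1` is a mutable branch ref whose contents can change between runs without any change to this repository. Consider pinning the action to a full-length commit SHA with a version comment (for example `uses: pypa/gh-action-pypi-publish@<COMMIT_SHA>  # vX.Y.Z`, placeholder values) and letting Dependabot advance it, as GitHub's workflow-hardening guidance recommends; the Test PyPI step in the second hunk uses the same ref. The `publish-to-pypi` job's `runs-on`, `needs` and `environment` lines are outside this hunk.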