From 3c8240faf4c1b573d11b1e79ba0f2232de8b69f2 Mon Sep 17 00:00:00 2001
From: Charles Cooper
Date: Fri, 5 Apr 2024 08:28:33 -0400
Subject: [PATCH] feat[ci]: update pypi release pipeline to use OIDC

OIDC is pypi's current recommended best practice (see below). this commit modifies the pypi release pipeline to use the Trusted Publisher mechanism. it has already been configured on the PyPI side.

references:
- https://docs.pypi.org/trusted-publishers/
---
 .../{publish.yml => release-pypi.yml} | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
 rename .github/workflows/{publish.yml => release-pypi.yml} (52%)

diff --git a/.github/workflows/publish.yml b/.github/workflows/release-pypi.yml
similarity index 52%
rename from .github/workflows/publish.yml
rename to .github/workflows/release-pypi.yml
index 0d68d1d7ee..c506b458e6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/release-pypi.yml
@@ -1,5 +1,5 @@
-# This workflow will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+# upload to pypi using the pypa publish action
+# https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
 
 name: Publish to PyPI
 
@@ -8,13 +8,19 @@ on:
 types: [published] # releases and pre-releases (release candidates)
 jobs:
-
- deploy:
+ publish-pypi:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ # Specifying a GitHub environment is optional, but strongly encouraged
+ environment: release
+
+ permissions:
+ # IMPORTANT: this permission is mandatory for trusted publishing
+ id-token: write
+
 - name: Python
 uses: actions/setup-python@v5
 with:
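Review bot: The added `environment: release` and `permissions:` keys sit between two entries of the `steps:` sequence (after `- uses: actions/checkout@v4` and before `- name: Python`); indentation is not recoverable in this view, but if they are indented like those step items, job-level keys inside a sequence will make the workflow fail to parse, and they belong directly under `publish-pypi:` next to `runs-on: ubuntu-latest`. Because a job-level `permissions:` block sets every unlisted scope to none, add `contents: read` alongside `id-token: write` so the checkout step does not silently depend on the repository being public. The new comment calls the environment optional, but it is what lets PyPI's trusted publisher require the `environment` claim: confirm the PyPI-side configuration names `release` and that the environment carries protection rules, otherwise any job in this repository that is granted `id-token: write` could obtain a token PyPI accepts.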
@@ -29,7 +35,4 @@ jobs:
 run: python setup.py sdist bdist_wheel
 - name: Publish
- env:
- TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
- TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
- run: twine upload dist/*
+ uses: pypa/gh-action-pypi-publish@release/v1
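Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` tracks a mutable branch, so the action that receives the OIDC-minted publishing token can change underneath this workflow without any commit in this repository; pin it to a full commit SHA and keep the branch as a trailing comment, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, and consider the same for the checkout and setup-python steps in the earlier hunk. The publish step also shares its job with the `python setup.py sdist bdist_wheel` build (context line at the top of this hunk), and `id-token: write` is granted to every step of that job, so code executed during the build (setup.py, installed build dependencies) can request the same OIDC token that the publish action uses. The PyPA guidance is to build in one job, hand `dist/` over as an artifact, and grant `id-token: write` only to a minimal publish job, as sketched below; the job definition itself starts outside this hunk.
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, setup-python, install, build steps …
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish-pypi:
    needs: build
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Publish
        uses: pypa/gh-action-pypi-publish@release/v1  # TODO: pin to a full commit SHA
```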