From 80a9dc5c5d184c4439c180c71b3b37ad9b1460e0 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Fri, 26 Apr 2024 20:52:26 +0200
Subject: [PATCH] Update GHA release workflow to use trusted publishing / OIDC
---
 .github/workflows/release.yaml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index d614ac8e..103caf43 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,7 +8,7 @@ on:
     branches: [master, main]
 jobs:
-  packages:
+  build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
@@ -35,9 +35,24 @@ jobs:
           python -m twine check dist/*
         shell: bash
+      - name: Upload dist files for publication
+        uses: actions/upload-artifact@v2
+        with:
+          name: dist-files
+          path: dist
+  publish:
+    runs-on: ubuntu-latest
+    needs: build
+    # Run this job in an isolated GHA environment containing the OIDC credentials.
+    environment: release
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v2
+        with:
+          name: dist-files
+          path: dist
       - name: Publish a Python distribution to PyPI
         if: ${{ github.event_name == 'release' }}
         uses: pypa/gh-action-pypi-publish@v1.8.14
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_PASSWORD }}
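Review bot: The new `actions/upload-artifact@v2` and `actions/download-artifact@v2` references in the `build` and `publish` jobs are floating major tags, while `actions/checkout` in the first hunk is pinned to a full commit SHA with a `# v4` comment; for a job that is handed an OIDC token able to publish to PyPI, the same pinning should apply, e.g. `uses: actions/download-artifact@<commit-sha> # v4` (substitute the real SHA) and likewise for the upload step, and v2 of both artifact actions is an old major that GitHub has, as far as I recall, announced as deprecated, so moving to a current major at the same time seems worthwhile. `pypa/gh-action-pypi-publish@v1.8.14` on the context line is also a tag rather than a SHA; not introduced by this commit, but the same reasoning applies. Separately, the `if: ${{ github.event_name == 'release' }}` guard sits only on the publish step, so on a push to master/main the `publish` job still starts, enters the `release` environment and is issued an id-token before skipping the step; lifting the guard to the job (`if: github.event_name == 'release'` directly under `publish:`) keeps the token from being minted at all on non-release runs. Trusted publishing also depends on the `release` environment existing with protection rules and on the PyPI trusted-publisher entry naming this workflow file and environment, which the workflow itself cannot enforce, so that is worth a second line in the comment above `environment: release`.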