Use Trusted Publishing for uploads to PyPI

anthrotype · anthrotype · commit 195a0d2dc7d3 · 2025-11-11T23:27:17.000-08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -114,18 +114,15 @@ jobs:
     # ... and all build jobs completed successfully
     needs: [build_wheels, build_aarch64_wheels]
     runs-on: ubuntu-latest
+    permissions:
+      # Required for trusted publishing to PyPI
+      id-token: write
+      # Required for creating GitHub releases
+      contents: write
     steps:
     - uses: actions/checkout@v4
       with:
         submodules: recursive
-    - name: Set up Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: "3.x"
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install --upgrade setuptools wheel twine
     - name: Download artifacts from build jobs
       uses: actions/download-artifact@v4
       with:
@@ -160,15 +157,7 @@ jobs:
         body_path: "${{ runner.temp }}/release_notes.md"
         draft: false
         prerelease: ${{ env.IS_PRERELEASE }}
-    - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: |
-        if [ "$IS_PRERELEASE" == true ]; then
-          echo "DEBUG: This is a pre-release"
-        else
-          echo "DEBUG: This is a final release"
-        fi
-        python setup.py sdist
-        twine upload dist/*
+    - name: Build source distribution
+      run: pipx run build --sdist
+    - name: Publish to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
