feat: use trusted publisher to publish to PyPI
browniebroke committed Oct 11, 2023
1 parent 2a9049c commit 7360c6c
Showing 3 changed files with 12 additions and 10 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -66,15 +66,15 @@ A `labels` workflow will also run and synchronise the GitHub labels based on the

The workflows need [a few secrets][gh-secrets] to be setup in your GitHub repository:

- `PYPI_TOKEN` to publish releases to [PyPI][pypi]. This one should be created as `release` environment secret.
- `GH_PAT` a [personal access token (PAT) with the `repo` scope][create-pat] for opening pull requests and updating the repository topics. This is used by the `hacktoberfest` workflow.
- `CODECOV_TOKEN` to upload coverage data to [codecov.io][codecov] in the Test workflow (optional for public repos).

If you have the GitHub CLI installed and chose to set up GitHub, they will be created with a dummy value.

### Automated release

By following the conventional commits specification, we're able to completely automate versioning and releasing to PyPI. This is handled by the `semantic-release.yml` workflow. It is triggered manually by default, but can be configured to run on every push to your main branch.
By following the conventional commits specification, we're able to completely automate versioning and releasing to PyPI. It runs on every push to your main branch, as part of the `release` job of the `ci.yml` workflow.
You'll need to create the first version manually in PyPI and then setup [trusted publisher](https://docs.pypi.org/trusted-publishers/using-a-publisher/) for the project.

Here is an overview of its features:
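Review bot: The added sentence "You'll need to create the first version manually in PyPI and then setup trusted publisher" does not say which values to register on the PyPI side, and the upload only succeeds when they match the workflow. Name them in the README: workflow file `ci.yml` and environment `release` (both taken from the `release` job), plus the repository owner and name. The sentence "they will be created with a dummy value" further up now applies to `GH_PAT` only and could say so. Minor: "setup" is the noun, the verb is "set up".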

Expand All @@ -87,7 +87,7 @@ Here is an overview of its features:
- Push to GitHub.
- Create a release in GitHub with the changes as release notes.
- Build the source and binary distribution (wheel).
- Upload the sources to PyPI and attach them to the Github release.
- Upload the sources to PyPI and attach them to the Github release, using trusted publisher.

For more details, check out the [conventional commits website][conventional-commits] and [Python semantic release][python-semantic-release] Github action.
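Review bot: In the changed bullet, "using trusted publisher" trails the GitHub release clause, so it reads as if the GitHub upload also goes through the trusted publisher. Move it next to PyPI, for example "Upload the sources to PyPI using a trusted publisher, and attach them to the GitHub release."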

1 change: 0 additions & 1 deletion copier.yml
Expand Up @@ -93,7 +93,6 @@ _tasks:
# Setup GitHub
- "{% if setup_github %}gh repo create {{ github_username }}/{{ project_slug }} -d '{{ project_short_description }}' --public --remote=origin --source=. --push{% endif %}"
- "{% if setup_github %}gh repo edit --delete-branch-on-merge --enable-projects=false --enable-wiki=false{% endif %}"
- "{% if setup_github %}gh secret set PYPI_TOKEN -b 'changeme'{% endif %}"
- "{% if setup_github %}gh secret set GH_PAT -b 'changeme'{% endif %}"
# Setup pre-commit
- "{% if setup_pre_commit %}pre-commit install{% endif %}"
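Review bot: Dropping the `gh secret set PYPI_TOKEN` task only affects newly generated projects; repositories created from the template before this commit still hold a `PYPI_TOKEN` secret that the updated workflow no longer reads. Add a migration note telling maintainers to delete that secret, and to revoke the matching token on PyPI if it was ever replaced with a real one, once the trusted publisher is configured.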
15 changes: 9 additions & 6 deletions project/.github/workflows/ci.yml
Expand Up @@ -65,13 +65,18 @@ jobs:
token: ${{ secrets.CODECOV_TOKEN }}

release:
runs-on: ubuntu-latest
environment: release
needs:
- test
- lint
- commitlint

runs-on: ubuntu-latest
environment: release
concurrency: release
permissions:
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
with:
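Review bot: `id-token: write` and `contents: write` are granted to the whole `release` job, so every step in it can request an OIDC token, including the dry-run step that runs when `github.ref_name != 'main'`. Only the PyPI upload step needs `id-token: write`. Consider moving that step into its own job that carries `environment: release` and `id-token: write` and receives the built distributions as an artifact, and leaving `contents: write` on the job that tags and pushes.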
Expand All @@ -80,14 +85,14 @@ jobs:

# Do a dry run of PSR
- name: Test release
uses: relekang/[email protected]
uses: python-semantic-release/[email protected]
if: github.ref_name != 'main'
with:
root_options: --noop

# On main branch: actual PSR + upload to PyPI & GitHub
- name: Release
uses: relekang/[email protected]
uses: python-semantic-release/[email protected]
id: release
if: github.ref_name == 'main'
with:
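Review bot: Both `uses:` lines in this hunk move the action from the `relekang` owner to `python-semantic-release`, which the commit title ("use trusted publisher to publish to PyPI") does not mention. Say so in the commit body or split it into its own commit, so that the change of release tooling shows up in the history separately from the credential change.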
Expand All @@ -96,8 +101,6 @@ jobs:
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
if: steps.release.outputs.released == 'true'
with:
password: ${{ secrets.PYPI_TOKEN }}

- name: Publish package distributions to GitHub Releases
uses: python-semantic-release/upload-to-gh-release@main
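Review bot: With `password:` removed, the publish step relies on the job's OIDC token, yet it and the step after it are referenced by branch (`@release/v1` and `@main`), so whatever those branches point to at run time executes in a job that holds `id-token: write` and `contents: write`. Pin both actions to a full commit SHA and update the pins deliberately.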