Adapt the GHA PyPI publishing workflow for trusted publishing (#409)

All the changes here are in line with those recently made to the PyMC workflow
pymc-devs · Jan 5, 2025 · c9134fe · c9134fe
1 parent bb23d9b
commit c9134fe
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -50,13 +50,16 @@ jobs:
     name: upload release to PyPI
     needs: [build]
     runs-on: ubuntu-latest
-    if: github.event_name == 'release' && github.event.action == 'published'
+    if: github.repository_owner == 'pymc-devs' && github.event_name == 'release' && github.event.action == 'published'
+    # Use the `release` GitHub environment to protect the Trusted Publishing (OIDC)
+    # workflow by requiring signoff from a maintainer.
+    environment: release
+    permissions:
+      # write id-token is necessary for trusted publishing (OIDC)
+      id-token: write
     steps:
       - uses: actions/download-artifact@v3
         with:
           name: artifact
           path: dist
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}