From d2332737a84b05683b4f6735a0ed7b3a22402e2b Mon Sep 17 00:00:00 2001
From: Rust Saiargaliev
Date: Fri, 30 Aug 2024 11:04:43 +0200
Subject: [PATCH] Publish to PyPI via Trusted Publisher (#39)

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
---
 .github/workflows/release.yml | 38 +++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 803231a..f83016a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,19 +3,35 @@ name: Release
 on:
 release:
 types: [published]
+ workflow_dispatch:
+
+permissions:
+ id-token: write
 jobs:
+ release-build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.x"
+ - run: python -m pip install --upgrade pip build wheel
+ - run: python -m build --sdist --wheel
+ - uses: actions/upload-artifact@v4
+ with:
+ name: release-dists
+ path: dist/
- PyPi:
+ pypi-publish:
 runs-on: ubuntu-latest
+ needs:
+ - release-build
+ permissions:
+ id-token: write
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
- with:
- python-version: "3.x"
- - run: python -m pip install --upgrade pip build wheel twine
- - run: python -m build --sdist --wheel
- - run: python -m twine upload dist/*
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+ - uses: actions/download-artifact@v4
+ with:
+ name: release-dists
+ path: dist/
+ - uses: pypa/gh-action-pypi-publish@release/v1
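Review bot: The workflow-level `permissions:` block grants `id-token: write` to every job, so `release-build` can also request an OIDC token, and that job runs `pip install` and `python -m build`, which execute third-party build code. Since `pypi-publish` already declares its own `id-token: write`, the top-level block should carry only what the build needs, for example `contents: read` in place of `id-token: write`, so that only the uploading job can mint the token PyPI trusts. The added `workflow_dispatch:` trigger allows a manual run, so consider an `environment:` key on `pypi-publish` (for example `environment: pypi`, matched in the PyPI trusted-publisher entry) so a protection rule can gate uploads. `pypa/gh-action-pypi-publish@release/v1` is a moving branch ref; pinning it to a full commit SHA (`@<commit-sha>`) would keep the one step that holds the token from changing without review.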