From 6f83c6b68bed6ad7a2915d3f8b42fe57617886a5 Mon Sep 17 00:00:00 2001
From: Joris Roovers
Date: Tue, 11 Apr 2023 09:36:49 +0000
Subject: [PATCH] GHA: Use PyPI OIDC for publishing
Replace token based authentication with OIDC for PyPI package publishing.
Relates to #467
---
 .github/workflows/publish-release.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index e8c63985..4481e364 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -49,6 +49,9 @@ jobs:
 publish:
 timeout-minutes: 15
 runs-on: "ubuntu-latest"
+ permissions:
+ # Required for trusted publishing to PyPI
+ id-token: write
 outputs:
 gitlint_version: ${{ steps.set_version.outputs.gitlint_version }}
 steps:
@@ -107,27 +110,22 @@ jobs:
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
 packages-dir: gitlint-core/dist/
- password: ${{ secrets.PYPI_GITLINT_CORE_PASSWORD }}
 if: inputs.pypi_target == 'pypi.org'
 - name: Publish gitlint 🐍📦 to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- password: ${{ secrets.PYPI_GITLINT_PASSWORD }}
 if: inputs.pypi_target == 'pypi.org'
 - name: Publish gitlint-core 🐍📦 to TestPyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
 packages-dir: gitlint-core/dist/
- password: ${{ secrets.TEST_PYPI_GITLINT_CORE_PASSWORD }}
 repository-url: https://test.pypi.org/legacy/
 if: inputs.pypi_target == 'test.pypi.org'
 - name: Publish gitlint 🐍📦 to TestPyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- password: ${{ secrets.TEST_PYPI_GITLINT_PASSWORD }}
 repository-url: https://test.pypi.org/legacy/
 if: inputs.pypi_target == 'test.pypi.org'
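Review bot: The added `permissions:` block grants `id-token: write` to the whole `publish` job, so every step in it can request an OIDC token that PyPI will accept, including whatever runs between `steps:` and the upload steps, which is outside this hunk. Consider moving the upload steps into their own job that only downloads the built artifacts. That job can be bound to a deployment environment (for example `environment: pypi`) that is also named in the trusted-publisher configuration on PyPI. A job-level `permissions:` block also sets every unlisted scope to `none`, so if an earlier step in this job checks out the repository or calls the GitHub API, list `contents: read` explicitly next to `id-token: write`.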
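Review bot: The unchanged `uses: pypa/gh-action-pypi-publish@release/v1` lines in this hunk reference a moving branch, and after this change whatever that branch points at runs in a job that can mint a publishing credential for both packages. Pinning each step to a full commit SHA, in the form `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, keeps action upgrades reviewable. Separately, dropping the four `password:` inputs does not invalidate the API tokens behind those secrets. Once a trusted-publisher release has succeeded, they should be revoked on PyPI and TestPyPI and deleted from the repository secrets.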