From 5f875d32eccc13cbc3cf1ffa0735cd07a839f7e8 Mon Sep 17 00:00:00 2001
From: Ryan May
Date: Mon, 24 Apr 2023 14:09:58 -0600
Subject: [PATCH] CI: Switch to PyPI trusted publisher

This replaces using a fixed secret API token that is attached to a single user.
---
 .github/workflows/release.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe5675f..4a0a777 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,6 +38,8 @@ jobs:
 environment:
 name: PyPI
 url: https://pypi.org/project/python-awips/
+ permissions:
+ id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
 runs-on: ubuntu-latest
 steps:
 - name: Download packages
@@ -47,7 +49,4 @@ jobs:
 name: artifact
 - name: Publish Package
- uses: pypa/gh-action-pypi-publish@v1.4.2
- with:
- user: __token__
- password: ${{ secrets.PYPI_TOKEN }}
+ uses: pypa/gh-action-pypi-publish@v1.12.4
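Review bot: The comment on the added `id-token: write` line says why the permission exists but not what now gates a release: with the API token removed, any run that reaches this job can obtain a PyPI upload credential over OIDC, so the `PyPI` environment and the publisher registration on PyPI are the remaining controls. Assuming the PyPI-side trusted publisher is registered against `release.yml` and the `PyPI` environment (not visible here), I would record that next to the grant, e.g. `# OIDC for trusted publishing; PyPI side must trust only release.yml + environment "PyPI"`. It is also worth confirming that the environment carries protection rules such as required reviewers or a tag restriction, since the hunk does not show how the job is triggered. The grant itself is correctly scoped to this job rather than the whole workflow; the job definition starts above the hunk.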
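Review bot: The new `uses: pypa/gh-action-pypi-publish@v1.12.4` line references the action by a tag, which can be moved in the action's repository, and it runs in the job that holds `id-token: write` and can therefore mint a PyPI upload credential. Pinning to the full commit SHA of that release makes the reference immutable while keeping the version readable: `uses: pypa/gh-action-pypi-publish@<full-commit-sha-of-v1.12.4>  # v1.12.4`. An automated updater can then bump the SHA and the trailing comment together. The step list begins above the hunk, so the artifact-download step's `uses:` line is not visible here and may need the same treatment.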