use pypi trusted publishing (#425)

HGWright · web-flow · commit 4987f9e551c5 · 2026-05-01T11:02:24.000+01:00
diff --git a/.github/workflows/ci-wheels.yml b/.github/workflows/ci-wheels.yml
@@ -103,6 +103,9 @@ jobs:
     needs: [build_bdist, build_sdist]
     name: "Publish to Test PyPI"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)
+    environment: test-pypi
     # upload to Test PyPI for every commit on main branch
     if: github.event_name == 'push' && github.event.ref == 'refs/heads/main'
     steps:
@@ -111,10 +114,9 @@ jobs:
         merge-multiple: true
         path: ${{ github.workspace }}/dist
 
-    - uses: pypa/gh-action-pypi-publish@release/v1
+    - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
       with:
-        user: __token__
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
+
         repository_url: https://test.pypi.org/legacy/
         skip_existing: true
         print_hash: true
@@ -124,6 +126,9 @@ jobs:
     needs: [build_bdist, build_sdist]
     name: "Publish to PyPI"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)
+    environment: pypi
     # upload to PyPI for every tag starting with 'v'
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
     steps:
@@ -132,8 +137,6 @@ jobs:
         merge-multiple: true
         path: ${{ github.workspace }}/dist
 
-    - uses: pypa/gh-action-pypi-publish@release/v1
+    - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
       with:
-        user: __token__
-        password: ${{ secrets.PYPI_API_TOKEN }}
         print_hash: true
