build: switch to trusted publishing (#3059)

* switch to trusted publishing

* mention trusted publisher management in release instructions

Clarified instructions for community contributors regarding version releases.

Author: julian-risch

.github/workflows/CI_pypi_release.yml

@@ -21,6 +21,8 @@ on:
 jobs:
   release-on-pypi:
     runs-on: ubuntu-slim
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout
@@ -54,11 +56,9 @@ jobs:
         run: hatch build
 
       - name: Publish on PyPi
-        working-directory: ${{ steps.pathfinder.outputs.project_path }}
-        env:
-          HATCH_INDEX_USER: __token__
-          HATCH_INDEX_AUTH: ${{ secrets.PYPI_API_TOKEN }}
-        run: hatch publish -y
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        with:
+          packages-dir: ${{ steps.pathfinder.outputs.project_path }}/dist
 
       - name: Generate changelog
         uses: orhun/git-cliff-action@c93ef52f3d0ddcdcc9bd5447d98d458a11cd4f72 # v4.7.1

README.md

@@ -85,7 +85,7 @@ Please check out our [Contribution Guidelines](CONTRIBUTING.md) for all the deta
 > [!NOTE]
 > Only maintainers can release new versions of integrations.
 > If you're a community contributor and want to release a new version of an integration,
-> reach out to a maintainer.
+> reach out to a maintainer. They will set up trusted publisher management for PyPI.
 
 To release a new version of an integration to PyPI tag the commit with the right version number and push the tag to
 GitHub. The GitHub Actions workflow will take care of the rest.