From 1f94bb1fde20c3db60370e608c4ce8d25b19b0c9 Mon Sep 17 00:00:00 2001
From: Arthur Zamarin <arthurzam@gentoo.org>
Date: Wed, 17 May 2023 22:10:34 +0300
Subject: ci: use new PyPI OIDC publish

Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>
---
 .github/workflows/release.yml | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

(limited to '.github')

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0012066..8b246c2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,13 @@ on:
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
+    environment: release
+
+    permissions:
+      id-token: write # Used to authenticate to PyPI via OIDC
+
+      contents: write # Used to authenticate github release publish
+
     steps:
     - name: Checkout code
       uses: actions/checkout@v3
@@ -48,20 +55,9 @@ jobs:
         name: results
         path: dist/*
 
-    - name: Install twine and check files
-      run: |
-        pip install twine wheel-inspect
-        twine check dist/*
-        wheel2json dist/*.whl
-
-    - name: Upload to PyPI
-      env:
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
-      # only upload files for tagged releases
+    - name: publish
+      uses: pypa/gh-action-pypi-publish@release/v1
       if: startsWith(github.ref, 'refs/tags/')
-      run: |
-        twine upload dist/*
 
     - name: Create GitHub release
       uses: softprops/action-gh-release@v1
@@ -69,3 +65,4 @@ jobs:
       with:
         files: dist/*.tar.gz
         fail_on_unmatched_files: true
+        draft: true
-- 
cgit v1.2.3-65-gdbad