From 8fcd95c903e6b4df507b2cf3f53982e25a6eb61c Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Fri, 22 Mar 2024 13:17:27 -0500
Subject: [PATCH] ci: Use trusted publishers for publishing to PyPI
* Use the OpenID Connect (OIDC) standard to publish to PyPI using PyPI's "Trusted Publisher" implementation to publish without using API tokens stored as GitHub Actions secrets.
- c.f. https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
- c.f. https://docs.pypi.org/trusted-publishers/
---
 .github/workflows/pypi.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pypi.yaml b/.github/workflows/pypi.yaml
index 674a6bb0..bc88f06b 100644
--- a/.github/workflows/pypi.yaml
+++ b/.github/workflows/pypi.yaml
@@ -7,6 +7,10 @@ on:
 jobs:
 publish:
 runs-on: ubuntu-latest
+ # Mandatory for publishing with a trusted publisher
+ # c.f. https://docs.pypi.org/trusted-publishers/using-a-publisher/
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@v4
@@ -59,7 +63,6 @@ jobs:
 if: github.repository == 'ssl-hep/ServiceX_frontend'
 uses: pypa/gh-action-pypi-publish@v1.8.14
 with:
- password: ${{ secrets.pypi_password_servicex }}
 print-hash: true
 build-docs:
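Review bot: The new job-level `permissions:` block grants only `id-token: write`, and once any permissions block is present every unlisted scope drops to `none`, so the `actions/checkout@v4` step right after it now runs with no `contents` scope; that is fine for a public repository but will fail if the repository is ever made private, so consider adding `contents: read` next to it. From a least-privilege standpoint the bigger issue is that PyPI's trusted-publisher guidance is to confine `id-token: write` to a job that does nothing but publish, whereas this `publish` job checks out the source and, judging by the second hunk starting at old line 59, presumably runs the build steps too, so every build-time dependency executes with the ability to mint an OIDC token PyPI will accept. Splitting into a `build` job that uploads the distributions as an artifact and a `publish` job that only downloads and publishes them removes that exposure. It is also worth attaching a GitHub environment to the publish job (e.g. `environment: pypi`) and pinning the trusted publisher registration on PyPI to that environment, so environment protection rules gate who can trigger a release. The remaining steps of the `publish` job lie between the two hunks and are not visible here.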
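Review bot: Deleting the `password:` input does not retire the credential it referenced: the `pypi_password_servicex` repository secret and the PyPI API token behind it stay valid until the secret is removed from the repository settings and the token is revoked on PyPI, so that cleanup should accompany this change (or be called out in the description) rather than leaving a live token as a silent fallback. Now that the publish action receives the job's OIDC token, pinning `pypa/gh-action-pypi-publish` to a full commit SHA instead of the mutable `v1.8.14` tag is worth doing, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha>  # v1.8.14`, since a retargeted tag would hand the token to different code. Note also that the workflow file name `pypi.yaml` and the repository name are part of the trusted publisher registration, so a later rename of this file silently breaks publishing until the registration is updated; a short comment to that effect above the `permissions:` block would help future maintainers. The publish step begins before the first line of this hunk.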