.github: release: use OIDC for pypi pkg publishing

This is safer(TM) to use than long-lived credentials so let's migrate to using it following the instructions from https://github.com/marketplace/actions/pypi-publish#trusted-publishing and https://docs.pypi.org/trusted-publishers/. Signed-off-by: Quentin Schulz <foss+recitale@0leil.net>
QSchulz · Dec 30, 2023 · 3774d16 · 3774d16
1 parent 2ee9fce
commit 3774d16
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,6 +29,8 @@ jobs:
     if: ${{ github.repository == 'recitale/recitale' }}
     runs-on: ubuntu-latest
     name: Publish distribution package
+    permissions:
+      id-token: write
     steps:
       - name: Download dist/
         uses: actions/download-artifact@v3
@@ -37,9 +39,6 @@ jobs:
           path: dist/
       - name: Publish package on Pypi
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
 
   container:
     if: ${{ github.repository == 'recitale/recitale' }}