From 80739aeb842da67e50f185f0966d4bb8f8d1350f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Gl=C3=A4=C3=9Fle?= Date: Sat, 18 Nov 2023 19:22:29 +0100 Subject: [PATCH] Configure PyPI upload to use trusted publishing --- .github/workflows/publish.yml | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 166b512..d60efc7 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,8 +4,8 @@ on: pull_request: jobs: - pypi: - name: pypi.org + build: + name: Build and check package runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -17,14 +17,23 @@ jobs: - run: python setup.py sdist bdist_wheel - run: twine check dist/* + - uses: actions/upload-artifact@v3 + with: {name: dist, path: dist/} + + pypi: + name: Upload to pypi.org + needs: build + runs-on: ubuntu-latest + if: startsWith(github.ref, 'refs/tags') + permissions: + id-token: write + steps: + - uses: actions/download-artifact@v3 + with: {name: dist} - uses: pypa/gh-action-pypi-publish@release/v1 - if: startsWith(github.ref, 'refs/tags') - with: - user: coldfix-deploy - password: ${{ secrets.PYPI_PASSWORD }} docker: - name: hub.docker.com + name: Upload to hub.docker.com runs-on: ubuntu-latest steps: - uses: docker/setup-qemu-action@v3 @@ -70,7 +79,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/v') snap: - name: snapcraft.io + name: Upload to snapcraft.io runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
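Review bot: The new `pypi` job is gated only by `if: startsWith(github.ref, 'refs/tags')`, so every tag ref that triggers this workflow reaches the upload, whereas the docker step visible in the last hunk requires `refs/tags/v`; `if: startsWith(github.ref, 'refs/tags/v')` would keep the two release paths consistent. Because `id-token: write` lets this job obtain a credential PyPI trusts, consider also binding it to a protected GitHub environment (`environment: <environment-name>`, with the same name set in the PyPI trusted-publisher entry) so that a release is subject to that environment's approval rules. The actions that run next to the token are referenced by mutable refs (`pypa/gh-action-pypi-publish@release/v1`, `actions/download-artifact@v3`); pinning them to full commit SHAs would limit the impact of a moved tag or branch. The split itself is sound, since `python setup.py sdist bdist_wheel` no longer runs in the job that holds the token.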