From 10a23bf2590e1d726164a9df9e5b45d76560e7c9 Mon Sep 17 00:00:00 2001
From: Jake VanderPlas
Date: Mon, 16 Sep 2024 07:48:44 -0700
Subject: [PATCH] Change publishing to trusted publisher model
---
 .github/workflows/wheels.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index fc95de21..85c73462 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
@@ -97,6 +97,9 @@ jobs:
 name: Release & Upload to PyPI
 needs: [build_sdist, build_wheels]
 runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ id-token: write
 # Only publish release to PyPI when a github release is created.
 if: github.event_name == 'release' && github.event.action == 'published'
 steps:
@@ -110,6 +113,5 @@ jobs:
 - name: List files
 run: ls -l dist/
- - uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # ratchet:pypa/gh-action-pypi-publish@v1.9
- with:
- password: ${{ secrets.PYPI_API_TOKEN }}
+ - name: Publish package distributions to PyPI
+ uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # ratchet:pypa/gh-action-pypi-publish@v1.9
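Review bot: The job-level `permissions:` block added in the first hunk replaces the default token scopes, so every scope other than `id-token` becomes `none` for this job, and nothing in the file says so. The step list continues outside the hunk; if any step there reads the repository or writes to the GitHub release, it now needs an explicit `contents:` entry next to `id-token: write`. I would add above that line the comment `# OIDC token for PyPI trusted publishing; all other GITHUB_TOKEN scopes are none in this job`. The `environment: release` line only narrows who can publish if the PyPI trusted-publisher entry names this environment and the GitHub environment has required reviewers or a tag restriction, which the diff cannot show and is worth confirming.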
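Review bot: The publish step in the second hunk now has no `with:` block, and no comment records that this is deliberate, so a later editor could take it for an omission and re-add a token. A one-line comment above the step would prevent that: `# No password input: authenticates via PyPI trusted publishing (OIDC); requires id-token: write on the job`. Separately, the `PYPI_API_TOKEN` secret the removed lines read presumably remains usable until it is revoked on PyPI and deleted from the repository secrets; the commit cannot do that, so it should be tracked as a follow-up once a release has gone out through the new path.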