From 196dba67203bab630a001b7831d738cbacbd2cbe Mon Sep 17 00:00:00 2001
From: Marc Foley
Date: Fri, 5 Jan 2024 14:58:06 +0000
Subject: [PATCH] publish-release: use trusted publishers approach

---
 .github/workflows/publish-release.yml | 45 +++++++++++++++++++++------
 1 file changed, 35 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index a07aecc5..52507e12 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -7,9 +7,8 @@ name: Create and Publish Release
 jobs: build: - name: Create and Publish Release + name: Build distribution runs-on: ubuntu-latest - steps: - uses: actions/checkout@v2 with:
@@ -23,7 +22,8 @@ jobs:
 - name: Install release dependencies run: | python -m pip install --upgrade pip - pip install --upgrade setuptools wheel twine + pip install --upgrade setuptools wheel build + - name: Get release notes id: release_notes run: |
@@ -34,6 +34,7 @@ jobs:
 git fetch --tags --force TAG_NAME=${GITHUB_REF/refs\/tags\//} echo "$(git tag -l --format='%(contents)' $TAG_NAME)" > "${{ runner.temp }}/CHANGELOG.md" + - name: Create GitHub release id: create_release uses: actions/create-release@v1
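Review bot: The new `pip install --upgrade setuptools wheel build` line installs the release build tooling unpinned, so each tag is built with whatever `build` (and transitively `setuptools`/`wheel`) PyPI serves at that moment; for a pipeline that now publishes under the project's trusted-publisher identity, pin it to a known-good version, e.g. `pip install --upgrade 'build==<known-good version>'`, or install from a hash-pinned requirements file. `python -m build` creates an isolated build environment by default and installs the project's declared backend into it, so the host-level `setuptools wheel` here is presumably only used if `--no-isolation` is passed and can likely be dropped once the build step is confirmed to run isolated. The `build` job these steps belong to starts before and continues past this hunk.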
@@ -46,10 +47,34 @@ jobs:
 draft: false
 prerelease: false
- - name: Build and publish to PyPI
- env:
- TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
- TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
- run: |
- python setup.py sdist bdist_wheel
- twine upload dist/gflanguages*
\ No newline at end of file
+ - name: Build a binary wheel and a source tarball
+ run: python3 -m build
+ - name: Store the distribution packages
+ uses: actions/upload-artifact@v3
+ with:
+ name: python-package-distributions
+ path: dist/
+
+ publish-to-pypi:
+ name: >-
+ Publish Python 🐍 distribution 📦 to PyPI
+ if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
+ needs:
+ - build
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url: https://pypi.org/p/gflanguages
+ permissions:
+ id-token: write # IMPORTANT: mandatory for trusted publishing
+ steps:
+ - name: Download all the dists
+ uses: actions/download-artifact@v3
+ with:
+ name: python-package-distributions
+ path: dist/
+ - name: Publish distribution 📦 to PyPI
+ uses: pypa/gh-action-pypi-publish@v1.8.11
+ with:
+ # repository-url: https://test.pypi.org/legacy/ # for testing purposes
+ verify-metadata: false # twine previously didn't verify metadata when uploading
\ No newline at end of file
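Review bot: `pypa/gh-action-pypi-publish@v1.8.11`, `actions/upload-artifact@v3` and `actions/download-artifact@v3` are referenced by mutable git tags, and the two used in `publish-to-pypi` run in a job holding `id-token: write`, so any step there can mint the OIDC token PyPI accepts as this project's trusted publisher; a moved or compromised tag is therefore a direct publish-capability compromise, and the publish action in particular should be pinned to the full commit SHA of its release tag with the version kept as a comment, `uses: pypa/gh-action-pypi-publish@<commit-sha>  # v1.8.11`. Trusted publishing also only limits who can release to the extent the `pypi` environment is protected on the repository side (required reviewers and/or a deployment-branch/tag rule), since otherwise anyone who can push a matching tag triggers this job; the workflow cannot express that, so confirm it is configured alongside the PyPI-side publisher entry for this workflow file and environment name. `verify-metadata: false` skips the action's `twine check` pass on the downloaded dists, so malformed metadata is only caught by PyPI rejecting the upload after the `build` job has already created the GitHub release; unless a concrete check failure is known, consider dropping that line so the default validation runs. The job-level `permissions` block correctly leaves every other token scope at none and the job neither checks out nor executes repository code, which keeps the OIDC-bearing job minimal.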