From 4818151b973332aa967c88d9a0d8383a3bfebdfb Mon Sep 17 00:00:00 2001
From: Victor M
Date: Tue, 4 Jun 2024 09:24:45 +0200
Subject: [PATCH] Refactor release to support trusted publishers (#373)
---
 .github/workflows/release.yml | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1cc922ed..d5d1f163 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,30 +12,33 @@ jobs:
 name: Build and publish to PyPI
 if: startsWith(github.event.ref, 'refs/tags')
 runs-on: ubuntu-20.04
+ environment:
+ name: release
+ url: https://pypi.org/p/crc-bonfire
+ permissions:
+ # mandatory for trusted publishing
+ id-token: write
+
 steps:
 - name: Checkout to master
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@v5
 with:
 python-version: '3.10'
 architecture: 'x64'
 - name: Install build dependencies
 run: |
- python -m pip install -U pip
- pip install -U wheel setuptools build twine
+ pip install build twine
 - name: Build sdist and wheel
 run: |
 python -m build -o dist/
-
+
 - name: Twine check
 run: python -m twine check dist/*
 - name: Deploy to PyPi
- uses: pypa/gh-action-pypi-publish@master
- with:
- user: __token__
- password: ${{ secrets.pypi_token }}
+ uses: pypa/gh-action-pypi-publish@release/v1
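Review bot: `id-token: write` is granted to the whole job, so every step before `Deploy to PyPi` runs in a job that may mint the OIDC token PyPI exchanges for an upload credential. That includes the unpinned `pip install build twine` and whatever build backend and build requirements `python -m build` pulls in. Splitting the work into an unprivileged build job that uploads `dist/` as an artifact, and a small publish job that alone carries `environment: release` and `id-token: write`, keeps that capability away from build-time code; the job ids in the sketch below are illustrative because the job's own key sits above the hunk. The publish step also follows the moving `release/v1` branch of a third-party action, so pinning it to a full commit SHA (placeholder shown) makes the code that receives the token reviewable. The `release` environment adds protection only if it has required reviewers or a tag restriction configured and is named in the PyPI trusted-publisher entry, which this diff cannot show.

```yaml
jobs:
  build:  # illustrative job id
    # … unchanged: name, tag-only `if:` condition, runs-on …
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, setup-python, install, build, twine check …
      - name: Upload dists
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:  # illustrative job id
    needs: build
    # … same tag-only `if:` condition and runs-on as the build job …
    environment:
      name: release
      url: https://pypi.org/p/crc-bonfire
    permissions:
      # mandatory for trusted publishing; nothing else is granted here
      id-token: write
    steps:
      - name: Download dists
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Deploy to PyPi
        uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1
```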