From ef68af33132872c041b7aa0b90e41da2093f2e09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Ricks?=
Date: Thu, 18 Jan 2024 13:15:06 +0100
Subject: [PATCH] Change: Use trusted publisher process to deploy on PyPI

[Trusted publisher](https://docs.pypi.org/trusted-publishers/) uses OpenID Connect (OIDC) to issue short term tokens for GitHub. [Github implements the OIDC standard](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) since some month.
---
 .github/workflows/deploy-pypi.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/deploy-pypi.yml b/.github/workflows/deploy-pypi.yml
index 24befc9e5..4279af06e 100644
--- a/.github/workflows/deploy-pypi.yml
+++ b/.github/workflows/deploy-pypi.yml
@@ -7,6 +7,9 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -14,9 +17,8 @@ jobs:
         with:
           python-version: "3.10"
           install-dependencies: "false"
-      - name: Build and publish
+      - name: Build
         run: |
           poetry build
-          poetry publish
-        env:
-          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_TOKEN }}
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@release/v1
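Review bot: The new Publish step references the publisher action by the mutable branch ref `release/v1`, so the code that receives the OIDC token and uploads the release can change underneath this workflow without any commit here; pin it to a full-length commit SHA and keep the tag as a comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, and let Dependabot or a similar updater bump the pin. In the first hunk, declaring a job-level `permissions:` block resets every unlisted scope to none, so `actions/checkout@v4` in the same job may lose its read access (it would only keep working if this repository is public); adding `contents: read` under `permissions:` makes the intent explicit and removes the doubt. The `environment: pypi` name has to match the environment configured in the PyPI trusted-publisher entry, which is worth a comment on that line, and since `secrets.PYPI_TOKEN` is no longer read anywhere in this workflow the long-lived API token behind it should be revoked on PyPI and deleted from the repository secrets rather than left as an unused standing credential. The `on:` trigger that decides when this job can mint a publishing token lies outside the hunk and should be checked to be tag- or release-scoped.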