Update autodeploy to use OIDC

This replaces the need for API tokens in PyPI, which is both the more modern approach and less tied to individual accounts.
sandialabs · Apr 17, 2024 · f209c3e · f209c3e
1 parent ee21585
commit f209c3e
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/.github/workflows/autodeploy.yml b/.github/workflows/autodeploy.yml
@@ -70,6 +70,9 @@ jobs:
     needs: [build_wheels, build_sdist]
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -79,7 +82,5 @@ jobs:
 
       - name: Publish package on PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          verbose: true
+        # With the use of OIDC, API tokens are no longer needed
+        # See https://docs.pypi.org/trusted-publishers/using-a-publisher/ for more info