From f209c3e4bb7254c0e3ef94a22eb93733e0227ec8 Mon Sep 17 00:00:00 2001
From: "Stefan K. Seritan"
Date: Tue, 16 Apr 2024 17:47:04 -0700
Subject: [PATCH] Update autodeploy to use OIDC

This replaces the need for API tokens in PyPI, which is both the more modern approach and less tied to individual accounts.
---
 .github/workflows/autodeploy.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/autodeploy.yml b/.github/workflows/autodeploy.yml
index 10c4b691b..6747aa760 100644
--- a/.github/workflows/autodeploy.yml
+++ b/.github/workflows/autodeploy.yml
@@ -70,6 +70,9 @@ jobs:
 needs: [build_wheels, build_sdist]
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
+ permissions:
+ # IMPORTANT: this permission is mandatory for trusted publishing
+ id-token: write
 steps:
 - uses: actions/download-artifact@v4
 with:
@@ -79,7 +82,5 @@ jobs:
 - name: Publish package on PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- user: __token__
- password: ${{ secrets.PYPI_API_TOKEN }}
- verbose: true
+ # With the use of OIDC, API tokens are no longer needed
+ # See https://docs.pypi.org/trusted-publishers/using-a-publisher/ for more info
\ No newline at end of file
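Review bot: No `environment:` key appears between `needs:` and `steps:` in the publish job, so the `id-token: write` grant added in the first hunk is not tied to a protected GitHub environment. PyPI's trusted-publisher entry takes an optional environment name; without one it matches on repository and workflow file name only, which leaves the `if:` release condition in this file as the sole gate on who can obtain an upload token. I would add `environment: pypi` (name constructed here) beside `permissions:`, set the same name on the PyPI publisher, and put required reviewers or a tag restriction on that environment. The job header starts above the hunk, so an `environment:` declared before `needs:` would not be visible here.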
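Review bot: The publish step in the second hunk still uses `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move, and after this change that action runs in a job able to mint an OIDC token that PyPI exchanges for upload rights. Pinning it to a reviewed commit, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, keeps a later change on that branch from reaching a release unreviewed. `verbose: true` was removed together with the credentials although it is unrelated to authentication; keep `with:` and `verbose: true` if the upload log detail is still wanted. Once the first OIDC release succeeds, the `PYPI_API_TOKEN` secret should be deleted from the repository and the token revoked on PyPI so that no long-lived credential stays valid.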