From b50c009562827507cacc2062bcc8dbc21ca66b92 Mon Sep 17 00:00:00 2001
From: "J. Nick Koston" <nick@koston.org>
Date: Tue, 4 Mar 2025 17:05:20 -1000
Subject: [PATCH] fix: use trusted publishing for uploading wheels

---
 .github/workflows/ci.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 457b4e1d..2fb9b06f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -284,19 +284,19 @@ jobs:
     needs: [build_wheels]
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
 
     steps:
       - uses: actions/download-artifact@v4
         with:
           # unpacks default artifact into dist/
           # if `name: artifact` is omitted, the action will create extra parent dir
-          pattern: wheels-*
           path: dist
+          pattern: wheels-*
           merge-multiple: true
 
-      - uses: pypa/gh-action-pypi-publish@v1.12.4
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
+      - uses:
+          pypa/gh-action-pypi-publish@v1.12.4
 
           # To test: repository_url: https://test.pypi.org/legacy/