From 962c05807bdf4676bc45ec2f9944318246c0993d Mon Sep 17 00:00:00 2001
From: "Edgar R. M"
Date: Mon, 24 Apr 2023 11:34:48 -0600
Subject: [PATCH] chore: Use PyPI trusted publisher (#1635)
---
 .github/workflows/release.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a5984501..ef0fd7a7f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,10 +4,15 @@ on:
 release:
 types: [published]
+permissions:
+ contents: write # Needed to upload artifacts to the release
+ id-token: write # Needed for OIDC PyPI publishing
+
 jobs:
 release:
 name: Publish to PyPI
 runs-on: ubuntu-latest
+ environment: publishing
 steps:
 - name: Checkout code
@@ -19,13 +24,17 @@ jobs:
 python-version: "3.10"
 - name: Upgrade pip
+ env:
+ PIP_CONSTRAINT: .github/workflows/constraints.txt
 run: |
- pip install --constraint=.github/workflows/constraints.txt pip
+ pip install pip
 pip --version
 - name: Install Poetry
+ env:
+ PIP_CONSTRAINT: .github/workflows/constraints.txt
 run: |
- pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry
+ pipx install poetry
 poetry --version
 - name: Check version
@@ -48,6 +57,3 @@ jobs:
 - name: Publish
 uses: pypa/gh-action-pypi-publish@v1.8.5
- with:
- user: __token__
- password: ${{ secrets.PYPI_SECRET_TOKEN }}
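Review bot: `id-token: write` and `contents: write` are granted at workflow level in the first hunk, so every job in this file can request an OIDC token, and inside the `release` job so can the pip, pipx and Poetry steps that run before `Publish`. Moving the `permissions:` block with its two entries under `jobs.release`, next to `runs-on:`, keeps the grant from reaching jobs added later; only the `release` job is visible here, so whether others exist needs checking. Building the distribution in a job without `id-token: write` and handing the files to a small publish-only job would keep build-time dependencies away from the token. The added `environment: publishing` restricts publishing only if the trusted-publisher entry on PyPI names that environment and the environment has protection rules, neither of which can be confirmed from this diff.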
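Review bot: `PIP_CONSTRAINT: .github/workflows/constraints.txt` in the second hunk is a relative path, and as an environment variable it is read by every pip process the step starts, presumably including the one pipx runs for the Poetry install, each resolving it against its own working directory. It holds while everything runs from the repository root, but a `working-directory:` on the step or a tool that changes directory would likely make pip fail to open the file; `PIP_CONSTRAINT: ${{ github.workspace }}/.github/workflows/constraints.txt` removes that dependency. The same two-line `env:` block is repeated on `Upgrade pip` and `Install Poetry`, so it could be declared once on the job instead.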