From 9a37b692d372a8d1a61f55f14f0a254ea9413fa3 Mon Sep 17 00:00:00 2001
From: Serge Smertin <259697+nfx@users.noreply.github.com>
Date: Thu, 11 Jul 2024 15:42:25 +0200
Subject: [PATCH] Unify release to PyPI via GitHub OIDC
---
 .../workflows/{pypi-release.yml => release.yml} | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
 rename .github/workflows/{pypi-release.yml => release.yml} (61%)
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/release.yml
similarity index 61%
rename from .github/workflows/pypi-release.yml
rename to .github/workflows/release.yml
index 30396423e..6d5853e9e 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/release.yml
@@ -1,12 +1,18 @@
-name: publish python package to test-pypi
+name: publish python package to pypi
 on:
 release:
 types: [published]
 jobs:
 build-n-publish:
- name: Build project and publish to TestPyPI
- runs-on: ubuntu-22.04
+ name: Build project and publish to PyPI
+ runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ # Used to authenticate to PyPI via OIDC and sign the release's artifacts with sigstore-python.
+ id-token: write
+ # Used to attach signing artifacts to the published release.
+ contents: write
 strategy:
 matrix:
 python: [ 3.10.12 ]
@@ -24,6 +30,4 @@ jobs:
 - name: Publish a Python distribution to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- user: __token__
- password: ${{ secrets.LABS_PYPI_TOKEN }}
 packages_dir: python/dist/
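Review bot: The `permissions:` block added to `build-n-publish` is job-wide, so every step in that job can request the PyPI OIDC token and holds a `contents: write` GITHUB_TOKEN; that includes the checkout and build steps that sit between the two hunks and are not shown here. Splitting the job into an unprivileged build job that hands `python/dist/` over as an artifact, and a publish job that alone carries `environment: release` and `id-token: write`, keeps build-time code and build dependencies away from the publishing credential. The new comments mention sigstore signing and attaching artifacts to the release, but no such step appears in either hunk; if none exists elsewhere in the file, `contents: write` can be dropped. Because `pypa/gh-action-pypi-publish@release/v1` (context in the second hunk) is a branch ref, pinning it to a full commit SHA would also fix which code receives the token.

```yaml
jobs:
  build:
    name: Build project
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # … unchanged: strategy matrix, checkout, Python setup and build steps (outside the hunks) …
      - name: Store the built distributions
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: python/dist/
  publish:
    name: Publish to PyPI
    needs: build
    runs-on: ubuntu-latest
    environment: release
    permissions:
      # Only the publishing job may mint the OIDC token for PyPI.
      id-token: write
    steps:
      - name: Fetch the built distributions
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: python/dist/
      # … unchanged: "Publish a Python distribution to PyPI" step …
```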