From 5eff59ab81ddc00524e8a4eac16ad9bcb8242a10 Mon Sep 17 00:00:00 2001
From: Matt Wozniski
Date: Fri, 15 May 2026 10:12:52 -0700
Subject: [PATCH] ci: Switch to Trusted Publishing

Stop using long-lived secrets for PyPI publishing.

Signed-off-by: Matt Wozniski
---
 .github/workflows/build.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8e16be2..0f2db54 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -75,6 +75,8 @@ jobs:
 needs: [test]
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
+ permissions:
+ id-token: write # Required to retrieve a Trusted Publishing token
 steps:
 - uses: actions/download-artifact@v4
 with:
@@ -82,5 +84,3 @@ jobs:
 path: dist
 - uses: pypa/gh-action-pypi-publish@v1.13.0
- with:
- password: ${{ secrets.PYPI_PASSWORD }}
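Review bot: The publish job can now mint an OIDC token through the added `id-token: write`, but nothing visible in this hunk binds the job to a GitHub environment; the job header lies outside the hunk, so this may already be set. If it is not, add an `environment:` key to the job (for example `environment: pypi`, name is a placeholder) and register the same name in the PyPI trusted-publisher entry, so that only runs in that environment, optionally gated by required reviewers, can exchange the token. Granting the permission at job level rather than workflow level is the right scope, since the `test` job named in `needs:` never holds it. Because this job holds the token permission, consider pinning `actions/download-artifact@v4` and `pypa/gh-action-pypi-publish@v1.13.0` to full commit SHAs instead of mutable tags. After the first release through the new path, revoke the PyPI API token behind `PYPI_PASSWORD` and delete the repository secret; removing the `with:` block alone leaves that credential valid.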