From 77a6d688bd05b27170e9b5f6cb82dce3d15f1f78 Mon Sep 17 00:00:00 2001
From: David Hewitt <mail@davidhewitt.dev>
Date: Wed, 25 Mar 2026 21:55:28 +0000
Subject: [PATCH] ci: configure trusted publishing

---
 .github/workflows/python-publish.yml | 36 ----------------------------
 .github/workflows/release.yml        | 27 +++++++++++++++++++++
 2 files changed, 27 insertions(+), 36 deletions(-)
 delete mode 100644 .github/workflows/python-publish.yml
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
deleted file mode 100644
index 1fbccb27..00000000
--- a/.github/workflows/python-publish.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# This workflows will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
-
-name: Upload Python Package
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-
-jobs:
-  deploy:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v6
-      with:
-        # Fetch all history so that setuptools_scm works correctly
-        fetch-depth: 0
-    - name: Set up Python
-      uses: actions/setup-python@v6
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      # Install build and packaging dependencies.
-      # setuptools-scm is necessary for ensuring all files from VCS (such as
-      # examples) are in the sdist.
-      run: pip install -U pip build twine
-    - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: |
-        python -m build
-        twine upload dist/*
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..00942af9
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,27 @@
+name: Upload Python Package
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  deploy:
+
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write
+
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: '3.x'
+    - name: Install dependencies
+      run: pip install -U pip build
+    - name: Build and publish
+      run: python -m build
+    - name: Upload package to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1