From df44438657e3ba4a46acfaab88e48d7e72424121 Mon Sep 17 00:00:00 2001
From: Mike Drob <mdrob@apple.com>
Date: Wed, 27 Aug 2025 11:18:17 -0500
Subject: [PATCH] Use Trusted Publisher for releasing

---
 .github/workflows/ci-release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index cb3732c0..7d6f4e69 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -8,6 +8,9 @@ jobs:
     if: "!github.event.release.prerelease"
     name: Python Release Builder
     runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
     steps:
     - uses: actions/checkout@v4
     - name: Set up Python
@@ -26,5 +29,3 @@ jobs:
         build
     - name: Publish to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        password: ${{ secrets.PYPI_API_TOKEN }}
\ No newline at end of file