From 8255fbfdef3e932f7ff48f3592a7fe2aff6f48f4 Mon Sep 17 00:00:00 2001
From: Stefan VanBuren
Date: Thu, 31 Jul 2025 11:37:26 -0400
Subject: [PATCH] Set up trusted publishing I've added a [trusted publisher][1] to our PyPI org. This just completes the process, following the step below. Ref: https://docs.pypi.org/trusted-publishers/using-a-publisher/#github-actions [1]: https://docs.pypi.org/trusted-publishers/adding-a-publisher/
---
 .github/workflows/release.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f6fda7ec..bec89bc5 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -29,12 +29,13 @@ jobs:
 path: dist/
 publish:
- # TODO: trusted publisher
- # https://docs.astral.sh/uv/guides/publish/#publishing-your-package
 name: Publish on PyPI
 runs-on: ubuntu-latest
 environment:
 name: release
+ permissions:
+ # IMPORTANT: this permission is mandatory for Trusted Publishing
+ id-token: write
 needs: build
 steps:
 - name: Checkout source
@@ -50,5 +51,3 @@ jobs:
 - name: Publish on PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- password: ${{ secrets.PYPI_API_TOKEN }}
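Review bot: The `id-token: write` grant added under `publish` applies to every step in that job, not only the final upload, so any action the job runs can request an OIDC token that PyPI will exchange for an upload credential. The job's step list continues outside this hunk, but the second hunk shows the publisher referenced by the mutable ref `release/v1`; pinning it to a reviewed commit, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, keeps a moved branch from changing what runs with that grant. Declaring `permissions` here also sets every unlisted scope to none, so adding `contents: read` next to `id-token: write` would make the requirement of the `Checkout source` step explicit (it matters if the repository is private). Once a release has gone out this way, the `PYPI_API_TOKEN` secret should be revoked on PyPI and deleted from the repository settings, because removing the reference in the workflow does not invalidate the token.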