From b5db072afac42005779c9c162110946da03824c5 Mon Sep 17 00:00:00 2001 From: Frost Ming Date: Tue, 9 May 2023 16:35:24 +0800 Subject: [PATCH] chore: update docs Signed-off-by: Frost Ming --- .github/workflows/release.yml | 1 + CHANGELOG.md | 2 +- docs/docs/usage/publish.md | 22 ++++++++++++++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ff81ad1221..32552ded3e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write + contents: write steps: - uses: actions/checkout@v3 diff --git a/CHANGELOG.md b/CHANGELOG.md index c8ce894591..32d056eef6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,7 +7,7 @@ Release v2.6.0 (2023-05-09) - Added a `--json` flag to both `run` and `info` command allowing to dump scripts and infos as JSON. [#1854](https://github.com/pdm-project/pdm/issues/1854) - Consider tasks with a name starting by an underscore (`_`) as internal tasks and hide them from the listing. [#1855](https://github.com/pdm-project/pdm/issues/1855) - When running `pdm init -n`(non-interactive mode), a venv will be created by default. Previously, the selected Python will be used under PEP 582 mode. [#1862](https://github.com/pdm-project/pdm/issues/1862) -- Support [Trusted Publisher](https://docs.pypi.org/trusted-publishers/using-a-publisher/). [#1868](https://github.com/pdm-project/pdm/issues/1868) +- Support [Trusted Publisher](https://docs.pypi.org/trusted-publishers/). [#1868](https://github.com/pdm-project/pdm/issues/1868) - Add an ephemeral wheel cache in process for wheels built from non-static revision sources. [#1885](https://github.com/pdm-project/pdm/issues/1885) - Allow self-referencing groups in dev-dependencies. [#1890](https://github.com/pdm-project/pdm/issues/1890) - Add an option `--no-cross-platform` to `pdm lock` to create a non-cross-platform lockfile. [#1898](https://github.com/pdm-project/pdm/issues/1898) diff --git a/docs/docs/usage/publish.md b/docs/docs/usage/publish.md index 9b6c630fe7..350c17034b 100644 --- a/docs/docs/usage/publish.md +++ b/docs/docs/usage/publish.md 
@@ -15,6 +15,28 @@ pdm publish --repository testpypi pdm publish --repository https://test.pypi.org/legacy/ ``` +## Publish with trusted publishers + +You can configure trusted publishers for PyPI so that you don't need to expose the PyPI tokens in the release workflow. To do this, follow +[the guide](https://docs.pypi.org/trusted-publishers/adding-a-publisher/) to add a publisher and write the GitHub Actions workflow as below: + +```yaml +jobs: + pypi-publish: + name: upload release to PyPI + runs-on: ubuntu-latest + permissions: + # IMPORTANT: this permission is mandatory for trusted publishing + id-token: write + steps: + - uses: actions/checkout@v3 + + - uses: pdm-project/setup-pdm@v3 + + - name: Publish package distributions to PyPI + runs: pdm publish +``` + ## Build and publish separately You can also build the package and upload it in two steps, to allow you to inspect the built artifacts before uploading.
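Review bot: in the `.github/workflows/release.yml` hunk, `contents: write` is added to the same job-level `permissions` block that already holds `id-token: write`, so every step in that job now runs with both a writable repository token and the ability to request the OIDC token used for publishing. The commit subject says "update docs" and nothing in the hunk explains why the write scope is needed. Please add a comment beside the new line naming the step that requires it, and consider moving that step into a separate job so the job holding `id-token: write` keeps read-only repository access.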
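Review bot: in the `docs/docs/usage/publish.md` hunk, the last step of the example workflow is written as `runs: pdm publish`, but the step key GitHub Actions uses for a shell command is `run`, so a workflow copied from this page will be rejected as invalid instead of publishing. Change it to `run: pdm publish`. Because this example job holds `id-token: write`, it would also be worth showing `actions/checkout` and `pdm-project/setup-pdm` pinned to a full commit SHA rather than the movable `@v3` tag.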