From abab58e85425231a26626727a89edb2693225542 Mon Sep 17 00:00:00 2001
From: Serge Smertin <259697+nfx@users.noreply.github.com>
Date: Thu, 11 Jul 2024 15:45:18 +0200
Subject: [PATCH] Unify PyPI release via GitHub OIDC
---
 .../workflows/{onrelease.yml => release.yml} | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
 rename .github/workflows/{onrelease.yml => release.yml} (73%)
diff --git a/.github/workflows/onrelease.yml b/.github/workflows/release.yml
similarity index 73%
rename from .github/workflows/onrelease.yml
rename to .github/workflows/release.yml
index 91cfbf74..e7ec05de 100644
--- a/.github/workflows/onrelease.yml
+++ b/.github/workflows/release.yml
@@ -7,12 +7,13 @@ on:
 jobs:
 release:
- runs-on: ${{ matrix.os }}
- strategy:
- max-parallel: 1
- matrix:
- python-version: [ 3.8 ]
- os: [ ubuntu-latest ]
+ runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ # Used to authenticate to PyPI via OIDC and sign the release's artifacts with sigstore-python.
+ id-token: write
+ # Used to attach signing artifacts to the published release.
+ contents: write
 steps:
 - name: Checkout
@@ -44,9 +45,3 @@ jobs:
 - name: Publish a Python distribution to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
-
-
-
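Review bot: The new `permissions` block sits at job level, so every step in `release` runs with `id-token: write` and `contents: write`, including the checkout and build steps between the two hunks that are not visible here. If those steps install third-party packages, consider building in a separate job limited to `contents: read`, handing the distribution over as an artifact, and keeping `id-token: write` only on the job that runs `pypa/gh-action-pypi-publish`. The comment justifies `contents: write` by attaching signing artifacts to the release; if no step in this workflow actually uploads to the release, drop it. Because the file is renamed to `release.yml` and `environment: release` is added, the PyPI trusted-publisher entry has to match that workflow file and environment, which is worth recording in a comment such as `# PyPI trusted publisher is bound to release.yml and environment "release"`.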