Merge pull request #374 from zopefoundation/dataflake/trusted_publishing

Use PyPI "Trusted Publishing"

Author: dataflake

CHANGES.rst

@@ -4,6 +4,10 @@ Change log
 2.2 (unreleased)
 ----------------
 
+- Change ``c-code`` GitHub Actions publishing step to use
+  PyPI's "Trusted Publishing".
+  (`#198 <https://github.com/zopefoundation/meta/issues/198>`_)
+
 - Move package metadata from setup.py to pyproject.toml.
 
 - When moving metadata to ``pyproject.toml``, ignore ``setup py test`` fossils.

src/zope/meta/c-code/tests.yml.j2

@@ -58,10 +58,6 @@ env:
 
   CFLAGS: -O3 -pipe
   CXXFLAGS: -O3 -pipe
-  # Uploading built wheels for releases.
-  # TWINE_PASSWORD is encrypted and stored directly in the
-  # github repo settings.
-  TWINE_USERNAME: __token__
 
   ###
   # caching
@@ -398,8 +394,12 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
     # Wait for both build jobs to complete
     needs: [build-package, manylinux]
+    environment:
+      name: pypi
+      url: https://pypi.org/p/%(package_name)s
     permissions:
       contents: read
+      id-token: write  # Mandatory for trusted publishing
 
     steps:
       - name: Download all wheel artifacts
@@ -429,8 +429,6 @@ jobs:
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.TWINE_PASSWORD }}
           skip-existing: true
           packages-dir: dist/
           verbose: true