- use PyPI "Trusted Publishing"

Author: dataflake

CHANGES.rst

@@ -4,6 +4,9 @@ Change log
 2.2 (unreleased)
 ----------------
 
+- Change ``c-code`` GitHub Actions publishing step to use
+  PyPI's "Trusted Publishing".
+
 - Move package metadata from setup.py to pyproject.toml.
 
 - When moving metadata to ``pyproject.toml``, ignore ``setup py test`` fossils.

src/zope/meta/c-code/tests.yml.j2

@@ -398,8 +398,12 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
     # Wait for both build jobs to complete
     needs: [build-package, manylinux]
+    environment:
+      name: pypi
+      url: https://pypi.org/p/%(package_name)s
     permissions:
       contents: read
+      id-token: write  # Mandatory for trusted publishing
 
     steps:
       - name: Download all wheel artifacts
@@ -429,8 +433,6 @@ jobs:
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.TWINE_PASSWORD }}
           skip-existing: true
           packages-dir: dist/
           verbose: true