From 34942b450ea763dbd9171439251d06e9082dbad7 Mon Sep 17 00:00:00 2001 From: Paul Hewlett Date: Mon, 31 Mar 2025 18:07:44 +0100 Subject: [PATCH] Use environment and trusted publisher Set environment permissions in publish github-action. AB#10628 Signed-off-by: Paul Hewlett --- .github/workflows/python-publish.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index d6f8de0..f7aa774 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -9,6 +9,9 @@ on: jobs: deploy: + environment: release + permissions: + id-token: write # This is required for requesting the JWT runs-on: ubuntu-latest @@ -18,21 +21,22 @@ jobs: uses: actions/setup-python@v5 with: python-version: '3.x' + - name: Install dependencies run: | python -m pip install --upgrade pip python3 -m pip install -r requirements-dev.txt pip install setuptools wheel - - name: Build and publish - env: - TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} - TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} + shell: bash + + - name: Create wheel run: | rm -f archivist_samples/about.py ./scripts/version.sh cat archivist_samples/about.py python3 -m build --sdist python3 -m build --wheel + shell: bash - name: Publish to PyPi uses: pypa/gh-action-pypi-publish@release/v1
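Review bot: `id-token: write` on the `deploy` job applies to every step in it, so the `pip install -r requirements-dev.txt` and `./scripts/version.sh` steps in the next hunk run where an OIDC token for the PyPI trusted publisher can be requested. Building in a separate job without that permission, then handing `dist/` to a small publish job that alone carries `environment: release` and `id-token: write`, keeps build-time dependencies away from the publishing identity; a sketch follows. A job-level `permissions` block also sets every unlisted scope to `none`, so if the checkout step (outside this hunk) runs against a private repository it needs `contents: read`. The trusted-publisher entry on PyPI should name the `release` environment, and the environment should have protection rules such as required reviewers or tag restrictions; neither can be confirmed from the diff.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, setup-python, Install dependencies, Create wheel …
      - name: Upload dist
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  deploy:
    needs: build
    environment: release
    permissions:
      id-token: write  # OIDC token for PyPI trusted publishing
    runs-on: ubuntu-latest
    steps:
      - name: Download dist
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # … unchanged: Publish to PyPi …
```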
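Review bot: The `Publish to PyPi` step at the end of this hunk references `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move. Now that the job can obtain an OIDC token accepted by PyPI, pinning it to a full commit SHA, `uses: pypa/gh-action-pypi-publish@<FULL_COMMIT_SHA>  # release/v1`, removes the reliance on a mutable ref. The step continues past the end of the hunk; if a `with: password:` input remains there, the action would presumably use it instead of trusted publishing, so it is worth confirming it is gone. The `PYPI_USERNAME` and `PYPI_PASSWORD` secrets are no longer referenced in this hunk and can be deleted from the repository and revoked on PyPI once nothing else uses them.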