From 5a22fa1a5372b5c5bc19261eb8d17433097d0d4f Mon Sep 17 00:00:00 2001 From: Serge Smertin <259697+nfx@users.noreply.github.com> Date: Thu, 11 Jul 2024 15:36:14 +0200 Subject: [PATCH] Unify PyPI releases via GitHub OIDC --- .../workflows/{onrelease.yml => release.yml} | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) rename .github/workflows/{onrelease.yml => release.yml} (74%) diff --git a/.github/workflows/onrelease.yml b/.github/workflows/release.yml similarity index 74% rename from .github/workflows/onrelease.yml rename to .github/workflows/release.yml index 11bc9922..f374d26f 100644 --- a/.github/workflows/onrelease.yml +++ b/.github/workflows/release.yml @@ -7,20 +7,21 @@ on: jobs: release: - runs-on: ${{ matrix.os }} - strategy: - max-parallel: 1 - matrix: - python-version: [ 3.9 ] - os: [ ubuntu-latest ] + runs-on: ubuntu-latest + environment: release + permissions: + # Used to authenticate to PyPI via OIDC and sign the release's artifacts with sigstore-python. + id-token: write + # Used to attach signing artifacts to the published release. + contents: write steps: - uses: actions/checkout@v1 - - name: Set up Python ${{ matrix.python-version }} + - name: Set up Python uses: actions/setup-python@v1 with: - python-version: ${{ matrix.python-version }} + python-version: 3.9 - uses: actions/cache@v2 id: cache @@ -44,6 +45,4 @@ jobs: - name: Publish a Python distribution to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ - password: ${{ secrets.LABS_PYPI_TOKEN }} packages_dir: python/dist/
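Review bot: The job-level `permissions` block in the first hunk grants `id-token: write` and `contents: write` to every step of `release`, including `actions/checkout@v1`, `actions/setup-python@v1`, `actions/cache@v2` and the build steps between the two hunks, so any of them (all referenced by mutable tags) runs with the ability to request the OIDC token that PyPI trusts. Splitting the workflow into a build job with `contents: read` and a publish job that alone carries `id-token: write` and `environment: release` keeps that token away from build tooling and from a restored cache; a sketch follows. The comments mention sigstore signing and attaching artifacts to the release, but no such step is visible in this patch; if none exists outside the hunks, `contents: write` can be dropped, and if one does exist the permission belongs only on the job that runs it. Because the file is renamed to `release.yml`, the trusted-publisher entry on PyPI has to name that workflow file and the `release` environment, otherwise the token exchange is rejected. `python-version: 3.9` is safer quoted as `'3.9'`, so a later bump to 3.10 is not parsed as the float 3.1.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, setup-python, cache and build steps …
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: python/dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: release
    permissions:
      # Only the publishing job may request the OIDC token.
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: python/dist/
      # … unchanged: "Publish a Python distribution to PyPI" step …
```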