From 408220939c226f2dea350cf3c1dc62304c709508 Mon Sep 17 00:00:00 2001
From: Nikolaus Waxweiler
Date: Mon, 22 Sep 2025 19:50:19 +0100
Subject: [PATCH] Use trusted publishing
---
 .github/workflows/ci.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 419e619c..11e8f233 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,10 +60,15 @@ jobs:
 needs:
 - lint
 - test
- # This is required to create a release using Github integration token
- # https://github.com/softprops/action-gh-release?tab=readme-ov-file#permissions
+ environment:
+ name: publish-to-pypi
+ url: https://pypi.org/p/fontmake
 permissions:
+ # This is required to create a release using Github integration token
+ # https://github.com/softprops/action-gh-release?tab=readme-ov-file#permissions
 contents: write
+ # IMPORTANT: mandatory for trusted publishing:
+ id-token: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -101,9 +106,6 @@ jobs:
 echo "IS_PRERELEASE=false" >> "$GITHUB_ENV"
 fi
 - name: Build and publish
- env:
- TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
- TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
 run: |
 if [ "$IS_PRERELEASE" == true ]; then
 echo "DEBUG: This is a pre-release"
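Review bot: `id-token: write` in the first hunk's `permissions:` block is granted to the whole job, which also holds `contents: write` and runs checkout and build. Every step, including `actions/checkout@v4` (pinned only to a movable tag), therefore executes where an OIDC token accepted by PyPI can be requested. Consider moving the upload into a minimal job that carries `id-token: write` alone, and pin actions by commit, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`. The comment could say what the grant does: `# Lets this job request the OIDC token PyPI exchanges for a short-lived upload credential; keep it on the publishing job only`. Whether the `publish-to-pypi` environment has protection rules, and whether the PyPI trusted-publisher entry is bound to that environment name, cannot be seen here and should be confirmed; the job's steps continue outside the hunk.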
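Review bot: Nothing visible in the second hunk shows how the upload authenticates once the `env:` block is removed from "Build and publish"; the `run:` script continues outside the hunk. If it still calls twine, the installed version must be one that supports trusted publishing, so either set a minimum version where twine is installed or hand the upload to `pypa/gh-action-pypi-publish`. A comment above `run:` such as `# No credentials here on purpose: the upload authenticates via PyPI trusted publishing (OIDC)` would keep a later edit from re-adding secrets. The diff cannot show whether the `PYPI_USERNAME`/`PYPI_PASSWORD` repository secrets and the PyPI token behind them were retired; they should be deleted and revoked after the first successful release so the old credential does not stay valid.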