From 2095ced3b3955a98f21c49756b359441878c0a4b Mon Sep 17 00:00:00 2001
From: wpbonelli <wbonelli@ucar.edu>
Date: Tue, 12 Sep 2023 09:25:37 -0400
Subject: [PATCH] ci: update release.yml for trusted publishing to PyPI (#115)

---
 .github/workflows/release.yml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ad286b2..7a2bd3a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -164,6 +164,10 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write  # mandatory for trusted publishing
+    environment:  # requires a 'release' environment in repo settings
+      name: release
+      url: https://pypi.org/p/modflow-devtools
     steps:
 
       - name: Checkout main branch
@@ -188,12 +192,14 @@ jobs:
       - name: Check package
         run: twine check --strict dist/*
 
-      - name: Publish package
-        if: ${{ env.TWINE_USERNAME != '' }}
-        env:
-          TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-        run: twine upload dist/*
+      - name: Upload package
+        uses: actions/upload-artifact@v3
+        with:
+          name: dist
+          path: dist
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
 
   reset:
     name: Draft reset PR