Switch to trusted publishing for package upload to PyPI in CI

Trusted publishing (with attestations means I have high confidence that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing.

See [the Python packaging documentation](https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#configuring-trusted-publishing), [the PyPI documentation](https://docs.pypi.org/trusted-publishers/), and [the official pypi-publish GitHub action documentation](https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing) on trusted publishing.

<details><summary>Implementation (click to expand)</summary>

* Configure (or use an existing) GitHub environment and add to PyPI
* Remove `user` and `password` arguments in the "Publish to PyPI" step of the `pypi` job of the [deploy](https://github.com/Python-Markdown/markdown/blob/master/.github/workflows/deploy.yml) CI workflow
* Add the environment definition to the same `pypi` job
* Add `id-token: write` and `contents: read` permissions to the same `pypi` job
* Optionally remove the `PYPI_PASSWORD` project secret

</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Switch to trusted publishing for package upload to PyPI in CI #1560

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Switch to trusted publishing for package upload to PyPI in CI #1560

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions