From 9d3261661cd715d394f235e9d16af3919f13ee86 Mon Sep 17 00:00:00 2001
From: Serge Smertin <259697+nfx@users.noreply.github.com>
Date: Thu, 11 Jul 2024 15:30:32 +0200
Subject: [PATCH] Unify PyPI releases with GitHub OIDC
---
 .../workflows/{pypi_release.yml => release.yml} | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
 rename .github/workflows/{pypi_release.yml => release.yml} (70%)
diff --git a/.github/workflows/pypi_release.yml b/.github/workflows/release.yml
similarity index 70%
rename from .github/workflows/pypi_release.yml
rename to .github/workflows/release.yml
index a86e824..15a0196 100644
--- a/.github/workflows/pypi_release.yml
+++ b/.github/workflows/release.yml
@@ -4,15 +4,16 @@ on:
 push:
 tags:
 - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
- branches:
- - master
 jobs:
 release-pipeline:
-
 runs-on: ubuntu-latest
- strategy:
- max-parallel: 4
+ environment: release
+ permissions:
+ # Used to authenticate to PyPI via OIDC and sign the release's artifacts with sigstore-python.
+ id-token: write
+ # Used to attach signing artifacts to the published release.
+ contents: write
 steps:
 - uses: actions/checkout@v4
@@ -37,7 +38,4 @@ jobs:
 python -m build
 - name: Publish distribution 📦 to PyPI
- if: startsWith(github.ref, 'refs/tags')
- uses: pypa/gh-action-pypi-publish@release/v1
- with:
- password: ${{ secrets.LABS_PYPI_TOKEN }}
\ No newline at end of file
+ uses: pypa/gh-action-pypi-publish@release/v1
\ No newline at end of file
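Review bot: The new `permissions` block grants `id-token: write` and `contents: write` to the whole `release-pipeline` job, so the dependency install and `python -m build` steps, which run project and third-party build code, execute in a job that can request the OIDC token PyPI trusts and can write to the repository. Splitting the work into a build job with read-only permissions that uploads `dist/` as an artifact, and a publish job that alone carries `environment: release` and `id-token: write`, keeps that token away from build-time code. `contents: write` looks unused by the steps visible in this patch, since nothing shown attaches files to a GitHub release; drop it unless a step outside the hunks needs it. The steps between the two hunks are not visible here, so the sketch below stands in for them with a comment and assumes the default `dist/` output directory.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
    # … unchanged: checkout, Python setup, dependency install, python -m build …
    - uses: actions/upload-artifact@v4
      with:
        name: dist
        path: dist/

  release-pipeline:
    needs: build
    runs-on: ubuntu-latest
    environment: release
    permissions:
      # Only the publishing job may request the OIDC token that PyPI trusts.
      id-token: write
    steps:
    - uses: actions/download-artifact@v4
      with:
        name: dist
        path: dist/
    # … unchanged: Publish distribution 📦 to PyPI step …
```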
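Review bot: The publish step still references `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move, and after this change the action runs in a job with `id-token: write` and so obtains upload rights for the project on PyPI. Pinning it to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, means an upstream change is only picked up through a reviewed update. Because trusted publishing on PyPI is bound to the workflow file name and, when set, the environment, the publisher entry needs to name `release.yml` and `release` after this rename, otherwise the first tagged run will fail to authenticate. The `LABS_PYPI_TOKEN` secret is no longer read by the workflow, so it should be revoked on PyPI and deleted from the repository secrets rather than left as an unused long-lived credential.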