Use trusted publishing

madig · madig · commit 9994d5ae8692 · 2025-09-22T19:42:53.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -43,6 +43,12 @@ jobs:
     if: contains(github.ref, 'refs/tags/')
     env:
       GH_TOKEN: ${{ github.token }}
+    environment:
+      name: publish-to-pypi
+      url: https://pypi.org/p/uharfbuzz
+    permissions:
+      id-token: write # IMPORTANT: mandatory for trusted publishing
+
     steps:
     - uses: actions/checkout@v4
       with:
@@ -100,9 +106,6 @@ jobs:
                             $notes \
                             $prerelease
     - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
       run: |
         if [ "$IS_PRERELEASE" == true ]; then
           echo "DEBUG: This is a pre-release"
