Upgrade PyPI upload workflow to use Trusted Publishing (psf#4589) (psf#4611)

* Upgrade PyPI upload workflow to use Trusted Publishing

* Add changelog entry for PyPI Trusted Publishing upgrade

* Added PR number for changelog CI

---------

Co-authored-by: Cooper Lees <[email protected]>

Author: ahmed5145

.github/workflows/pypi_upload.yml

@@ -10,12 +10,16 @@ on:
 
 permissions:
   contents: read
+  id-token: write # Required for PyPI trusted publishing
 
 jobs:
   main:
     name: sdist + pure wheel
     runs-on: ubuntu-latest
     if: github.event_name == 'release'
+    environment:
+      name: release
+      url: https://pypi.org/p/black
 
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -28,19 +32,19 @@ jobs:
           python-version: "3.13"
           allow-prereleases: true
 
-      - name: Install latest pip, build, twine
+      - name: Install latest pip, build
         run: |
           python -m pip install --upgrade --disable-pip-version-check pip
-          python -m pip install --upgrade build twine
+          python -m pip install --upgrade build
 
       - name: Build wheel and source distributions
         run: python -m build
 
       - if: github.event_name == 'release'
-        name: Upload to PyPI via Twine
-        env:
-          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
-        run: twine upload --verbose -u '__token__' dist/*
+        name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          verbose: true
 
   generate_wheels_matrix:
     name: generate wheels matrix
@@ -91,6 +95,10 @@ jobs:
     name: mypyc wheels ${{ matrix.only }}
     needs: generate_wheels_matrix
     runs-on: ${{ matrix.os }}
+    if: github.event_name == 'release'
+    environment:
+      name: release
+      url: https://pypi.org/p/black
     strategy:
       fail-fast: false
       matrix:
@@ -112,10 +120,11 @@ jobs:
           path: ./wheelhouse/*.whl
 
       - if: github.event_name == 'release'
-        name: Upload wheels to PyPI via Twine
-        env:
-          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
-        run: pipx run twine upload --verbose -u '__token__' wheelhouse/*.whl
+        name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: wheelhouse/
+          verbose: true
 
   update-stable-branch:
     name: Update stable branch

CHANGES.md

@@ -45,6 +45,8 @@
 
 <!-- For example, Docker, GitHub Actions, pre-commit, editors -->
 
+- Upgraded PyPI upload workflow to use Trusted Publishing (#4611)
+
 ### Documentation
 
 <!-- Major changes to documentation and policies. Small docs changes