Use OpenID Connect for package publishing

Signed-off-by: Keith Battocchi <[email protected]>

Author: kbattocchi

.github/workflows/publish-package.yml

@@ -117,25 +117,17 @@ jobs:
   publish:
     name: Publish to PyPI or TestPyPI
     needs: [merge]
+    permissions:
+      id-token: write
+    if: ${{ inputs.publish }}
     runs-on: ubuntu-latest
     steps:
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.9
-      - name: Ensure latest pip and setuptools
-        run: python -m pip install --upgrade pip && pip install --upgrade setuptools
-      - name: Install twine
-        run: pip install twine
       - name: Download wheels and sdist
         uses: actions/download-artifact@v4
         with:
           name: dist
           path: dist/
       - name: Upload wheels and sdist to package index
-        run: twine upload dist/*
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_REPOSITORY: ${{ inputs.repository }}
-          TWINE_PASSWORD: ${{ inputs.repository == 'pypi' && secrets.PYPI_UPLOAD_TOKEN  || secrets.TEST_PYPI_UPLOAD_TOKEN }}
-    if: ${{ inputs.publish }}
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: ${{ inputs.repository == 'testpypi' && 'https://test.pypi.org/legacy/' || '' }}