Update release workflow to use Trusted Publishing (#2696)

Author: cdce8p

.github/workflows/release.yml

@@ -12,12 +12,10 @@ permissions:
   contents: read
 
 jobs:
-  release-pypi:
-    name: Upload release to PyPI
+  build:
+    name: Build release assets
     runs-on: ubuntu-latest
-    environment:
-      name: PyPI
-      url: https://pypi.org/project/astroid/
+    if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
     steps:
       - name: Check out code from Github
         uses: actions/[email protected]
@@ -31,15 +29,52 @@ jobs:
         run: |
           # Remove dist, build, and astroid.egg-info
           # when building locally for testing!
-          python -m pip install twine build
+          python -m pip install build
       - name: Build distributions
         run: |
           python -m build
+      - name: Upload release assets
+        uses: actions/[email protected]
+        with:
+          name: release-assets
+          path: dist/
+
+  release-pypi:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    needs: ["build"]
+    environment:
+      name: PyPI
+      url: https://pypi.org/project/astroid/
+    permissions:
+      id-token: write
+    steps:
+      - name: Download release assets
+        uses: actions/[email protected]
+        with:
+          name: release-assets
+          path: dist/
       - name: Upload to PyPI
         if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
-        env:
-          TWINE_REPOSITORY: pypi
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-        run: |
-          twine upload --verbose dist/*
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  release-github:
+    name: Upload assets to Github release
+    runs-on: ubuntu-latest
+    needs: ["build"]
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Download release assets
+        uses: actions/[email protected]
+        with:
+          name: release-assets
+          path: dist/
+      - name: Sign the dists with Sigstore and upload assets to Github release
+        if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
+        uses: sigstore/[email protected]
+        with:
+          inputs: |
+            ./dist/*.tar.gz
+            ./dist/*.whl

ChangeLog

@@ -47,6 +47,10 @@ Release date: TBA
   Closes #2686
   Closes pylint-dev/pylint#8589
 
+* Upload release assets to PyPI via Trusted Publishing.
+
+  Refs pylint-dev/pylint#10256
+
 
 What's New in astroid 3.3.8?
 ============================