use openID connect to authenticate PyPI

Author: maximvochten

.github/workflows/publish-to-pypi.yml

@@ -5,8 +5,12 @@ on:
     types: [published]
 
 jobs:
-  deploy:
+  pypi-publish:
+    name: upload release to PyPI
     runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python
@@ -17,9 +21,8 @@ jobs:
       run: |
         python -m pip install --upgrade pip
         pip install poetry
-    - name: Build and publish
-      env:
-        PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+    - name: Build
       run: |
         poetry build
-        poetry publish --username __token__ --password $PYPI_API_TOKEN
+    - name: Publish package distributions to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1