From bfcd4fd2c3bec027816944a60ca92a270e1c356b Mon Sep 17 00:00:00 2001
From: Graeme Watt <Graeme.Watt@durham.ac.uk>
Date: Tue, 14 Nov 2023 12:34:22 +0000
Subject: [PATCH] ci: switch to PyPI's trusted publishing

* https://github.com/marketplace/actions/pypi-publish#trusted-publishing
---
 .github/workflows/ci.yml | 8 +++++---
 README.rst               | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7ef670d..90df15e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -55,6 +55,11 @@ jobs:
     needs: test
     if: github.event_name == 'release'
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/hepdata-validator
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
     - uses: actions/checkout@v3
     - name: Set up Python 3.9
@@ -67,6 +72,3 @@ jobs:
         python setup.py sdist bdist_wheel
     - name: Publish distribution to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_PASSWORD }}
diff --git a/README.rst b/README.rst
index cd6af1b..789b86a 100644
--- a/README.rst
+++ b/README.rst
@@ -2,7 +2,7 @@
  HEPData Validator
 ==================
 
-.. image:: https://github.com/HEPData/hepdata-validator/workflows/Continuous%20Integration/badge.svg?branch=main
+.. image:: https://github.com/HEPData/hepdata-validator/actions/workflows/ci.yml/badge.svg?branch=main
    :target: https://github.com/HEPData/hepdata-validator/actions?query=branch%3Amain
    :alt: GitHub Actions Build Status