Enable trusted publishing (#6)

Author: maresb

.github/workflows/publish.yml

@@ -10,21 +10,39 @@ on:
       - v*
 
 jobs:
+  build-package:
+    runs-on: ubuntu-latest
+    permissions:
+      # write attestations and id-token are necessary for attest-build-provenance-github
+      attestations: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: hynek/build-and-inspect-python-package@v2
+        with:
+          # Prove that the packages were built in the context of this workflow.
+          attest-build-provenance-github: true
   publish:
     runs-on: ubuntu-latest
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    # Use the `release` GitHub environment to protect the Trusted Publishing (OIDC)
+    # workflow by requiring signoff from a maintainer.
+    environment: release
+    needs: build-package
+    permissions:
+      # write id-token is necessary for trusted publishing (OIDC)
+      id-token: write
     steps:
-      - uses: actions/checkout@v2
-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - name: Download Distribution Artifacts
+        uses: actions/download-artifact@v4
         with:
-          python-version: "3.10"
-      - name: Install build dependencies
-        run: python -m pip install build
-      - name: Build package
-        run: python -m build
-      - name: Publish to PyPI
+          # The build-and-inspect-python-package action invokes upload-artifact.
+          # These are the correct arguments from that action.
+          name: Packages
+          path: dist
+      - name: Publish Package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
+        # Implicitly attests that the packages were uploaded in the context of this workflow.