From 63b50450fb1def237b9e87453628e7f1021c3f84 Mon Sep 17 00:00:00 2001
From: Oleh Prypin <oleh@pryp.in>
Date: Mon, 18 Sep 2023 18:13:47 +0200
Subject: [PATCH] Change PyPI deploy to rely on "trusted publishers" (#3400)

---
 .github/workflows/deploy-release.yml | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/deploy-release.yml b/.github/workflows/deploy-release.yml
index d1aedce2..bd62c49b 100644
--- a/.github/workflows/deploy-release.yml
+++ b/.github/workflows/deploy-release.yml
@@ -1,28 +1,22 @@
-name: deploy-release
-
+name: Deploy release
 on:
   push:
     tags:
-    - '*'
-
+      - '*'
 jobs:
   pypi:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Python
         uses: actions/setup-python@v4
         with:
-          python-version: '3.10'
-      - name: Install Hatch
-        run: |
-          python -m pip install -U hatch
+          python-version: '3.11'
+      - name: Install dependencies
+        run: pip install -U build
       - name: Build package
-        run: |
-          hatch build
-      - name: Publish
-        run: |
-          hatch publish
-        env:
-          HATCH_INDEX_USER: __token__
-          HATCH_INDEX_AUTH: ${{ secrets.PYPI_PASSWORD }}
+        run: python -m build
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1