From 1ad5b5c0f386e082af4a7802dac5d3ce14086f13 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sun, 21 May 2023 10:32:59 +0200
Subject: [PATCH] ci: transition to pypi trusted workflow release
---
.github/workflows/publish.yaml | 37 ----------------------
.github/workflows/release.yaml | 56 ++++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+), 37 deletions(-)
delete mode 100644 .github/workflows/publish.yaml
create mode 100644 .github/workflows/release.yaml
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
deleted file mode 100644
index 549e7b7a..00000000
--- a/.github/workflows/publish.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# This is a GitHub workflow defining a set of jobs with a set of steps.
-# ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
-#
-# Publish to PyPI on push of version like tags
-#
-name: Publish
-
-on:
- push:
- tags: v?[0-9]+.[0-9]+.[0-9]+*
-
-jobs:
- publish-to-pypi:
- name: Publish to PyPI
- runs-on: ubuntu-20.04
- steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
- with:
- python-version: "3.10"
-
- - name: Install build package
- run: |
- pip install --upgrade pip
- pip install build
- pip freeze
-
- - name: Build release
- run: |
- python -m build --sdist --wheel .
- ls -alh dist
-
- - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@v1.8.5
- with:
- user: __token__
- password: ${{ secrets.pypi_password }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 00000000..cf0480c0
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,56 @@
+# This is a GitHub workflow defining a set of jobs with a set of steps.
+# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+#
+name: Release
+
+# Always tests wheel building, but only publish to PyPI on pushed tags.
+on:
+ pull_request:
+ paths-ignore:
+ - "docs/**"
+ - "**.md"
+ - ".github/workflows/*.yaml"
+ - "!.github/workflows/release.yaml"
+ push:
+ paths-ignore:
+ - "docs/**"
+ - "**.md"
+ - ".github/workflows/*.yaml"
+ - "!.github/workflows/release.yaml"
+ branches-ignore:
+ - "dependabot/**"
+ - "pre-commit-ci-update-config"
+ tags: ["**"]
+ workflow_dispatch:
+
+jobs:
+ build-release:
+ runs-on: ubuntu-22.04
+ permissions:
+ # id-token=write is required for pypa/gh-action-pypi-publish, and the PyPI
+ # project needs to be configured to trust this workflow.
+ #
+ # ref: https://github.com/jupyterhub/team-compass/issues/648
+ #
+ id-token: write
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-python@v4
+ with:
+ python-version: "3.11"
+
+ - name: install build package
+ run: |
+ pip install --upgrade pip
+ pip install build
+ pip freeze
+
+ - name: build release
+ run: |
+ python -m build --sdist --wheel .
+ ls -l dist
+
+ - name: publish to pypi
+ uses: pypa/gh-action-pypi-publish@release/v1
+ if: startsWith(github.ref, 'refs/tags/')
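Review bot: `id-token: write` is granted to the whole `build-release` job, so the `pip install build` and `python -m build` steps, which run build-backend and dependency code, execute in a job that can request the OIDC token PyPI is configured to trust. That holds on branch pushes, `workflow_dispatch` and same-repository pull requests too, because only the final step carries the `startsWith(github.ref, 'refs/tags/')` guard. Building without the permission, passing `dist/` on as an artifact, and giving `id-token: write` only to a tag-gated publish job would narrow this. Presumably the PyPI-side publisher could additionally be tied to a GitHub environment, which the page does not show. Separately, the publish action moved from the fixed `v1.8.5` tag to the moving `release/v1` branch; pinning it to a full commit SHA would keep the code that receives the token fixed.

```yaml
jobs:
  build-release:
    runs-on: ubuntu-22.04
    steps:
      # … unchanged: checkout, setup-python, install build package, build release …
      - uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/

  publish-to-pypi:
    needs: build-release
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-22.04
    permissions:
      # … unchanged: comment on id-token and the PyPI trust configuration …
      id-token: write
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/
      - name: publish to pypi
        uses: pypa/gh-action-pypi-publish@release/v1
```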