From 956e394e1b1d18efbec87691f8dd7a9ba6930f94 Mon Sep 17 00:00:00 2001
From: Julian Berman <Julian@GrayVines.com>
Date: Wed, 17 May 2023 09:55:41 -0400
Subject: [PATCH] Move to using Trusted Publishers.

See https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
---
 .github/workflows/ci.yml | 37 ++++++++++++++++---------------------
 1 file changed, 16 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6a6d413..07664ae 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,7 +12,6 @@ on:
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: "1"
   PIP_NO_PYTHON_VERSION_WARNING: "1"
-  PYTHON_LATEST: "3.11"
 
 jobs:
   pre-commit:
@@ -21,7 +20,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
-          python-version: ${{ env.PYTHON_LATEST }}
+          python-version: "3.x"
       - uses: pre-commit/action@v3.0.0
 
   list:
@@ -56,14 +55,14 @@ jobs:
         run: >
           sudo apt-get update &&
           sudo apt-get install -y libenchant-2-dev
-        if: runner.os == 'Linux'
+        if: runner.os == 'Linux' && startsWith(matrix.noxenv, 'docs')
       - name: Install dependencies
         run: brew install enchant
-        if: runner.os == 'macOS'
+        if: runner.os == 'macOS' && startsWith(matrix.noxenv, 'docs')
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: ${{ env.PYTHON_LATEST }}
+          python-version: "3.x"
       - name: Set up nox
         uses: wntrblm/nox@2023.04.22
       - name: Run nox
@@ -72,34 +71,30 @@ jobs:
   packaging:
     needs: ci
     runs-on: ubuntu-latest
+    environment:
+      name: PyPI
+      url: https://pypi.org/p/jsonschema-specifications
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: ${{ env.PYTHON_LATEST }}
+          python-version: "3.x"
       - name: Install dependencies
         run: python -m pip install build
       - name: Create packages
         run: python -m build .
-      - uses: actions/upload-artifact@v3
-        with:
-          name: dist
-          path: dist
-      - name: Publish the package
+      - name: Publish to PyPI
         if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.pypi_password }}
       - name: Create a Release
         if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
-        uses: actions/github-script@v6
+        uses: softprops/action-gh-release@v1
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
-          script: |
-            await github.request(`POST /repos/${{ github.repository }}/releases`, {
-              tag_name: "${{ github.ref }}",
-              generate_release_notes: true
-            });
+          files: |
+            dist/*
+          generate_release_notes: true