From 2e668d4d8fc8467ca5f8616be154f54728077549 Mon Sep 17 00:00:00 2001
From: Gerrod Ubben <gerrodubben@gmail.com>
Date: Tue, 28 Oct 2025 14:42:04 -0400
Subject: [PATCH] Test out using PyPI's Trusted Publisher

(cherry picked from commit 2a2d2f66045447b1227434208c2105d0881108f4)
---
 .github/workflows/publish.yml | 70 ++++++++---------------------------
 1 file changed, 16 insertions(+), 54 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index cba619d0..92342372 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,83 +23,45 @@ jobs:
     runs-on: "ubuntu-latest"
     needs:
       - "build"
-
-    env:
-      GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+    environment:
+      name: "pypi"
+      url: "https://pypi.org/p/pulp-ostree"
+    permissions:
+      id-token: "write"
 
     steps:
-      - uses: "actions/checkout@v4"
-        with:
-          fetch-depth: 1
-          path: "pulp_ostree"
-
       - uses: "actions/download-artifact@v4"
         with:
           name: "plugin_package"
-          path: "pulp_ostree/dist/"
+          path: "dist/"
 
-      - uses: "actions/setup-python@v5"
-        with:
-          python-version: "3.11"
-
-      - name: "Install python dependencies"
-        run: |
-          echo ::group::PYDEPS
-          pip install twine
-          echo ::endgroup::
-
-      - name: "Setting secrets"
-        run: |
-          python3 .github/workflows/scripts/secrets.py "$SECRETS_CONTEXT"
-        env:
-          SECRETS_CONTEXT: "${{ toJson(secrets) }}"
-
-      - name: "Deploy plugin to pypi"
-        run: |
-          .github/workflows/scripts/publish_plugin_pypi.sh ${{ github.ref_name }}
+      - name: "Publish package to PyPI"
+        uses: pypa/gh-action-pypi-publish@release/v1
   publish-python-bindings:
     runs-on: "ubuntu-latest"
     needs:
       - "build"
-
-    env:
-      GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+    environment:
+      name: "pypi"
+    permissions:
+      id-token: "write"
 
     steps:
-      - uses: "actions/checkout@v4"
-        with:
-          fetch-depth: 1
-          path: "pulp_ostree"
+      - name: "Clean up dist directory"
+        run: |
+          rm -rf dist/*
 
       - name: "Download Python client"
         uses: "actions/download-artifact@v4"
         with:
           name: "python-client.tar"
-          path: "pulp_ostree/"
 
       - name: "Untar python client packages"
         run: |
           tar -xvf ostree-python-client.tar
 
-      - uses: "actions/setup-python@v5"
-        with:
-          python-version: "3.11"
-
-      - name: "Install python dependencies"
-        run: |
-          echo ::group::PYDEPS
-          pip install twine
-          echo ::endgroup::
-
-      - name: "Setting secrets"
-        run: |
-          python3 .github/workflows/scripts/secrets.py "$SECRETS_CONTEXT"
-        env:
-          SECRETS_CONTEXT: "${{ toJson(secrets) }}"
-
       - name: "Publish client to pypi"
-        run: |
-          bash .github/workflows/scripts/publish_client_pypi.sh ${{ github.ref_name }}
+        uses: pypa/gh-action-pypi-publish@release/v1
   publish-ruby-bindings:
     runs-on: "ubuntu-latest"
     needs: