From 6d2bdfc98768a8acad911b063ab034448bd1970a Mon Sep 17 00:00:00 2001
From: Keith Battocchi
Date: Fri, 22 Mar 2024 20:22:49 -0400
Subject: [PATCH] Use OpenID Connect for package publishing

Signed-off-by: Keith Battocchi
---
 .github/workflows/publish-package.yml | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index 08ead5c6..7cd4322c 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -117,25 +117,17 @@ jobs:
 publish:
 name: Publish to PyPI or TestPyPI
 needs: [merge]
+ permissions:
+ id-token: write
+ if: ${{ inputs.publish }}
 runs-on: ubuntu-latest
 steps:
- - name: Setup Python
- uses: actions/setup-python@v5
- with:
- python-version: 3.9
- - name: Ensure latest pip and setuptools
- run: python -m pip install --upgrade pip && pip install --upgrade setuptools
- - name: Install twine
- run: pip install twine
 - name: Download wheels and sdist
 uses: actions/download-artifact@v4
 with:
 name: dist
 path: dist/
 - name: Upload wheels and sdist to package index
- run: twine upload dist/*
- env:
- TWINE_USERNAME: __token__
- TWINE_REPOSITORY: ${{ inputs.repository }}
- TWINE_PASSWORD: ${{ inputs.repository == 'pypi' && secrets.PYPI_UPLOAD_TOKEN || secrets.TEST_PYPI_UPLOAD_TOKEN }}
- if: ${{ inputs.publish }}
\ No newline at end of file
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ repository-url: ${{ inputs.repository == 'testpypi' && 'https://test.pypi.org/legacy/' || '' }}
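Review bot: The publishing step added at the end of the hunk references `pypa/gh-action-pypi-publish@release/v1`, a moving branch ref, in a job that now grants `id-token: write`, so whoever can move that ref can run code holding a token PyPI will accept for this project; pin it to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<FULL-COMMIT-SHA>  # release/v1`, and consider the same for `actions/download-artifact@v4` on the context line above it. The new `repository-url` expression also changes the failure mode for an unexpected `inputs.repository` value: the removed `TWINE_REPOSITORY`/`TWINE_PASSWORD` pair would have failed authentication for anything but the two known names, whereas the new expression sends every value other than `'testpypi'` to production PyPI, so this is only safe if `inputs.repository` is a constrained `choice` input (its definition is outside the hunk; worth confirming). Since trusted publishing can bind the PyPI trust relationship to a GitHub environment, adding `environment: pypi` (or the equivalent name registered on PyPI) under the job, with required reviewers on that environment, would narrow the job that may mint the OIDC token beyond the workflow file name alone.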