From f1681c1a0a604e198fe319fb811751d51cff93db Mon Sep 17 00:00:00 2001
From: Matt Wozniski
Date: Fri, 15 May 2026 10:12:32 -0700
Subject: [PATCH] ci: Switch to Trusted Publishing

Stop using long-lived secrets for PyPI publishing.

Signed-off-by: Matt Wozniski
---
 .github/workflows/build_wheels.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml
index 22cb40fd..8d7dc757 100644
--- a/.github/workflows/build_wheels.yml
+++ b/.github/workflows/build_wheels.yml
@@ -413,6 +413,8 @@ jobs:
 needs: [test_wheels]
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
+ permissions:
+ id-token: write # Required to retrieve a Trusted Publishing token
 steps:
 - uses: actions/download-artifact@v8
 with:
@@ -426,4 +428,3 @@ jobs:
 - uses: pypa/gh-action-pypi-publish@release/v1
 with:
 skip_existing: true
- password: ${{ secrets.PYPI_PASSWORD }}
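Review bot: The new `permissions:` block in the first hunk lets every step of this job request an OIDC token that PyPI exchanges for an upload credential, yet no `environment:` key appears among the job keys shown (`needs`, `runs-on`, `if`), so the trusted publisher can presumably only be scoped to the workflow file rather than to a protected environment. Consider adding `environment: pypi` (placeholder name) next to `runs-on:` and registering the same name in the PyPI publisher settings, which also allows required reviewers on a release. The job's header line is outside the hunk, so an `environment:` declared above `needs:` would not be visible here. In the second hunk the publishing step still uses the mutable ref `pypa/gh-action-pypi-publish@release/v1`; pinning it to a full commit SHA keeps the code that receives the token from changing underneath the job. Removing the `password:` input does not invalidate the credential, so the `PYPI_PASSWORD` token should also be revoked on PyPI and deleted from the repository secrets once this lands.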