From f56cc09d126c2b4b9f4494b232b27861c5526d0a Mon Sep 17 00:00:00 2001
From: Konstantin Chernyshev <k4black@ya.ru>
Date: Wed, 1 Nov 2023 20:57:57 +0100
Subject: [PATCH] ci(pip): move to trusted publishing

---
 .github/workflows/publish.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 48bf76a..1f39ac1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -58,15 +58,17 @@ jobs:
   release-python-package:
     needs: [external-build-workflow, update-version-and-changelog]
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/codebleu
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
       - uses: actions/download-artifact@v3
         with:
           name: artifact  # if `name: artifact` is omitted, the action will create extra parent dir
           path: dist
-      # TODO: Trusted publishing
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.PYPI_TOKEN }}
 
   sync-to-hf-hub:
     needs: update-version-and-changelog