From 4fa1dcf74ac8a9486538b3820db21020cdf9a1cd Mon Sep 17 00:00:00 2001
From: Julia Signell <jsignell@gmail.com>
Date: Tue, 11 Mar 2025 11:31:11 -0400
Subject: [PATCH] Use trusted publisher for pypi

---
 .github/workflows/release.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0e5f150..0f47850 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,12 @@ jobs:
   build-n-publish:
     name: Build and publish to PyPI
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/x/xpystac
+    permissions:
+      id-token: write
+    if: ${{ github.repository }} == 'stac-utils/xpystac'
 
     steps:
       - name: checkout repo
@@ -26,7 +32,3 @@ jobs:
 
       - name: Publish distribution to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          # Password is set in GitHub UI to an API secret for pypi
-          user: __token__
-          password: ${{ secrets.PYPI_API_KEY }}