From bf1cec800668abb8cbeb7f46f49e3602dd456a12 Mon Sep 17 00:00:00 2001
From: Sviatoslav Sydorenko <wk@sydorenko.org.ua>
Date: Sat, 13 Jul 2024 22:12:48 +0200
Subject: [PATCH] Integrate tokenless publishing @ GHA CD workflow

---
 .github/workflows/publish.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 774be5cd..5001afd4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -311,6 +311,14 @@ jobs:
       - test-wheels-arm64-mac
       - test-wheels-windows
 
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+
+    environment:
+      name: pypi
+      url: >-
+        https://pypi.org/project/aiokafka/${{ github.ref_name }}
+
     steps:
       - uses: actions/checkout@v2
       - name: Download distributions
@@ -320,6 +328,3 @@ jobs:
           path: dist/
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: ${{ secrets.PYPI_USERNAME }}
-          password: ${{ secrets.PYPI_PASSWORD }}