From 7e7bd7581af7b4d76cb8146574168362bdb47331 Mon Sep 17 00:00:00 2001
From: Jan Richter <jarichte@redhat.com>
Date: Fri, 3 May 2024 15:11:54 +0200
Subject: [PATCH] PyPI release update

This commit updates the pypi release process. It uses PyPI Trusted
Publisher Management and gh-action-pypi-publish action instead of
private token. This change will make our pypi process more simple and
more secure.

Reference: #5903
Signed-off-by: Jan Richter <jarichte@redhat.com>
---
 .github/workflows/release.yml | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 014c83956b..f6a5d87777 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -80,12 +80,25 @@ jobs:
         run: |
           make -f Makefile.gh build-update-readthedocs
       - run: echo "In a few minutes the release documentation will be available in https://${{ github.event.inputs.rtd_project }}.readthedocs.io/en/${{ github.event.inputs.version }}/"
-      - name: Upload to pypi
-        continue-on-error: true
-        env:
-          TWINE_USERNAME: ${{ secrets.PYPI_USER }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWD }}
-        run: make -f Makefile.gh update-pypi
+
+  publish-to-pypi:
+    name: Publish Avocado to PyPI
+    needs:
+    - release
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/avocado-framework
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+    steps:
+    - name: Download all the wheels
+      uses: actions/download-artifact@v4
+      with:
+        name: wheel
+        path: dist/
+    - name: Publish avocado to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
 
   build-and-publish-eggs:
     name: Build eggs and publish them