From b2f44b9b9b3f4780668906e90fef1e5e61c285dd Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Wed, 28 Jan 2026 10:43:45 -0800
Subject: [PATCH] Migrate PyPI publishing to Trusted Publishing (OIDC) (#8420)
* Initial plan
* Migrate publish-pypi job to PyPI Trusted Publishing (OIDC)
Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>
---
 .github/workflows/release.yml | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4f2071119..109703816 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -650,26 +650,18 @@ jobs:
 if: ${{ github.event.inputs.publish_pypi == 'true' }}
 needs: [python-package]
 runs-on: ubuntu-latest
+ environment: pypi
+ permissions:
+ id-token: write
+ contents: read
 steps:
- - name: Checkout code
- uses: actions/checkout@v6
-
- - name: Setup Python
- uses: actions/setup-python@v6
- with:
- python-version: '3.x'
-
 - name: Download Python packages
 uses: actions/download-artifact@v7.0.0
 with:
 name: PythonPackage
 path: dist
 
- - name: Install twine
- run: python3 -m pip install --user -U setuptools importlib_metadata wheel twine
-
 - name: Publish to PyPI
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
- run: python3 -m twine upload dist/*
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: dist
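Review bot: The new publish step references `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move, in the one job that is granted `id-token: write`; whatever code that ref points to at release time runs with the ability to request the OIDC token PyPI accepts for uploads. Pinning it to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, keeps the publishing identity tied to reviewed code, and `actions/download-artifact@v7.0.0` on the context lines is a tag that could be pinned the same way. The `environment: pypi` line only acts as a gate if that environment has protection rules and the PyPI trusted-publisher entry is restricted to this workflow file and environment name, neither of which the diff shows. The `PYPI_API_TOKEN` secret is no longer referenced in this hunk, so it presumably should be revoked on PyPI and deleted from the repository secrets once this lands. The job header sits above the hunk, so the job name and anything before `if:` are not visible here.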