From 2ec883c7c2bbca6b716f0d742d005332f5a96abf Mon Sep 17 00:00:00 2001
From: Laurie O
Date: Thu, 18 Dec 2025 17:45:43 +1000
Subject: [PATCH] Use official action to publish package in CI

This enables trusted publishing (with attestations). Workflow was split into build and deploy jobs (to minimise privileged token access).
---
 .github/workflows/pypipublish.yaml | 36 +++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/pypipublish.yaml b/.github/workflows/pypipublish.yaml
index 821a4bcc9..51082c641 100644
--- a/.github/workflows/pypipublish.yaml
+++ b/.github/workflows/pypipublish.yaml
@@ -5,7 +5,7 @@ on:
     types: [created]
 
 jobs:
-  deploy:
+  build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
@@ -17,10 +17,34 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install hatch twine
-      - name: Build and publish
-        env:
-          TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+      - name: Build
         run: |
           hatch build
-          twine upload dist/*
+      - name: Upload artifact
+        uses: actions/upload-artifact@v6
+        with:
+          name: packages
+          path: dist/
+          if-no-files-found: error
+          compression-level: 0
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      contents: read
+      id-token: write
+    environment:
+      name: pypi
+      url: https://pypi.org/p/fsspec
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v7
+        with:
+          name: packages
+          path: dist/
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          print-hash: true
+          verbose: true
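Review bot: The new `deploy` job correctly scopes its token to `contents: read` / `id-token: write`, but the renamed `build` job gets no `permissions:` block at all, so it runs with whatever the repository's default GITHUB_TOKEN permissions are, which undercuts the stated aim of minimising privileged token access; add `permissions:` / `  contents: read` under `build:` (a workflow-level `permissions:` may exist above the hunk, which I cannot see). The `pip install hatch twine` context line still installs `twine` even though the `twine upload` step is removed, so it can be dropped from the install list to shrink the build environment. The third-party actions (`actions/upload-artifact@v6`, `actions/download-artifact@v7`, `pypa/gh-action-pypi-publish@release/v1`) are referenced by mutable tag/branch; pinning each to a full commit SHA with a version comment is the usual supply-chain hardening for a publishing workflow. The `environment: pypi` name presumably has to match the trusted-publisher configuration registered on PyPI for this workflow file, and once this lands the old `PYPI_USERNAME`/`PYPI_PASSWORD` secrets are dead and the corresponding PyPI token should be revoked.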