From 5a7067db322eca37bcd10af743227765bbeb5998 Mon Sep 17 00:00:00 2001
From: Stephen Kent
Date: Tue, 14 Jan 2025 12:25:09 -0800
Subject: [PATCH] Configure PyPI trusted publishing

---
 tests/test_template.py | 2 +-
 .../.github/workflows/cd.yml | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/tests/test_template.py b/tests/test_template.py
index 7f1146a..e9ff84c 100644
--- a/tests/test_template.py
+++ b/tests/test_template.py
@@ -132,7 +132,7 @@ def test_rendered_project(
         cd_data = yaml.safe_load(f.read())
     assert ci_data["env"]["ENABLE_COVERAGE"] == enable_coverage
     assert cd_data["env"]["ENABLE_PYPI_PUBLISH"] == enable_pypi_publish
-    assert cd_data["env"]["ENABLE_TEST_PYPI_PUBLISH"] == enable_pypi_publish
+    assert cd_data["env"]["ENABLE_TEST_PYPI_PUBLISH"] is False
 
     assert not (
         subprocess.check_output(
diff --git a/{{cookiecutter.project_name}}/.github/workflows/cd.yml b/{{cookiecutter.project_name}}/.github/workflows/cd.yml
index 831b78c..4352a9d 100644
--- a/{{cookiecutter.project_name}}/.github/workflows/cd.yml
+++ b/{{cookiecutter.project_name}}/.github/workflows/cd.yml
@@ -3,7 +3,7 @@ name: Release
 
 env:
   ENABLE_PYPI_PUBLISH: {{ "true" if cookiecutter.enable_pypi_publish|lower == "yes" else "false" }}
-  ENABLE_TEST_PYPI_PUBLISH: {{ "true" if cookiecutter.enable_pypi_publish|lower == "yes" else "false" }}
+  ENABLE_TEST_PYPI_PUBLISH: false
   RELEASE_PYTHON_VERSION: "3.12"
   RELEASE_POETRY_VERSION: "2.0"
 
@@ -11,7 +11,6 @@ on:
   push:
     tags:
       - '*'
-  workflow_dispatch:
 
 jobs:
   Publish:
@@ -19,6 +18,11 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/{{ cookiecutter.project_name }}
+    permissions:
+      id-token: write
     steps:
       - name: 💾 Check out repository
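Review bot: `ENABLE_TEST_PYPI_PUBLISH: false` is now a hard-coded constant while the TestPyPI publish step still exists further down in the file, so the template ships a step that can only be enabled by hand-editing and whose prerequisites are stated nowhere. With the API-token input removed from that step, it can only authenticate via the job's OIDC token, which presumably needs a separate trusted publisher registered on test.pypi.org for the same workflow file and environment name — confirm against the PyPA trusted-publishing docs. I would add a comment above the line: `# TestPyPI also uses trusted publishing; register a publisher on test.pypi.org (same workflow + environment) before flipping this to true.` Since tests/test_template.py now pins this value with `is False`, the comment should also say that re-enabling it means revisiting that assertion.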
@@ -49,15 +53,12 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
         if: ${{ "{{" }} env.ENABLE_TEST_PYPI_PUBLISH == 'true' }}
         with:
-          password: ${{ "{{" }} secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
           skip-existing: true
 
       - name: ☢️ Publish to PyPI
         if: ${{ "{{" }} env.ENABLE_PYPI_PUBLISH == 'true' }}
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ "{{" }} secrets.PYPI_API_TOKEN }}
 
 concurrency:
   group: ${{ "{{" }} github.workflow }}-${{ "{{" }} github.ref }}
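Review bot: Dropping `password:` from both publish steps hands the job's OIDC token (granted by the `id-token: write` added earlier in the file) straight to `pypa/gh-action-pypi-publish@release/v1`, yet both `uses:` lines still reference the action by a mutable branch ref; with a publish-capable token flowing into it, pin to a commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<sha> # release/v1`, and let Dependabot bump it. The TestPyPI step keeps `repository-url: https://test.pypi.org/legacy/` with no credential at all, so if it is ever enabled it needs its own trusted publisher on test.pypi.org — a `#` comment on that step saying so would save the next user a confusing 403. Because the workflow triggers on any pushed tag and the job's `if:` accepts any `refs/tags/*`, the `pypi` environment declared outside this hunk should carry deployment protection rules (tag pattern and/or required reviewers) in the repository settings; the workflow cannot enforce that itself, so a comment pointing template users at those settings is worth adding.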