From 1ef6f301ed33a9b61cd371324a405a9811311c41 Mon Sep 17 00:00:00 2001
From: Keith Suderman <suderman@jhu.edu>
Date: Tue, 19 May 2026 14:36:27 -0400
Subject: [PATCH] Use a trusted publisher when publishing to PyPI

---
 .github/workflows/deploy.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 147c9bbf..a909d2a2 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write  # Required for trusted publishing to PyPI
 
 jobs:
   build-n-publish:
@@ -33,11 +34,8 @@ jobs:
     - name: Publish distribution 📦 to Test PyPI
       uses: pypa/gh-action-pypi-publish@v1.14.0
       with:
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
         repository_url: https://test.pypi.org/legacy/
         skip_existing: true
     - name: Publish distribution 📦 to PyPI
       if: github.event_name == 'release'
       uses: pypa/gh-action-pypi-publish@v1.14.0
-      with:
-        password: ${{ secrets.PYPI_API_TOKEN }}