From 3f635f27dffe0213a001a0689ec6e916ab0a7b27 Mon Sep 17 00:00:00 2001
From: Jonathan Chang
Date: Mon, 16 Dec 2024 13:05:14 -0800
Subject: [PATCH 1/2] Set up trusted publishing
---
 .github/workflows/pythonpackage.yml | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
index d18adae..75557ff 100644
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@@ -72,8 +72,20 @@ jobs:
 with:
 name: ${{ steps.build.outputs.version }}
 path: dist
- - if: startsWith(github.event.ref, 'refs/tags') && matrix.python-version == '3.13'
- uses: pypa/gh-action-pypi-publish@v1.12.3
+ publish-to-pypi:
+ name: Publish distribution to PyPI
+ if: startsWith(github.event.ref, 'refs/tags')
+ needs:
+ - build
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url: https://pypi.org/p/tact
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/download-artifact@v4
 with:
- user: __token__
- password: ${{ secrets.pypi_key }}
+ name: ${{ steps.build.outputs.version }}
+ path: dist/
+ - uses: pypa/gh-action-pypi-publish@release/v1
From 5649266be612361cc05da7c8a69123b4eaed751c Mon Sep 17 00:00:00 2001
From: Jonathan Chang
Date: Mon, 16 Dec 2024 13:09:01 -0800
Subject: [PATCH 2/2] Use GHA env variables
---
 .github/workflows/pythonpackage.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
index 75557ff..bfd2dbe 100644
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@@ -40,7 +40,7 @@ jobs:
 run: |
 # double echo to strip whitespace
 gitd=$(echo $(git describe --tags))
- echo "::set-output name=tag::$gitd"
+ echo "tag=$gitd"' >> $GITHUB_OUTPUT
 poetryv=$(echo v$(poetry version | cut -d ' ' -f2))
 echo $gitd
 echo $poetryv
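Review bot: In the `@@ -72,8 +72,20 @@` hunk of PATCH 1/2, the publish step moves from the pinned tag `v1.12.3` to the mutable branch ref `pypa/gh-action-pypi-publish@release/v1`, inside the one job that holds `id-token: write`. Whatever that branch points to at run time can request the OIDC token PyPI trusts, so pin it to a full commit SHA, e.g. `- uses: pypa/gh-action-pypi-publish@<FULL_COMMIT_SHA>  # release/v1`; the same applies to `actions/download-artifact@v4` in this job. Separately, `name: ${{ steps.build.outputs.version }}` in `publish-to-pypi` reads the `steps` context, which only covers steps of the current job, so it likely evaluates to an empty string and the download will not select the intended artifact. The version would have to be declared as a job output of `build` (outside this hunk) and read as `name: ${{ needs.build.outputs.version }}`. Because the tag-ref `if:` is the only gate visible here, the `pypi` environment should carry protection rules and the trusted-publisher entry on PyPI should name that environment.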
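Review bot: In the `@@ -40,7 +40,7 @@` hunk of PATCH 2/2, the added line `echo "tag=$gitd"' >> $GITHUB_OUTPUT` has a stray `'` after the closing double quote. In bash this opens a single-quoted string that swallows the redirection and runs on to the `'` in `cut -d ' ' -f2` on the next line, so the `tag` output is not written and `poetryv` is likely never assigned; depending on later quotes the step either fails on unbalanced quoting or echoes the text to the log. Any later comparison of `$gitd` with `$poetryv` (outside the hunk) could then not be relied on as a release gate. The line should read `echo "tag=$gitd" >> "$GITHUB_OUTPUT"`, and the `version=` line in the `@@ -64,7 +64,7 @@` hunk would benefit from the same quoted `"$GITHUB_OUTPUT"`. The `run:` script starts and ends outside this hunk.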
@@ -64,7 +64,7 @@ jobs:
 # Torture git-describe into an acceptable Python version format
 new_tag=$(git describe --tags | cut -c2- | sed 's/-/+/' | sed 's/-/./g')
 echo $new_tag
- echo "::set-output name=version::$new_tag"
+ echo "version=$new_tag" >> $GITHUB_OUTPUT
 poetry version $new_tag
 poetry build
 - uses: actions/upload-artifact@v4