From e8f33d267787f8247f18152005df5a32032a89d0 Mon Sep 17 00:00:00 2001
From: Ryan Mast <mast9@llnl.gov>
Date: Fri, 2 Feb 2024 14:33:15 -0800
Subject: [PATCH] Use deployment environment with trusted publishing for
 helics_apps PyPI uploads

---
 .github/workflows/pythonpackage.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
index d61357c..e6d1a2a 100644
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@@ -78,18 +78,23 @@ jobs:
     - name: Upload artifacts
       uses: actions/upload-artifact@v4
       with:
-        name: apps-python-dist
+        name: apps-python-sdist
         path: helics_apps-pip/dist/*.tar.gz
 
   publish-helics_apps:
     needs: [build-helics_apps, build-helics_apps-sdist]
     runs-on: ubuntu-latest
     if: github.event.action == 'published' || endsWith(github.ref, 'main')
+    environment:
+      name: pypi
+      url: https://pypi.org/p/helics-apps
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
     - name: Get the built packages
       uses: actions/download-artifact@v3
       with:
-        name: apps-python-dist
+        merge-multiple: true
         path: dist
 
     - name: Publish package to TestPyPI
@@ -103,6 +108,3 @@ jobs:
     - name: Publish package to PyPI
       if: github.event.action == 'published'
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.pypi_helics_apps_password }}