Use Trusted publishing for PyPI

Author: dofuuz

.github/workflows/build-dist.yml

@@ -91,6 +91,14 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     # alternatively, to publish when a GitHub Release is created, use the following rule:
     # if: github.event_name == 'release' && github.event.action == 'published'
+
+    environment:
+      name: pypi
+      url: https://pypi.org/p/soxr
+    permissions:
+      contents: write
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -99,16 +107,11 @@ jobs:
           merge-multiple: true
 
       - uses: softprops/action-gh-release@v2
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
         with:
           files: |
             dist/*.tar.gz
             dist/*.whl
 
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          # To test
-          # password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          # repository_url: https://test.pypi.org/legacy/
+        # with:
+        #   repository_url: https://test.pypi.org/legacy/  # To test