setup trusted publishing rather than PYPI_API_TOKEN secret

- chore(release.yml): configure permissions id-token write
- chore(release.yml): configure environment for pypi
- chore(release.yml): if condition to only run tagged version

.github/workflows/release.yml

@@ -17,8 +17,12 @@ env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1
   DEST_FOLDER: dist/
 
+permissions:
+  contents: read  # This is required for actions/checkout
+
 jobs:
   build:
+    if: github.event_name == 'create' && startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the repo
@@ -55,7 +59,11 @@ jobs:
     - name: Publish package
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        password: ${{ secrets.PYPI_API_TOKEN }}
+        environment:
+          name: pypi
+          url: https://pypi.org/p/logging-strict
+        permissions:
+          id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
 
     - name: Release GitHub
       uses: softprops/action-gh-release@v1

CHANGES.rst

@@ -22,6 +22,15 @@ Changelog
 
 .. scriv-start-here
 
+.. _changes_1-2-13:
+
+Version 1.2.13 — 2024-02-29
+---------------------------
+
+- chore(release.yml): configure permissions id-token write
+- chore(release.yml): configure environment for pypi
+- chore(release.yml): if condition to only run tagged version
+
 .. _changes_1-2-12:
 
 Version 1.2.12 — 2024-02-29

docs/conf.py

@@ -60,9 +60,9 @@
 # @@@ editable
 copyright = "2023–2024, Dave Faulkmore"
 # The short X.Y.Z version.
-version = "1.2.12"
+version = "1.2.13"
 # The full version, including alpha/beta/rc tags.
-release = "1.2.12"
+release = "1.2.13"
 # The date of release, in "monthname day, year" format.
 release_date = "February 29, 2024"
 # @@@ end