From 0814e4e7d26050778c0d535a213094164b816e0a Mon Sep 17 00:00:00 2001
From: Jake Lishman <jake.lishman@ibm.com>
Date: Fri, 6 Jun 2025 13:48:14 +0100
Subject: [PATCH] Switch to trusted publishers

---
 .github/workflows/release.yml | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 974874d..a805d2f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,8 +6,8 @@ on:
       - '*'
 
 jobs:
-  deploy-package:
-    name: Publish package
+  build-package:
+    name: Build package for publication
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -24,15 +24,27 @@ jobs:
 
       - uses: actions/upload-artifact@v4
         with:
+          name: openqasm3_pygments-dist
           path: |
             ./dist/*.whl
             ./dist/*.tar.gz
 
-      - name: Publish to PyPI
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.OPENQASM_BOT_PYPI_TOKEN }}
-        run: twine upload dist/*.whl dist/*.tar.gz
+  deploy-package:
+    name: Deploy package to PyPI
+    runs-on: ubuntu-latest
+    needs: ["build-package"]
+    environment: release
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: openqasm3_pygments-dist
+          path: dist
+
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist
 
       - name: Publish to GitHub
         uses: softprops/action-gh-release@v2