From 10aab60a279f79eee9a5b3d3821daf543a39e870 Mon Sep 17 00:00:00 2001
From: Louis Maddox
Date: Sat, 2 May 2026 17:46:38 +0100
Subject: [PATCH] chore(ci): upgrade PyPI CI job to use Trusted Publishing
---
 .github/workflows/publish.yml | 47 ++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c1b7ca9b2..f3c73a29a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -29,10 +29,6 @@ permissions:
 jobs:
   build_and_publish:
-    # This job builds the wheels and publishes them to PyPI for all
-    # tags, except those ending in ".dev". For PRs with the "Build all
-    # wheels" label, wheels are built, but are not uploaded to PyPI.
-
     permissions:
       contents: none
@@ -47,15 +43,8 @@ jobs:
         contains(github.event.pull_request.labels.*.name, 'Build all wheels')
       )
     with:
-      # We upload to PyPI for all tag pushes, except tags ending in .dev
-      upload_to_pypi: >-
-        ${{ startsWith(github.ref, 'refs/tags/') &&
-        !endsWith(github.ref, '.dev') &&
-        (
-          github.event_name == 'push' ||
-          github.event_name == 'workflow_dispatch'
-        )
-        }}
+      upload_to_pypi: false
+      save_artifacts: true
       test_extras: test
       test_command: pytest -p no:warnings --pyargs photutils
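Review bot: With the PyPI comments removed here and in the preceding hunk, `build_and_publish` no longer says what it does or why `save_artifacts: true` was added, even though the new `upload` job depends on those artifacts. A one-line comment above `upload_to_pypi: false` would keep that coupling visible, e.g. `# PyPI upload moved to the 'upload' job below; save artifacts so it can download them`. The job header and its `if:` condition start before this hunk, and whether the job still publishes elsewhere is only suggested by the `anaconda_token` secret it is passed further down.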
@@ -80,5 +69,35 @@ jobs:
       anaconda_keep_n_latest: 10
     secrets:
-      pypi_token: ${{ secrets.pypi_token }}
       anaconda_token: ${{ secrets.anaconda_token }}
+
+  upload:
+    # This job builds the wheels and publishes them to PyPI for all
+    # tags, except those ending in ".dev". For PRs with the "Build all
+    # wheels" label, wheels are built, but are not uploaded to PyPI.
+    permissions:
+      id-token: write
+    environment:
+      name: pypi
+      url: https://pypi.org/project/photutils/
+    # We upload to PyPI for all tag pushes, except tags ending in .dev
+    if: >-
+      ${{ startsWith(github.ref, 'refs/tags/') &&
+      !endsWith(github.ref, '.dev') &&
+      (
+        github.event_name == 'push' ||
+        github.event_name == 'workflow_dispatch'
+      )
+      }}
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    needs: [build_and_publish]
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          merge-multiple: true
+          pattern: dist-*
+          path: dist
+      - name: Upload to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
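Review bot: The three-line comment at the top of the new `upload` job is the one deleted from `build_and_publish` and no longer fits: this job builds nothing, and the "Build all wheels" label behaviour belongs to the job it `needs`. Replace it with a description of what this job actually does, e.g. `# Uploads the artifacts built by build_and_publish to PyPI via Trusted Publishing (OIDC); no API token is used, only the job-scoped id-token permission.` The `pypi` environment name has to match the environment set on the trusted publisher registered at PyPI (if one was set), and since that environment plus the tag check in `if:` are the only gates on a release, it should carry protection rules. Now that `pypi_token` is no longer passed to the reusable workflow, the corresponding PyPI API token and repository secret can be revoked and deleted so a long-lived credential does not linger. The `dist-*` artifact pattern is presumed to match what the reusable workflow saves with `save_artifacts: true`; confirm against its actual artifact names.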