Use trusted publishing for package uploads

.github/workflows/publish.yml

@@ -5,23 +5,39 @@ on:
     types: [created]
 
 jobs:
-  deploy:
+  build:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - name: Set up Python 3.8
+    - name: Set up Python 3.9
       uses: actions/setup-python@v5
       with:
-        python-version: 3.8
+        python-version: 3.9
     - name: Install build dependencies
       run: |
         python -m pip install --upgrade pip wheel build
     - name: Build package
       run: |
         python -m build
-    - name: Publish a Python distribution to PyPI
-      uses: pypa/[email protected]
+    - name: Upload Artifact
+      uses: actions/upload-artifact@v4
       with:
-        user: __token__
-        password: ${{ secrets.PYPI_UPLOAD_API_TOKEN }}
-
+        name: docstring-to-markdown dist ${{ github.run_number }}
+        path: ./dist
+  pypi-publish:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    needs: [build]
+    environment:
+      name: pypi
+      url: https://pypi.org/p/docstring-to-markdown
+    permissions:
+      id-token: write
+    steps:
+    - name: Download artifacts
+      uses: actions/download-artifact@v4
+      with:
+        name: docstring-to-markdown dist ${{ github.run_number }}
+        path: ./dist
+    - name: Publish package distributions to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1