From 4244ca4af68c2be05faa0f212633c2c919850bc8 Mon Sep 17 00:00:00 2001
From: Justus Magin <keewis@users.noreply.github.com>
Date: Sat, 22 Jun 2024 23:43:59 +0200
Subject: [PATCH] use trusted publishers to publish to PyPI (#261)

* use trusted publishers to publish

* remove the redundant `black` hook
---
 .github/workflows/pypi.yaml | 61 +++++++++++++++++++++++++++++--------
 .pre-commit-config.yaml     |  1 -
 2 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/pypi.yaml b/.github/workflows/pypi.yaml
index 08c38a69..57e99808 100644
--- a/.github/workflows/pypi.yaml
+++ b/.github/workflows/pypi.yaml
@@ -2,31 +2,66 @@ name: Upload Package to PyPI
 
 on:
   release:
-    types: [created]
+    types:
+      - published
 
 jobs:
-  deploy:
+  build-artifacts:
     runs-on: ubuntu-latest
     if: github.repository == 'xarray-contrib/pint-xarray'
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v5
         with:
-          python-version: '3.x'
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v5
+        name: Install Python
+        with:
+          python-version: "3.x"
+
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           python -m pip install build twine
-      - name: Build
+
+      - name: Build tarball and wheels
         run: |
-          python -m build --sdist --wheel --outdir dist/ .
-      - name: Check the built archives
+          git clean -xdf
+          git restore -SW .
+          python -m build --outdir dist/ .
+
+      - name: Check built artifacts
         run: |
-          twine check dist/*
-      - name: Publish to PyPI
+          python -m twine check --strict dist/*
+          pwd
+          if [ -f dist/pint-xarray-0.0.0.tar.gz ]; then
+            echo "❌ INVALID VERSION NUMBER"
+            exit 1
+          else
+            echo "✅ Looks good"
+          fi
+      - uses: actions/upload-artifact@v4
+        with:
+          name: releases
+          path: dist
+
+  upload-to-pypi:
+    needs: build-artifacts
+    if: github.event_name == 'release'
+    runs-on: ubuntu-latest
+
+    environment:
+      name: pypi
+      url: https://pypi.org/p/pint-xarray
+    permissions:
+      id-token: write
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: releases
+          path: dist
+      - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450
         with:
-          user: __token__
-          password: ${{ secrets.pypi_password }}
-          repository_url: https://upload.pypi.org/legacy/
+          verbose: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6e21d23e..9da55995 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,7 +19,6 @@ repos:
   - repo: https://github.com/psf/black
     rev: 24.4.2
     hooks:
-      - id: black
       - id: black-jupyter
   - repo: https://github.com/keewis/blackdoc
     rev: v0.3.9