From 891b8ba74e8be80e4b052c67e4351a23136149af Mon Sep 17 00:00:00 2001
From: Guillaume Mulocher <gmulocher@arista.com>
Date: Tue, 24 Dec 2024 16:51:45 +0100
Subject: [PATCH] ci: Add environment to protect publishing (#979)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ci: Add environment to protect publishing

* Update .github/workflows/release.yml

* Update .github/workflows/release.yml

* Update .github/workflows/release.yml

---------

Co-authored-by: Matthieu Tâche <tache.matthieu@gmail.com>
---
 .github/workflows/release.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d32be46df..4b3b35705 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,13 @@ on:
 
 jobs:
   pypi:
-    name: Publish version to Pypi servers
+    name: Publish Python 🐍 distribution 📦 to PyPI
     runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: https://pypi.org/p/anta
+    permissions:
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -19,11 +24,8 @@ jobs:
       - name: Build package
         run: |
           python -m build
-      - name: Publish package to Pypi
+      - name: Publish distribution 📦 to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
 
   release-coverage:
     name: Updated ANTA release coverage badge