From 34c21ddf0cfcb3b4fa20c492aa2a3563fbb12ccc Mon Sep 17 00:00:00 2001
From: Bill Little
Date: Tue, 1 Jul 2025 22:51:34 +0100
Subject: [PATCH 1/2] pypi: use trusted publishing for binary wheels

---
 .github/workflows/ci-wheels.yml | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci-wheels.yml b/.github/workflows/ci-wheels.yml
index 1bbb651dd5..f812d02a24 100644
--- a/.github/workflows/ci-wheels.yml
+++ b/.github/workflows/ci-wheels.yml
@@ -129,6 +129,10 @@ jobs:
     needs: test-wheel
     name: "publish to test.pypi"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)
+    environment: test-pypi
+
     # upload to Test PyPI for every commit on main branch
     # and check for the SciTools repo
     if: github.event_name == 'push' && github.event.ref == 'refs/heads/main' && github.repository_owner == 'SciTools'
@@ -138,18 +142,20 @@ jobs:
           name: pypi-artifacts
           path: ${{ github.workspace }}/dist
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
-          skip_existing: true
-          print_hash: true
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+          print-hash: true
 
   publish-artifacts-pypi:
     needs: test-wheel
     name: "publish to pypi"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)
+    environment: pypi
+
     # upload to PyPI for every tag starting with 'v'
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v') && github.repository_owner == 'SciTools'
     steps:
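Review bot: `environment: test-pypi` only hardens the publish path if a GitHub environment of that name exists with protection rules (a deployment-branch rule limited to `main` and/or required reviewers) and if the Trusted Publisher registered on test.pypi.org names the same environment; nothing on this page shows either, so that binding should be confirmed before the job is relied on. A comment on the line would make the coupling visible to the next maintainer: `environment: test-pypi  # must match the environment name in the Trusted Publisher config on test.pypi.org`. Declaring `permissions` at job level also resets every other `GITHUB_TOKEN` scope to none for this job, which is the intended least-privilege outcome; the `actions/download-artifact` step above the hunk does not appear to need more, but this is worth verifying on the first run. yamllint's `comments` rule expects two spaces before an inline comment, so `id-token: write  # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)`. The same points apply to the `publish-artifacts-pypi` block introduced at the end of the next hunk.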
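Review bot: The action is pinned to a full commit SHA, which is the right supply-chain posture, but the line carries no comment recording which release that SHA corresponds to, so neither a reviewer nor Dependabot/Renovate can relate `76f52bc884231f62b9a034ebfe128415bbaabdfc` to a `pypa/gh-action-pypi-publish` release; the convention is `- uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # <release tag this SHA resolves to>` with the tag verified against the upstream repository. The `publish-artifacts-pypi` step in the next hunk (`@@ -158,8 +164,6 @@`) needs the same treatment. With `user`/`password` removed, `secrets.TEST_PYPI_API_TOKEN` and `secrets.PYPI_API_TOKEN` are no longer referenced by this workflow but presumably still exist as long-lived credentials; revoking those tokens on Test PyPI/PyPI and deleting the repository secrets closes out the migration. The input renames from `snake_case` to `kebab-case` (`repository-url`, `skip-existing`, `print-hash`) ride along with the pin and deserve a line in the commit message, since they are not implied by the subject.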
@@ -158,8 +164,6 @@ jobs:
           name: pypi-artifacts
           path: ${{ github.workspace }}/dist
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          print_hash: true
+          print-hash: true

From d00555f37ffe4031b03674f5f03f6816cf9031a1 Mon Sep 17 00:00:00 2001
From: Bill Little
Date: Wed, 2 Jul 2025 15:11:21 +0100
Subject: [PATCH 2/2] add whatsnew entry

---
 docs/src/whatsnew/latest.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/src/whatsnew/latest.rst b/docs/src/whatsnew/latest.rst
index dfe45c3386..bee81a3c31 100644
--- a/docs/src/whatsnew/latest.rst
+++ b/docs/src/whatsnew/latest.rst
@@ -142,6 +142,11 @@ This document explains the changes made to Iris for this release
    benchmark data generation, showing developers the root problem at-a-glance
    without needing local replication. (:pull:`6524`)
+#. `@bjlittle`_ added support for `Trusted Publishing`_ of source distributions
+   and binary wheels to PyPI and Test PyPI. (:pull:`6543`)
+
+
+
 .. comment
     Whatsnew author names (@github name) in alphabetical order. Note that,
@@ -152,3 +157,5 @@ This document explains the changes made to Iris for this release
 .. comment
     Whatsnew resources in alphabetical order:
+
+.. _Trusted Publishing: https://docs.pypi.org/trusted-publishers/