From 3577b1e3719d4648fa973dbdec927f78f9df34dd Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Sun, 9 Jul 2023 15:19:46 +0200
Subject: [PATCH] =?UTF-8?q?[PR=20#7359/7911f1e9=20backport][3.8]=20?=
 =?UTF-8?q?=EF=A3=94=20Set=20up=20secretless=20publishing=20to=20PyPI=20(#?=
 =?UTF-8?q?7360)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Sviatoslav Sydorenko
---
 .github/workflows/{ci.yml => ci-cd.yml} | 32 +++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
 rename .github/workflows/{ci.yml => ci-cd.yml} (91%)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci-cd.yml
similarity index 91%
rename from .github/workflows/ci.yml
rename to .github/workflows/ci-cd.yml
index 27a2e63215e..b502e51d6b2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci-cd.yml
@@ -347,9 +347,17 @@ jobs:

 deploy:
 name: Deploy
- environment: release
 needs: [build-tarball, build-wheels]
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: write # IMPORTANT: mandatory for making GitHub Releases
+ id-token: write # IMPORTANT: mandatory for trusted publishing & sigstore
+
+ environment:
+ name: pypi
+ url: https://pypi.org/p/aiohttp
+
 steps:
 - name: Checkout
 uses: actions/checkout@v2.4.0
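Review bot: The `permissions:` block is set on the whole `deploy` job, so `id-token: write` and `contents: write` are available to every step in it, including the checkout and the steps that continue below this hunk, not only to the PyPI upload and Sigstore signing. With the long-lived token gone, the `pypi` environment is the remaining gate on who can publish; moving from `release` to `pypi` does not carry over any protection rules (required reviewers, branch or tag restrictions) that may have been configured on the old environment, and the trusted publisher entry on PyPI presumably has to name the renamed `ci-cd.yml` and this environment. I would record that beside the block, e.g. `# PyPI trusted publisher is bound to ci-cd.yml + environment "pypi"; keep both in sync and keep the environment protected`. The job's step list starts at the end of this hunk and continues outside it.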
@@ -376,7 +384,27 @@ jobs:
 name: aiohttp
 version_file: aiohttp/__init__.py
 github_token: ${{ secrets.GITHUB_TOKEN }}
- pypi_token: ${{ secrets.PYPI_API_TOKEN }}
 dist_dir: dist
 fix_issue_regex: "`#(\\d+) `_"
 fix_issue_repl: "(#\\1)"
+
+ - name: >-
+ Publish 🐍📦 to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+
+ - name: Sign the dists with Sigstore
+ uses: sigstore/gh-action-sigstore-python@v1.2.3
+ with:
+ inputs: >-
+ ./dist/*.tar.gz
+ ./dist/*.whl
+
+ - name: Upload artifact signatures to GitHub Release
+ # Confusingly, this action also supports updating releases, not
+ # just creating them. This is what we want here, since we've manually
+ # created the release above.
+ uses: softprops/action-gh-release@v1
+ with:
+ # dist/ contains the built packages, which smoketest-artifacts/
+ # contains the signatures and certificates.
+ files: dist/**
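Review bot: The three added steps reference third-party actions by mutable refs (`@release/v1` is a branch, `@v1` and `@v1.2.3` are tags), and they run in a job that this patch gives `id-token: write` and `contents: write`, so whatever those refs resolve to at release time can obtain the OIDC token PyPI trusts and modify the GitHub Release. Pinning each one to a reviewed commit keeps that fixed, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, with the same form for the Sigstore and release-upload actions. Separately, the comment above `files: dist/**` mentions `smoketest-artifacts/`, which appears nowhere else in this hunk and looks carried over from another workflow. Something like `# dist/ holds the built packages plus the Sigstore signatures and certificates` would match the step, assuming the signing action writes its outputs next to its inputs (worth confirming).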