Use pypi OIDC

Author: fhightower

.github/workflows/python-publish.yml

@@ -1,5 +1,6 @@
-# This workflow will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+# This workflow will upload a Python Package to PyPI when a release is created
+# Uses PyPI trusted publishing (OIDC) — no secrets required.
+# Configure at: https://pypi.org/manage/project/ioc-finder/settings/publishing/
 
 name: Upload Python Package to PyPi
 
@@ -13,6 +14,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write   # required for OIDC trusted publishing
+      contents: read
+
     steps:
     - uses: actions/checkout@v4
       with:
@@ -27,10 +32,7 @@ jobs:
         python-version: '3.x'
     - name: Set up uv
       uses: astral-sh/setup-uv@v6
-    - name: Build and publish
-      env:
-        UV_PUBLISH_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        UV_PUBLISH_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: |
-        uv build
-        uv publish
+    - name: Build
+      run: uv build
+    - name: Publish to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1