Update deployment to use trusted publishing

And modify release script accordingly

Author: GjjvdBurg

.github/workflows/deploy.yml

@@ -64,34 +64,94 @@ jobs:
     needs: [build_wheels, build_sdist]
     runs-on: ubuntu-latest
     # upload to PyPI on every tag starting with 'v'
-    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v') && contains(github.event.ref, '-rc.')
+  if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v') && contains(github.event.ref, '-rc.')
+
+  environment:
+    name: testpypi
+    url: https://tesxt.pypi.org/p/clevercsv
+
+    permissions:
+      id-token: write
+
     steps:
-      - uses: actions/download-artifact@v2
+      - name: Download all the dists
+        uses: actions/download-artifact@v3
         with:
-          name: artifact
-          path: dist
+          name: python-package-distributions
+          path: dist/
 
-      - uses: pypa/gh-action-pypi-publish@master
+      - name: Publish distributions to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository_url: https://test.pypi.org/legacy/
           verbose: true
 
   upload_pypi:
     needs: [build_wheels, build_sdist]
     runs-on: ubuntu-latest
     # upload to PyPI on tags starting with 'v' that don't contain '-rc.'
-    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v') && !contains(github.event.ref, '-rc.')
+  if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v') && !contains(github.event.ref, '-rc.')
+
+  environment:
+    name: pypi
+    url: https://pypi.org/p/clevercsv
+
+    permissions:
+      id-token: write
+
     steps:
-      - uses: actions/download-artifact@v2
+      - name: Download all the dists
+        uses: actions/download-artifact@v3
         with:
-          name: artifact
-          path: dist
+          name: python-package-distributions
+          path: dist/
 
-      - uses: pypa/gh-action-pypi-publish@master
+      - name: Publish distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
           verbose: true
 
+  github-release:
+    name: >-
+      Sign the Python 🐍 distribution 📦 with Sigstore
+      and upload the files to GitHub Release
+    needs:
+      - upload_pypi
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write  # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write  # IMPORTANT: mandatory for sigstore
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v3
+        with:
+          name: python-package-distributions
+        path: dist/
+
+    - name: Sign the dists with Sigstore
+      uses: sigstore/[email protected]
+      with:
+        inputs: >-
+          ./dist/*.tar.gz
+          ./dist/*.whl
+
+    - name: Create GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: >-
+        gh release create
+        '${{ github.ref_name }}'
+        --notes ""
+
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+        # Upload to GitHub Release using the `gh` CLI.
+        # `dist/` contains the built packages, and the
+        # sigstore-produced signatures and certificates.
+      run: >-
+        gh release upload
+        '${{ github.ref_name }}' dist/**
+        --repo '${{ github.repository }}'