Publish to TestPyPI and PyPI via OpenID Connect token (#2453)

Using a short-lived API token generated by OpenID Connect (OIDC) instead of a long-lived secret to publish packages to TestPyPI and PyPI. Refer to https://github.com/pypa/gh-action-pypi-publish/tree/v1.8.3#ipublishing-with-openid-connect

* Add note that workflow must be named publish-to-pypi
* Add note about OIDC publishing to doc/maintenance.md

Mention that authentication to TestPyPI/PyPI happens via OpenID Connect.

---------

Co-authored-by: Dongdong Tian <[email protected]>

Author: weiji14

.github/workflows/publish-to-pypi.yml

@@ -1,4 +1,6 @@
 # Publish archives to PyPI and TestPyPI using GitHub Actions
+# Important: this workflow filename must be publish-to-pypi.yml to match the
+# settings in PyPI and TestPyPI so that OIDC publishing works
 
 name: Publish to PyPI
 
@@ -19,6 +21,9 @@ jobs:
   publish-pypi:
     name: Publish to PyPI
     runs-on: ubuntu-latest
+    permissions:
+      # This permission is mandatory for OIDC publishing
+      id-token: write
     if: github.repository == 'GenericMappingTools/pygmt'
 
     steps:
@@ -53,13 +58,10 @@ jobs:
         ls -lh dist/
 
     - name: Publish to Test PyPI
-      uses: pypa/[email protected].1
+      uses: pypa/[email protected].3
       with:
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
         repository-url: https://test.pypi.org/legacy/
 
     - name: Publish to PyPI
       if: startsWith(github.ref, 'refs/tags')
-      uses: pypa/[email protected]
-      with:
-        password: ${{ secrets.PYPI_API_TOKEN }}
+      uses: pypa/[email protected]

doc/maintenance.md

@@ -118,11 +118,13 @@ There are 11 configuration files located in `.github/workflows`:
    If new remote files are needed urgently, maintainers can manually uncomment
    the 'pull_request:' line in that `cache_data.yaml` file to refresh the cache.
 
-6. `publish-to-pypi.yml` (Publish wheels to PyPI and TestPyPI)
+6. `publish-to-pypi.yml` (Publish wheels to TestPyPI and PyPI)
 
-   This workflow is run to publish wheels to PyPI and TestPyPI (for testing only).
-   Archives will be pushed to TestPyPI on every commit to the *main* branch
-   and tagged releases, and to PyPI for tagged releases only.
+   This workflow is ran to publish wheels to TestPyPI (for testing only) and
+   PyPI. Archives will be pushed to TestPyPI on every commit to the *main*
+   branch and tagged releases, and to PyPI for tagged releases only. Note that
+   authentication to TestPyPI/PyPI is done via OpenID Connect, see also
+   https://github.com/pypa/gh-action-pypi-publish/tree/release/v1#publishing-with-openid-connect
 
 7. `release-drafter.yml` (Drafts the next release notes)