From c97a9298a8d7791fb6e81858b8ed34a1d49da4b4 Mon Sep 17 00:00:00 2001
From: Wei Ji <23487320+weiji14@users.noreply.github.com>
Date: Sat, 23 May 2026 22:05:48 +1200
Subject: [PATCH 1/2] Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0

Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.13.0 to 1.14.0.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/v1.13.0...v1.14.0)
---
 .github/workflows/pypi-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pypi-release.yaml b/.github/workflows/pypi-release.yaml
index ecd4fb4..e4bd45b 100644
--- a/.github/workflows/pypi-release.yaml
+++ b/.github/workflows/pypi-release.yaml
@@ -73,7 +73,7 @@ jobs:
           path: dist
 
       - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           user: __token__
           password: ${{ secrets.PYPI_TOKEN }}

From d135615ab8de2427853e5e05cb5e5a88532c4b9d Mon Sep 17 00:00:00 2001
From: Wei Ji <23487320+weiji14@users.noreply.github.com>
Date: Sat, 23 May 2026 22:12:31 +1200
Subject: [PATCH 2/2] Use trusted-publishing instead of long-lived token

Run job under an environment called 'pypi', set permissions: id-token: write, and don't use PYPI_TOKEN upload. Xref https://github.com/pypa/gh-action-pypi-publish/tree/v1.14.0?tab=readme-ov-file#trusted-publishing.
---
 .github/workflows/pypi-release.yaml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pypi-release.yaml b/.github/workflows/pypi-release.yaml
index e4bd45b..89e7e4c 100644
--- a/.github/workflows/pypi-release.yaml
+++ b/.github/workflows/pypi-release.yaml
@@ -62,10 +62,17 @@ jobs:
           name: releases
           path: dist
 
-  upload-to-pypi:
+  pypi-publish:
+    name: Publish Python 🐍 distribution 📦 to PyPI
     needs: build-artifacts
-    if: github.event_name == 'release'
+    if: github.repository == 'xarray-contrib/cupy-xarray' && startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/project/cupy-xarray/
+    permissions:
+      id-token: write # IMPORTANT: mandatory for trusted OIDC publishing
+
     steps:
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
@@ -75,6 +82,5 @@ jobs:
       - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
+          print-hash: true
           verbose: true
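Review bot: The guard `if: github.repository == 'xarray-contrib/cupy-xarray' && startsWith(github.ref, 'refs/tags')` is now the only condition between a tag and a PyPI upload, so whoever can create a tag in this repository can mint the OIDC token and publish; the `pypi` environment declared in the same hunk should carry deployment protection rules (required reviewers, or deployments restricted to protected tags) so the token is only issued after that gate, and the prefix is tighter as `startsWith(github.ref, 'refs/tags/')`. The workflow's `on:` triggers sit outside the hunk, so whether a non-tag event can still reach this job cannot be checked here. The second hunk removes `password: ${{ secrets.PYPI_TOKEN }}`, but the token itself stays valid until it is revoked on PyPI and deleted from the repository secrets, which the commit description does not mention; a follow-up note would keep the long-lived credential from outliving its use. A comment above the `if:` line, `# only tags pushed to the canonical repo may publish; the pypi environment's protection rules gate the OIDC token`, would record the intent for the next maintainer.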