From 597c0ab9854c29054aa92a10421755917f224ecf Mon Sep 17 00:00:00 2001
From: Marc Mueller <30130371+cdce8p@users.noreply.github.com>
Date: Tue, 25 Feb 2025 02:05:30 +0100
Subject: [PATCH] Configure trusted publishing for PyPI file upload (#137607)

---
 .github/workflows/builder.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 88f6f37d6d6..68581c58d24 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -448,6 +448,9 @@ jobs:
     environment: ${{ needs.init.outputs.channel }}
     needs: ["init", "build_base"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
     steps:
       - name: Checkout the repository
@@ -473,16 +476,13 @@ jobs:
         run: |
           # Remove dist, build, and homeassistant.egg-info
           # when build locally for testing!
-          pip install twine build
+          pip install build
           python -m build
 
-      - name: Upload package
-        shell: bash
-        run: |
-          export TWINE_USERNAME="__token__"
-          export TWINE_PASSWORD="${{ secrets.TWINE_TOKEN }}"
-
-          twine upload dist/* --skip-existing
+      - name: Upload package to PyPI
+        uses: pypa/gh-action-pypi-publish@v1.12.4
+        with:
+          skip-existing: true
 
   hassfest-image:
     name: Build and test hassfest image