Issue 12: Update release script to adopt Trusted publisher management in pypi.

.github/workflows/tagPublish.yml

@@ -24,6 +24,9 @@ jobs:
   wheel:
     name: python${{ matrix.python-version }}-${{ matrix.platform.python-architecture }} ${{ matrix.platform.os }}
     runs-on: ${{ matrix.platform.os }}
+    permissions:
+      id-token: write
+      contents: write
     strategy:
       matrix:
         python-version: ['3.7', '3.8', '3.9', '3.10', '3.11']
@@ -66,11 +69,29 @@ jobs:
       - name: build source
         id: build_source
         run: python -u .github/workflows/build_source.py
+      - name: mint API token
+        id: mint-token
+        shell: bash
+        # Reference link : https://docs.pypi.org/trusted-publishers/using-a-publisher/
+        run: |
+            # retrieve the ambient OIDC token
+            resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+                "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+            oidc_token=$(jq '.value' <<< "${resp}")
+            # exchange the OIDC token for an API token
+            resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": ${oidc_token}}")
+            api_token=$(jq -r '.token' <<< "${resp}")
+
+            # mask the newly minted API token, so that we don't accidentally leak it
+            echo "::add-mask::${api_token}"
+
+            # see the next step in the workflow for an example of using this step output
+            echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
       - name: Publish to pypi
         env:
           # the username and the repository needs to be changed before release.
-          TWINE_USERNAME: ${{ secrets.pypi_user_name }}
-          TWINE_PASSWORD: ${{ secrets.pypi_password }}
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ steps.mint-token.outputs.api-token }}
           TWINE_REPOSITORY: pypi
         run: |
           pip install -U twine