From ed4859eee1f086652275b55c4d150d4e4c08124f Mon Sep 17 00:00:00 2001
From: Kevin Anderson
Date: Mon, 22 Sep 2025 13:58:26 -0400
Subject: [PATCH 1/3] publish.yml: use trusted publishing instead of API token
---
 .github/workflows/publish.yml | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 633b21787c..4504396cb0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,7 +9,7 @@ on:
 - "v*"
 jobs:
- build-n-publish:
+ build:
 name: Build and publish distributions to PyPI
 if: github.repository == 'pvlib/pvlib-python'
 runs-on: ubuntu-latest
@@ -49,10 +49,27 @@ jobs:
 run: du -h pvlib
 working-directory: ./tmp
+ - name: Store the distribution packages
+ uses: actions/upload-artifact@v4
+ with:
+ name: python-package-distributions
+ path: dist/
+
+ publish:
 # only publish distribution to PyPI for tagged commits
+ if: startsWith(github.ref, 'refs/tags/v')
+ needs:
+ - build
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # for PyPI trusted publishing
+
+ steps:
+ - name: Download all dist files
+ uses: actions/download-artifact@v4
+ with:
+ name: python-package-distributions
+ path: dist/
+
 - name: Publish distribution to PyPI
- if: startsWith(github.ref, 'refs/tags/v')
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- user: __token__
- password: ${{ secrets.pypi_password }}
From 07f3993b6bc71324d80d9f62e67b6cb433210005 Mon Sep 17 00:00:00 2001
From: Kevin Anderson
Date: Mon, 22 Sep 2025 14:20:44 -0400
Subject: [PATCH 2/3] better job names
---
 .github/workflows/publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4504396cb0..8baa342d32 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
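Review bot: In the second hunk of [PATCH 1/3], the new `publish` job is granted `id-token: write` but declares no `environment:`, so the trusted-publisher identity is bound only to the repository and workflow file, not to a protected deployment environment. Adding a line such as `environment: <env-name>` (placeholder; it has to match the environment registered in the PyPI trusted-publisher settings) lets required reviewers or tag restrictions gate the OIDC token exchange. The actions in this hunk are also referenced by mutable refs (`actions/upload-artifact@v4`, `actions/download-artifact@v4`, `pypa/gh-action-pypi-publish@release/v1`); the last one runs inside the job that can mint the publishing token, so pinning it to a full commit SHA is worth considering. The diff only stops referencing `secrets.pypi_password`; the secret and the PyPI API token behind it presumably still exist and stay usable until they are deleted and revoked.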
@@ -10,7 +10,7 @@ on:
 jobs:
 build:
- name: Build and publish distributions to PyPI
+ name: Build wheel and sdist
 if: github.repository == 'pvlib/pvlib-python'
 runs-on: ubuntu-latest
 steps:
@@ -56,6 +56,7 @@ jobs:
 path: dist/
 publish:
+ name: Release dist files to PyPI
 # only publish distribution to PyPI for tagged commits
 if: startsWith(github.ref, 'refs/tags/v')
 needs:
From 54c4346859e5816e4b062ed3a02cccfbfa63bf39 Mon Sep 17 00:00:00 2001
From: Kevin Anderson
Date: Mon, 22 Sep 2025 14:25:10 -0400
Subject: [PATCH 3/3] better name for overall workflow
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8baa342d32..12425b87b2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,4 +1,4 @@
-name: Publish distributions to PyPI
+name: Package build
 on:
 pull_request: