Updates GitHub Actions to rely on Trusted Publisher instead of using API Tokens for PyPI

Author: Prabhakar Kumar

.github/actions/build_and_publish_pypi/action.yml

@@ -1,11 +1,7 @@
-# Copyright 2020-2023 The MathWorks, Inc.
+# Copyright 2020-2024 The MathWorks, Inc.
 
 # Composite Action to Build and Publish in PyPi
 name: Build and Publish in PyPi
-inputs:
-  pypi_token:
-    description: 'PyPi API Token'
-    required: true
 runs:
   using: "composite"
   steps:
@@ -26,8 +22,3 @@ runs:
 
     - name: Publish to PyPI.
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        verbose: true
-        password: ${{ inputs.pypi_token }}
-        repository_url: https://upload.pypi.org/legacy/

.github/workflows/release-to-pypi.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2023 The MathWorks, Inc
+# Copyright 2020-2024 The MathWorks, Inc
 
 # Workflow to test MATLAB-Proxy while releasing to PyPi
 name: Release to PyPI
@@ -30,6 +30,12 @@ jobs:
     if: success()
     # windows container is not required here
     runs-on: ubuntu-latest
+    # Specifying a GitHub environment is optional, but strongly encouraged
+    environment: release
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -38,5 +44,3 @@ jobs:
 
       - name: Build and Publish in PyPi
         uses: ./.github/actions/build_and_publish_pypi
-        with:
-          pypi_token: ${{ secrets.PYPI_TOKEN }}

.gitignore

@@ -10,4 +10,6 @@ htmlcov/
 *.key
 *.pem
 .python-version
-coverage.xml
+coverage.xml
+.ipynb_checkpoints/
+*.ipynb