From 0abfef54603bc64178052f6403100a7cbbfa0baa Mon Sep 17 00:00:00 2001
From: Arnaud Py
Date: Fri, 31 Oct 2025 11:54:00 +0100
Subject: [PATCH 1/3] [SINT-4258] Use PyPI OIDC when releasing
---
 .github/workflows/publish.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ff2cc67cd7..a438d59c35 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -14,6 +14,9 @@ jobs:
 upload_release:
 name: Upload release
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ environment: pypi_protected_environment
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
@@ -40,8 +43,12 @@ jobs:
 # Build a binary wheel and a source tarball
 python -m build --sdist --wheel --outdir dist/ .
- - name: Publish a Python distribution to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ # Publish wheels to PyPI using Trusted Publishers.
+ # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+ # This job needs to run from within the pypi-datadog-checks-base environment. PyPi
+ # validates the workflow file name, environment and repository the request is
+ # comming from to provide the valid JWT token.
+ - name: Release base package to PyPI
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
- user: __token__
- password: ${{ secrets.PYPI_TOKEN }}
+ skip-existing: true
From e25491fe89f1da9a9379c904e321cee6a8443048 Mon Sep 17 00:00:00 2001
From: Arnaud Py
Date: Fri, 31 Oct 2025 14:08:59 +0100
Subject: [PATCH 2/3] [SINT-4258] Fix env name
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a438d59c35..b399d0fdf6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
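Review bot: `id-token: write` is granted to the whole `upload_release` job, and the second hunk suggests the same job also runs `python -m build`, so the build backend and any build dependencies it installs would execute in a job that is allowed to request a PyPI publishing token. Splitting the workflow into a build job without OIDC permission that hands `dist/` over as an artifact, and a small publish job that alone carries `id-token: write` and the protected environment, keeps that capability away from third-party build code. A job-level `permissions` block also sets every unlisted scope to none, so `contents: read` should be listed explicitly if checkout ever needs it. The job's step list continues outside this hunk, so the sketch below only shows the new structure.

```yaml
jobs:
  build:
    name: Build release
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, Python setup and `python -m build` steps …
      - uses: actions/upload-artifact@<PINNED_COMMIT_SHA>  # placeholder: pin by SHA like the other actions
        with:
          name: dist
          path: dist/

  upload_release:
    name: Upload release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    # … unchanged: environment key …
    steps:
      - uses: actions/download-artifact@<PINNED_COMMIT_SHA>  # placeholder: pin by SHA like the other actions
        with:
          name: dist
          path: dist/
      # … unchanged: publish step …
```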
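Review bot: The added comment says the job must run from the `pypi-datadog-checks-base` environment, but the `environment:` key added in the first hunk is `pypi_protected_environment` (renamed to `secure_publish_environment` in patch 2/3). PyPI matches the environment name when it validates the trusted-publisher request, so a stale name here can mislead whoever configures or audits the publisher; the comment should read `# This job must run in the environment set in this job's "environment:" key.`, and "PyPi" and "comming" are typos for "PyPI" and "coming". Separately, `skip-existing: true` lets the step succeed when the version is already on PyPI, so a release whose upload was skipped looks the same as a successful one; consider leaving it off unless re-runs genuinely need it. With the token inputs removed, the old `PYPI_TOKEN` secret should also be revoked on PyPI and deleted from the repository once the OIDC path is confirmed working.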
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 id-token: write
- environment: pypi_protected_environment
+ environment: secure_publish_environment
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
From e36319f6705cfc481a47cf8e8394ece63398b610 Mon Sep 17 00:00:00 2001
From: Arnaud Py
Date: Fri, 31 Oct 2025 16:30:43 +0100
Subject: [PATCH 3/3] [SINT-4258] Retrigger CI