configure trusted publishers

Author: OriolAbril

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"

.github/workflows/publish.yml

@@ -2,20 +2,23 @@ name: Publish library
 
 on:
   push:
-    branches:
-      - main
     tags:
       # Don't try to be smart about PEP 440 compliance,
       # see https://www.python.org/dev/peps/pep-0440/#appendix-b-parsing-version-strings-with-regular-expressions
       - v*
 
 jobs:
   publish:
+    environment:
+      name: publish
+      url: https://pypi.org/p/labs-sphinx-theme
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
       - name: Install build dependencies
@@ -25,6 +28,3 @@ jobs:
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}