Setup PyPI trusted publishing

Author: frankie567

.github/workflows/sdk_publish.yaml

@@ -12,9 +12,34 @@ permissions:
       - RELEASES.md
       - '*/RELEASES.md'
 jobs:
+  mint-token:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    outputs:
+      api-token: ${{ steps.mint-token.outputs.api-token }}
+    steps:
+      - name: Mint API token
+        run: |
+          # retrieve the ambient OIDC token
+          resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+          oidc_token=$(jq -r '.value' <<< "${resp}")
+
+          # exchange the OIDC token for an API token
+          resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
+          api_token=$(jq -r '.token' <<< "${resp}")
+
+          # mask the newly minted API token, so that we don't accidentally leak it
+          echo "::add-mask::${api_token}"
+
+          # see the next step in the workflow for an example of using this step output
+          echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
   publish:
+    needs: mint-token
     uses: speakeasy-api/sdk-generation-action/.github/workflows/sdk-publish.yaml@v15
     secrets:
       github_access_token: ${{ secrets.GITHUB_TOKEN }}
-      pypi_token: ${{ secrets.PYPI_TOKEN }}
+      pypi_token: ${{ needs.mint-token.outputs.api-token }}
       speakeasy_api_key: ${{ secrets.SPEAKEASY_API_KEY }}