yet still another attempt

.github/workflows/publish_package.yml

@@ -12,6 +12,7 @@ jobs:
     # needs: test_package
     permissions:
       id-token: write
+      contents: read
     runs-on: ubuntu-latest
     steps:
 
@@ -31,29 +32,9 @@ jobs:
 
       - name: Mint token
         id: mint-token
-        run: |
-          # retrieve the ambient OIDC token
-          resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
-          oidc_token=$(jq '.value' <<< "${resp}")
-          echo "oidc_token: " $oidc_token
-
-          # exchange the OIDC token for an API token
-          resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
-          api_token=$(jq '.token' <<< "${resp}")
-          echo "api_token: " $api_token
-
-          # mask the newly minted API token, so that we don't accidentally leak it
-          # echo "::add-mask::${api_token}"
-
-          # see the next step in the workflow for an example of using this step output
-          echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
+        uses: tschm/[email protected]
 
       - name: Publish package
-        env:
-          # PYPI_USER: __token__
-          PYPI_PASSWORD: ${{ steps.mint-token.outputs.api-token }}
         run: |
-          echo $PYPI_PASSWORD
-          poetry config pypi-token.pypi $PYPI_PASSWORD
-          poetry publish
+          echo "api_token: " '${{ steps.mint-token.outputs.api-token }}'
+          poetry publish -u __token__ -p '${{ steps.mint-token.outputs.api-token }}