publish.yml: use trusted publishing instead of API token

[kandersolar]

• Closes Switch to PyPI "trusted publishing" #2511
• I am familiar with the contributing guidelines
• Adds description and name entries in the appropriate "what's new" file in docs/sphinx/source/whatsnew for all changes. Includes link to the GitHub Issue with :issue:`num` or this Pull Request with :pull:`num`. Includes contributor name and/or GitHub username (link with :ghuser:`user`).
• Pull request is nearly complete and ready for detailed review.
• Maintainer: Appropriate GitHub Labels (including remote-data) and Milestone are assigned to the Pull Request and linked Issue.

This guide is helpful: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

I also separated the PyPI publishing portion to a separate job. This is so that the additional permissions required for Trusted Publishing are only accessible to the actual upload, not the build steps (which run often, on PRs). With separate steps, the dist files have to be stored as artifacts. I think that will also make them accessible for manual download as a job output if desired, which might be handy someday.

[kandersolar]

Seems like this should be fine, although I'd appreciate an extra pair of eyes on this if anyone has the time.

After merging, I'll get Trusted Publishing set up on the PyPI side and decommission the API token we've been using.

[AdamRJensen]

After merging, I'll get Trusted Publishing set up on the PyPI side and decommission the API token we've been using.

PR looks good to me. Might as well do the change now -- just make a pre-release subsequently as a test.

[wholmgren]

In reviewing this I stumbled across https://github.com/hynek/build-and-inspect-python-package which is less helpful for the publishing changes in this PR but may be worth considering all at once for the building/testing/report aspects.

[kandersolar]

Following up: it worked as expected when testing with v0.13.1a1 👍