PyPI quite recently introduced "Trusted publishing" (PyPI's term for the OpenID Connect (OIDC) standard), which can be used to add a GitHub Actions workflow as a trusted publisher on PyPI. That allows for better automation of publishing releases to PyPI and also removes any need for API tokens as GitHub secrets.
Trusted publishing should also integrate with GitHub's environments, which can be used for deployments, and GitHub allows creating protection rules for deployments. As such it could be possible to, e.g., require approvals and/or certain reviewers before deploying to PyPI.
Using trusted publishing should probably reduce the current workload of creating releases while also making it simpler to manage who can do it.
A couple of links with more information:
I could've misinterpreted or got some stuff wrong here; feel free to correct me. I've also set up automatic PyPI releasing for a couple of packages using trusted publishing.
Here's a current `.github/workflows/release.yml` from https://pypi.org/project/virtualenv/ that could be used as reference: https://github.com/pypa/virtualenv/blob/fa283474fd199e3836f8b2c99510190c6b77e2bc/.github/workflows/release.yml