
ci: use a trusted publisher token for publishing to PyPI #1061

Merged
merged 9 commits into from
Jan 16, 2024

Conversation

@tonyandrewmeyer tonyandrewmeyer commented Nov 9, 2023

Remove the use of the PyPI secret in the publish workflow, in favour of using the short-lived OIDC token via the Trusted Publisher system.

PyPI's normal API tokens are long-lived, meaning that an attacker who compromises a package's release token can use it until its legitimate user notices and manually revokes it. Similarly, uploading with a password means that an attacker can upload to any project associated with the account. Trusted publishing avoids both of these problems: the tokens minted expire automatically, and are scoped down to only the packages that they're authorised to upload to.

Also add a (manually triggered) workflow to publish to test.pypi.org to be able to validate that publishing changes (like this one) work as expected, without needing to actually publish.

Fixes #1021
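To make the change concrete, here is an added example (not the PR's own diff, and the file name, environment name and build steps are assumptions) that places a secret-token publish job beside a trusted-publisher one. The second document is the shape that uploads to test.pypi.org, as the manually triggered workflow in this PR does; on the PyPI side the publisher must be registered against the same owner, repository, workflow file name and (if used) environment name.

```yaml
# BEFORE: a long-lived PyPI API token stored as a repository secret.
# Whoever obtains PYPI_API_TOKEN can upload until a human revokes it.
name: Publish to PyPI (secret token)
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}   # the secret this PR removes
---
# AFTER: trusted publishing. No stored secret; the job asks GitHub for a
# short-lived OIDC token (id-token: write) which PyPI exchanges for an
# upload token scoped to the project registered for this workflow.
name: Publish to TestPyPI (trusted publisher)
on:
  workflow_dispatch:          # manual trigger, as for the test.pypi.org workflow
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: testpypi     # assumed name; must match the registered publisher
    permissions:
      contents: read
      id-token: write         # the only extra permission trusted publishing needs
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        # no password input: the action performs the OIDC exchange itself
        with:
          repository-url: https://test.pypi.org/legacy/   # omit for production PyPI
```

Keep `id-token: write` confined to the publishing job rather than setting it at the workflow level, so that build and test jobs cannot mint a token that PyPI would accept.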

@tonyandrewmeyer tonyandrewmeyer marked this pull request as ready for review November 9, 2023 13:09
@benhoyt benhoyt left a comment


Looks good. Let's just tweak a couple of names. However, let's wait to merge this till you hear back from test.pypi.org support and have ownership of ops.

Two review comments on .github/workflows/test-publish.yml (outdated, resolved)
tonyandrewmeyer and others added 2 commits November 14, 2023 22:32
Co-authored-by: Ben Hoyt <benhoyt@gmail.com>
Co-authored-by: Ben Hoyt <benhoyt@gmail.com>
@tonyandrewmeyer (author)

However, let's wait to merge this till you hear back from test.pypi.org support and have ownership of ops.

👍. This is the support ticket, for reference.

@tonyandrewmeyer (author)

Looks good. Let's just tweak a couple of names. However, let's wait to merge this till you hear back from test.pypi.org support and have ownership of ops.

It looks like the backlog for these requests goes back roughly one year 😞. Some get handled "out of queue" - I did find one that's exactly the same situation and it was one of the "out of queue" ones, so I've adjusted the issue summary to make it clearer that it's only test.pypi.org, but that doesn't seem like it always gets quicker action.

So I think for at least this PR, we should just go ahead with it and can address any issues if they happen.


benhoyt commented Jan 4, 2024

So I think for at least this PR, we should just go ahead with it and can address any issues if they happen.

Yep, sounds right to me, thanks!

@benhoyt benhoyt merged commit 41a4ad4 into canonical:main Jan 16, 2024
26 checks passed
@tonyandrewmeyer tonyandrewmeyer deleted the trusted-publisher-1021 branch January 16, 2024 02:46
Linked issue closed by this pull request: Use PyPI's "Trusted Publisher" functionality to publish packages