Release trustme with PyPI Trusted Publishing (#612)

.github/workflows/release.yml

@@ -0,0 +1,57 @@
+name: Release to PyPI
+
+on:
+  push:
+    tags:
+      - "*"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build dists
+    runs-on: ubuntu-latest
+    environment: release
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
+      - name: Setup python
+        uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0  # v4.6.1
+        with:
+          python-version: 3.x
+      - name: Install dependencies
+        run: python -m pip install build
+      - name: Build dists
+        run: python -m build
+      - name: Upload dists
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
+        with:
+          name: "dist"
+          path: "dist/"
+          if-no-files-found: error
+          retention-days: 5
+
+  pypi-publish:
+    name: Upload release to PyPI
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: [build]
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: write  # Needed to upload dists to GitHub release
+      id-token: write  # Needed for trusted publishing to PyPI
+
+    steps:
+      - name: Download dists
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
+        with:
+          name: "dist"
+          path: "dist/"
+      - name: Upload dists to GitHub Release
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        run: gh release upload ${{ github.ref_name }} dist/* --repo ${{ github.repository }}
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0  # v1.8.7