Use PyPI Trusted publishing

[jku]

https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/

We already do releases from GitHub CD workflow but this new PyPI feature allows us to remove the long lived secret from GitHub environment secrets: instead the GH action uses a short lived secret it receives from pypi.org using the OIDC identity of our workflow and release environment.

TODO:

• add the release workflow as a trusted publisher in pypi.org
• Add id-token: write permission to the publish task in the workflow (release: Use PyPI Trusted Publishing #2371)
• Remove the secret use from the workflow (release: Use PyPI Trusted Publishing #2371)
• Remove the secret from the environment
• Remove the secret in PyPI (this is likely in my pypi account)

[jku]

• release worked (or rather, the issues noticed were unrelated to this change)
• I've removed the token authorization from my pypi account
• The token has also been deleted from the GH environment secrets