Utilize PyPI's trusted publishing (#1107)

PyPI and Test PyPI recently introduced trusted publshing for
repositories using GitHub Actions to publish.

Changes having already been made on the PyPI and Test PyPI sites
to trust our GitHub actions.

https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/

Signed-off-by: Eric Brown <[email protected]>

Author: ericwb

.github/workflows/publish-to-pypi.yml

@@ -6,6 +6,9 @@ jobs:
   build-n-publish:
     name: Build and publish to PyPI
     runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
     - uses: actions/checkout@v4
       with:
@@ -25,5 +28,3 @@ jobs:
     - name: Publish distribution to PyPI
       if: startsWith(github.ref, 'refs/tags')
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        password: ${{ secrets.PYPI_PASSWORD }}

.github/workflows/publish-to-test-pypi.yml

@@ -6,6 +6,9 @@ jobs:
   build-n-publish:
     name: Build and publish to Test PyPI
     runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
     - uses: actions/checkout@v4
       with:
@@ -25,5 +28,4 @@ jobs:
     - name: Publish distribution to Test PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        password: ${{ secrets.TEST_PYPI_PASSWORD }}
-        repository_url: https://test.pypi.org/legacy/
+        repository-url: https://test.pypi.org/legacy/