Adapt the GHA PyPI publishing workflow for trusted publishing (#409)

All the changes here are in line with those recently made to the PyMC workflow

Author: maresb

.github/workflows/pypi.yml

@@ -50,13 +50,16 @@ jobs:
     name: upload release to PyPI
     needs: [build]
     runs-on: ubuntu-latest
-    if: github.event_name == 'release' && github.event.action == 'published'
+    if: github.repository_owner == 'pymc-devs' && github.event_name == 'release' && github.event.action == 'published'
+    # Use the `release` GitHub environment to protect the Trusted Publishing (OIDC)
+    # workflow by requiring signoff from a maintainer.
+    environment: release
+    permissions:
+      # write id-token is necessary for trusted publishing (OIDC)
+      id-token: write
     steps:
       - uses: actions/download-artifact@v3
         with:
           name: artifact
           path: dist
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}