Convert to trusted publishing
I based this change on the official PyPI documentation:
  https://docs.pypi.org/trusted-publishers/
as well as a blog post walking through an example of how to implement
trusted publishing for a Python project:
  https://pgjones.dev/blog/trusted-plublishing-2023/
The diff is fairly minimal. All it does is remove the password used to
authenticate to PyPI, which we don't need anymore, and add a permission
needed for trusted publishing to operate.

This commit will be accompanied by some configuration in the project
settings on PyPI to allow this specific workflow to act as a trusted
publisher. Effectively, we're telling PyPI that when this particular
workflow (`publish.yml`) contacts it with an OIDC token from GitHub,
then PyPI should accept that as valid authentication and return an API
token which can be used to actually upload a package.
diazona committed May 21, 2023
1 parent e6baa2f commit ff5420c
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -31,6 +31,9 @@ jobs:
runs-on: ubuntu-latest
needs: [build]
environment: test-pypi
permissions:
# this permission is mandatory for trusted publishing
id-token: write
steps:
- uses: actions/download-artifact@v3
with:
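Review bot: placing `permissions:` at job level rather than at the top of the workflow is the right least-privilege scoping for `id-token: write`, but be aware that once a job declares its own `permissions` block, every scope not listed drops to `none` for that job's `GITHUB_TOKEN`. That is fine for this job as written, since it only runs `actions/download-artifact@v3` (which does not rely on `GITHUB_TOKEN` scopes) and the publish step, but any step added later that checks out the repository will need `contents: read` listed here as well. Consider also expanding the comment so it says what the permission actually grants, e.g. `# lets the job request a GitHub OIDC token, which PyPI exchanges for a short-lived upload token`, since that is the mechanism the commit message describes.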
Expand All @@ -39,14 +42,16 @@ jobs:
- name: Publish packages to Test PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: '${{ secrets.TEST_PYPI_API_TOKEN }}'
repository_url: https://test.pypi.org/legacy/
print_hash: true
publish-to-pypi:
name: Publish packages to PyPI
runs-on: ubuntu-latest
needs: [build]
environment: pypi
permissions:
# this permission is mandatory for trusted publishing
id-token: write
steps:
- uses: actions/download-artifact@v3
with:
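Review bot: removing `password: '${{ secrets.TEST_PYPI_API_TOKEN }}'` is only half the migration: the token stored in that secret should be revoked on test.pypi.org and the secret deleted from the repository settings, otherwise a long-lived upload credential keeps existing that nothing in the workflow needs anymore. Test PyPI and PyPI are separate services, so a trusted publisher must be registered on test.pypi.org for this job in `release.yml` (and, if you want the extra constraint, with `test-pypi` as the required environment), independently of the one for the production job. Keeping `repository_url: https://test.pypi.org/legacy/` is correct. One supply-chain point on `uses: pypa/gh-action-pypi-publish@release/v1`: `release/v1` is a moving branch, and this action is now the component that mints the publishing credential, so pinning it to a full commit SHA with the version in a trailing comment would make the job resistant to that branch being moved.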
Expand All @@ -55,5 +60,4 @@ jobs:
- name: Publish packages to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: '${{ secrets.PYPI_API_TOKEN }}'
print_hash: true
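Review bot: the commit message says the trusted publisher on PyPI will be configured for `publish.yml`, but the workflow changed here is `.github/workflows/release.yml`. PyPI compares the workflow filename carried in the OIDC token's claims against the registered publisher exactly, so the publisher must be registered as `release.yml` (optionally requiring environment `pypi`, which this job already sets) or the token exchange will be rejected and the job will fail at the publish step. Same housekeeping as for the Test PyPI job: revoke the token behind `secrets.PYPI_API_TOKEN` on pypi.org and delete the secret. `print_hash: true` is worth keeping, as it leaves the digests of the uploaded files in the run log for later comparison against what is on the index.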
