fix(publish): switch to OIDC trusted publisher (pypa/gh-action-pypi-publish), removes PYPI_API_TOKEN dependency

Author: Coding-Dev-Tools

.github/workflows/publish.yml

@@ -4,51 +4,32 @@ on:
   release:
     types: [published]
   workflow_dispatch:
-    inputs:
-      pypi_target:
-        description: 'PyPI target (pypi or testpypi)'
-        default: 'testpypi'
-        type: choice
-        options:
-          - pypi
-          - testpypi
 
 jobs:
-  build-and-publish:
+  publish:
     runs-on: ubuntu-latest
+    environment: pypi
     permissions:
-      contents: read
       id-token: write
 
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set up Python 3.11
+      - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: "3.12"
 
-      - name: Install build deps
+      - name: Install dependencies
         run: |
+          python -m pip install --upgrade pip
           pip install build twine
 
       - name: Build package
-        run: |
-          python -m build
-
-      - name: Publish to PyPI
-        if: ${{ inputs.pypi_target != 'testpypi' || github.event_name == 'release' }}
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-        run: |
-          twine upload dist/* --verbose
+        run: python -m build
 
-      - name: Publish to TestPyPI
-        if: ${{ inputs.pypi_target == 'testpypi' }}
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        run: |
-          twine upload --repository testpypi dist/* --verbose
+      - name: Check package
+        run: twine check dist/*
 
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1