Switch to trusted publishing (#83)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Author: flying-sheep

.github/workflows/publish.yml

@@ -1,38 +1,21 @@
-# This workflow will upload a Python Package using Twine when a release is created
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
-
-name: Upload Python Package
+name: Publish Python Package
 
 on:
   release:
     types: [published]
 
-permissions:
-  contents: read
-
-env:
-  PIP_ROOT_USER_ACTION: ignore
-
 jobs:
-  deploy:
+  publish:
     runs-on: ubuntu-latest
-
+    environment: publish
+    permissions:
+      id-token: write # to authenticate as Trusted Publisher to pypi.org
     steps:
       - uses: actions/checkout@v3
-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - uses: actions/setup-python@v4
         with:
           python-version: "3.x"
           cache: "pip"
-          cache-dependency-path: pyproject.toml
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip wheel
-          pip install build
-      - name: Build package
-        run: python -m build
-      - name: Publish package
-        uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
+      - run: pip install build
+      - run: python -m build
+      - uses: pypa/gh-action-pypi-publish@release/v1