Switch from token-based to OIDC trusted publishing

Replace token-based authentication with GitHub OIDC trusted publishing
for both PyPI and TestPyPI. This eliminates the need for stored API
tokens in the GitHub secrets and provides better security through
short-lived credentials.

(cherry picked from commit c4e3208)

Author: agoscinski

.github/workflows/release.yml

@@ -88,23 +88,23 @@ jobs:
 
     runs-on: ubuntu-24.04
 
+    environment: release
+    permissions:
+      id-token: write
+
     steps:
     - name: Checkout source
       uses: actions/checkout@v4
     - name: Set up Python 3.9
       uses: actions/setup-python@v5
       with:
         python-version: '3.9'
-    - name: install flit
-      run: |
-        pip install flit~=3.4
-    - name: Build and publish
-      run: |
-        flit publish
-      env:
-        FLIT_USERNAME: __token__
-        FLIT_PASSWORD: ${{ secrets.PYPI_KEY }}
-        FLIT_INDEX_URL: https://upload.pypi.org/legacy/
+    - name: Install flit
+      run: pip install flit~=3.4
+    - name: Build
+      run: flit build
+    - name: Publish to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
 
 
   publish-testpypi:
@@ -116,20 +116,22 @@ jobs:
 
     runs-on: ubuntu-24.04
 
+    environment: release
+    permissions:
+      id-token: write
+
     steps:
     - name: Checkout source
       uses: actions/checkout@v4
     - name: Set up Python 3.9
       uses: actions/setup-python@v5
       with:
         python-version: '3.9'
-    - name: install flit
-      run: |
-        pip install flit~=3.4
-    - name: Build and publish
-      run: |
-        flit publish
-      env:
-        FLIT_USERNAME: __token__
-        FLIT_PASSWORD: ${{ secrets.TEST_PYPI_KEY }}
-        FLIT_INDEX_URL: https://test.pypi.org/legacy/
+    - name: Install flit
+      run: pip install flit~=3.4
+    - name: Build
+      run: flit build
+    - name: Publish to TestPyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/