Support publishing to PyPI using the trusted publisher mechanism (#1134)

Author: chrisrink10

.github/workflows/pypi-release.yml

@@ -8,7 +8,7 @@ concurrency:
   group: pypi-release
 
 jobs:
-  release:
+  build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -19,7 +19,27 @@ jobs:
         run: curl -sSL https://install.python-poetry.org | python3 -
       - name: Validate Release Version
         run: poetry version -s | grep -E "$(echo "$GITHUB_REF_NAME" | tr -d 'v')"
-      - name: Publish to PyPI
-        env:
-          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.POETRY_PYPI_TOKEN_PYPI }}
-        run: poetry publish --build
+      - name: Build Basilisp distributions
+        run: poetry build
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: dist/
+          if-no-files-found: error
+
+  release:
+    runs-on: ubuntu-latest
+    environment:
+      name: release
+    needs:
+      - build
+    permissions:
+      id-token: write
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+          merge-multiple: true
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1.12.2