
Switch PyPI deploy method to use trusted publisher #613

@GenevieveBuckley


PyPI introduced Trusted Publishers last year (see the announcement and how trusted publishing works). This improves security, since you no longer rely on having long-lived API tokens to use with twine.

We recently added a PyPI deployment job to the release workflow in #606. That PR uploads to PyPI using twine (because I didn't know about the trusted publisher option then).

To switch to trusted publishing for micro-sam, we'd need to do two things:

  1. Add a trusted publisher to our existing PyPI project (or you can create a new PyPI project with a trusted publisher).
  2. Merge a PR updating .github/workflows/release_drafter.yml. The deploy job needs to be given id-token: write permissions, and changed to use the pypa/gh-action-pypi-publish action (see example here).
  3. Delete the old PyPI API tokens, from both PyPI and the GitHub repository secrets settings.

Xref: napari/napari-animation#211
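For reference, this is what the switch looks like in a GitHub Actions deploy job. It is an added illustration, not micro-sam's actual `.github/workflows/release_drafter.yml`: the job name, the `pypi` environment name, the action versions and the `PYPI_API_TOKEN` secret name in the commented-out "before" step are all assumed.

```yaml
# Added example of a trusted-publishing deploy job (not micro-sam's own file).
name: Release

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    name: Upload release to PyPI
    runs-on: ubuntu-latest
    # PyPI matches the incoming OIDC token against the trusted publisher entry
    # (owner, repo, workflow filename, optional environment), so keep these stable.
    environment: pypi  # assumed name; must match the PyPI publisher config
    permissions:
      # Lets the job request a short-lived OIDC token from GitHub; without this
      # the publish step fails with a permissions error.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      # Before: long-lived API token stored as a repository secret (the token
      # to delete from both PyPI and the repo secrets once the switch is done).
      # - name: Publish to PyPI (twine)
      #   run: python -m twine upload dist/*
      #   env:
      #     TWINE_USERNAME: __token__
      #     TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}  # assumed secret name

      # After: no username, password or token inputs at all. The action
      # exchanges the job's OIDC token for a short-lived PyPI token at run time.
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```

Because the publisher entry on PyPI pins the workflow filename, renaming the workflow file later means updating the trusted publisher on PyPI as well.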
