ci: switch to PyPI trusted publishing (OIDC)

Author: omercnet

.github/workflows/python-publish.yaml

@@ -7,25 +7,27 @@ on:
 
 permissions:
   contents: read
-  pull-requests: read # to detect changes files
+  id-token: write # Required for PyPI trusted publishing (OIDC)
 
 jobs:
   pypi:
-    name: Pypi
+    name: Publish to PyPI
     runs-on: ubuntu-latest
+    environment: pypi
     steps:
       - name: Checkout
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
       - name: Setup
         uses: descope/.github/.github/actions/python/poetry/setup@main
         with:
           python-version: "3.11"
-      - name: Autobump version
-        run: |
-          poetry version $(git describe --tags --abbrev=0)
+
+      - name: Set version from tag
+        run: poetry version $(git describe --tags --abbrev=0)
+
       - name: Build
         uses: descope/.github/.github/actions/python/poetry/build@main
-      - name: Publish
-        uses: descope/.github/.github/actions/python/poetry/publish@main
-        with:
-          token: ${{ secrets.PYPI_TOKEN }}
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1