pypi: Use trusted publishing (OIDC) (Gallopsled#2194)

Recently introduced [auth mechanism][1] makes it possible to not keep
any long-lived tokens in GH secrets, reducing attack surface.

[1]: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/

Cherry-picked from 74c3703

Author: Arusekk

.github/workflows/ci.yml

@@ -198,6 +198,8 @@ jobs:
   pypi:
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
+    permissions:
+      id-token: write
     needs: test
     steps:
     - name: Download artifacts
@@ -207,10 +209,7 @@ jobs:
         path: dist
 
     - name: Publish package
-      uses: pypa/[email protected]
-      with:
-        user: __token__
-        password: ${{ secrets.pypi_password }}
+      uses: pypa/gh-action-pypi-publish@release/v1
 
     - if: failure()
       run: ls -R