Use PyPI trusted publishers for deploying (#354)

Also changes the deploy workflow.

Author: nicoddemus

.github/workflows/deploy.yml

@@ -1,14 +1,20 @@
 name: deploy
 
 on:
-  push:
-    tags:
-      - "v*"
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version'
+        required: true
+        default: '1.2.3'
 
 jobs:
 
   deploy:
     runs-on: ubuntu-latest
+    environment: deploy
+    permissions:
+      id-token: write # For PyPI trusted publishers.
 
     steps:
     - uses: actions/checkout@v3
@@ -24,9 +30,10 @@ jobs:
 
     - name: Publish package to PyPI
       uses: pypa/gh-action-pypi-publish@master
+
+    - uses: actions-ecosystem/action-push-tag@v1
       with:
-        user: __token__
-        password: ${{ secrets.pypi_token }}
+        tag: v${{ github.event.inputs.version }}
 
     - name: Set up Python
       uses: actions/[email protected]

RELEASING.rst

@@ -3,5 +3,5 @@ Here are the steps on how to make a new release.
 1. Create a ``release-VERSION`` branch from ``upstream/master``.
 2. Update ``CHANGELOG.rst``.
 3. Push a branch with the changes.
-4. Once all builds pass, push a tag to ``upstream``.
+4. Once all builds pass, run the ``deploy`` workflow manually.
 5. Merge the PR.