
Commit 4bc101d

dependabot[bot], henryiii and pre-commit-ci[bot] authored
chore(deps): bump pypa/gh-action-pypi-publish from 1.8.5 to release/v1 (#308)
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.8.5 to 1.8.6.

Release notes

*Sourced from [pypa/gh-action-pypi-publish's releases](https://github.com/pypa/gh-action-pypi-publish/releases).*

> ## v1.8.6
>
> ## What's Updated
>
> - [`@woodruffw`](https://github.com/sponsors/woodruffw) dropped the references to a “private beta” from the project docs and runtime in [pypa/gh-action-pypi-publish#147](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/147). He also clarified that the API tokens are still more secure than passwords in [pypa/gh-action-pypi-publish#150](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/150).
> - [`@asherf`](https://github.com/sponsors/asherf) noticed that the action metadata incorrectly marked the `password` field as required and contributed a correction in [pypa/gh-action-pypi-publish#151](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/151)
> - [`@webknjaz`](https://github.com/sponsors/webknjaz) moved the Trusted Publishing example to the top of the README in hopes that new users would default to using it via <https://github.com/pypa/gh-action-pypi-publish/commit/f47b34707fd264d5ddb1ef322ca74cf8e4cf351b>
>
> ## New Contributors
>
> - [`@asherf`](https://github.com/sponsors/asherf) made their first contribution in [pypa/gh-action-pypi-publish#151](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/151)
>
> **Full Diff**: <https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.5...v1.8.6>

Commits

- [`a56da0b`](https://github.com/pypa/gh-action-pypi-publish/commit/a56da0b891b3dc519c7ee3284aff1fad93cc8598) Merge pull request [#151](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/151) from asherf/trusted
- [`e4b9031`](https://github.com/pypa/gh-action-pypi-publish/commit/e4b903174144ed1ae155796f72e117b95cf30c3f) password input is no longer required, since not specifying it implies trusted...
- [`5a085bf`](https://github.com/pypa/gh-action-pypi-publish/commit/5a085bf49e449ba94cc551efdc03b14b2be3788c) Merge pull request [#150](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/150) from trail-of-forks/tob-doc-tweaks
- [`0811f99`](https://github.com/pypa/gh-action-pypi-publish/commit/0811f991bd3b72bc79a131736a1966d9df922f60) README: small doc tweaks
- [`f47b347`](https://github.com/pypa/gh-action-pypi-publish/commit/f47b34707fd264d5ddb1ef322ca74cf8e4cf351b) 📝🎨 Put OIDC on pedestal @ README
- [`7a1a355`](https://github.com/pypa/gh-action-pypi-publish/commit/7a1a355fb5ad6afb4e8f748ad036708c1c61c396) 🎨 Show GH environments use in README examples
- [`3b6670b`](https://github.com/pypa/gh-action-pypi-publish/commit/3b6670b0bd04d54039641fb3b2ac878aad9d70fc) Merge pull request [#147](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/147) from trail-of-forks/tob-stabilize-oidc
- [`c008c2f`](https://github.com/pypa/gh-action-pypi-publish/commit/c008c2f40abc7b85467b393f3b78e67391ffa7f8) README: re-add OIDC note
- [`fe431ff`](https://github.com/pypa/gh-action-pypi-publish/commit/fe431ff9ad22d027a59d866e45c4e40d93d8ce57) README, oidc-exchange: remove beta references
- [`c542b72`](https://github.com/pypa/gh-action-pypi-publish/commit/c542b72dc68d2280248f2d864ba901e0c31a3ee7) Bump WPS flake8 plugin set to v0.17.0
- Additional commits viewable in [compare view](https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.5...v1.8.6)

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Henry Schreiner <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
1 parent af37ff5 commit 4bc101d

1 file changed, +17 -7 lines changed

.github/workflows/cd.yml

Lines changed: 17 additions & 7 deletions
@@ -10,11 +10,8 @@ env:
1010
FORCE_COLOR: 3
1111

1212
jobs:
13-
deploy:
14-
runs-on: ubuntu-22.04
15-
environment: pypi
16-
permissions:
17-
id-token: write
13+
dist:
14+
runs-on: ubuntu-latest
1815
steps:
1916
- uses: actions/checkout@v3
2017
with:
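Review bot: the new `dist` job (new lines 13-14) declares no `permissions:` block, so the build steps run with whatever GITHUB_TOKEN default the workflow or repository sets, which these lines do not show. Moving `environment: pypi` and `id-token: write` out of the build job is the right direction; finish it by giving `dist` an explicit `permissions:` with `contents: read` so the build half stays read-only regardless of that default. The same lines swap `runs-on: ubuntu-22.04` for `ubuntu-latest`, which means the image that builds the release artifacts changes whenever the label is repointed; keep the versioned label if reproducible builds matter here.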
@@ -27,5 +24,18 @@ jobs:
2724
with:
2825
path: dist/*
2926

30-
- uses: pypa/[email protected]
31-
if: github.event_name == 'release' && github.event.action == 'published'
27+
deploy:
28+
if: github.event_name == 'release' && github.event.action == 'published'
29+
runs-on: ubuntu-latest
30+
environment: pypi
31+
permissions:
32+
id-token: write
33+
needs: [dist]
34+
35+
steps:
36+
- uses: actions/download-artifact@v3
37+
with:
38+
name: artifact
39+
path: dist
40+
41+
- uses: pypa/gh-action-pypi-publish@release/v1
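Review bot: the last added line (new line 41) runs `pypa/gh-action-pypi-publish@release/v1`, a branch ref, in the one job that holds `id-token: write` and the `pypi` environment, so whatever that branch points to at release time runs with publish rights. Pin the action to a full commit SHA with the version in a trailing comment and let Dependabot move the pin; the commit message body describes a bump to 1.8.6, which a branch ref does not record. `actions/download-artifact@v3` at new line 36 is also a movable ref and deserves the same treatment in this job. Separately, `name: artifact` depends on the name used by the upload step, which is outside the visible lines, so confirm the two match or the deploy job will find nothing in `dist`.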
