ci: Use PyPI trusted publisher

This commit updates the CI release workflow to use the PyPI "trusted
publisher" package publishing mechanism.

Signed-off-by: Stephanos Ioannidis <[email protected]>

Author: stephanosio

.github/workflows/release.yml

@@ -4,19 +4,21 @@ on:
   release:
     types: [ published ]
 
-permissions:
-  contents: write
-
 jobs:
   ci:
     name: CI
     uses: ./.github/workflows/ci.yml
 
   release:
     name: Release
+    environment: release
     needs: [ ci ]
     runs-on: ubuntu-20.04
 
+    permissions:
+      contents: write
+      id-token: write
+
     steps:
     - name: Download build artifacts
       uses: actions/download-artifact@v4
@@ -37,5 +39,4 @@ jobs:
     - name: Publish package to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        password: ${{ secrets.PYPI_API_TOKEN }}
         packages-dir: assets/