Switch to Trusted Publishers with a GitHub Environment

Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>

Author: ngoldbaum

.github/workflows/ci.yml

@@ -109,6 +109,10 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     needs: [lint, test, package-sdist, package-wheel]
+    environment: publish
+    permissions:
+      # Required by Trusted Publishing
+      id-token: write
     steps:
       - uses: actions/checkout@v5
       - uses: actions/download-artifact@v6
@@ -129,7 +133,4 @@ jobs:
           path: dist/
       - name: Publish to PyPI
         if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/')
-        uses: pypa/gh-action-pypi-publish@master
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
+        uses: pypa/gh-action-pypi-publish@release/v1