Switch to PyPI trusted publishers (OIDC) for secure publishing

- Replace API token authentication with OpenID Connect
- Use pypa/gh-action-pypi-publish action
- Add id-token: write permission for OIDC
- More secure than storing API tokens in secrets

Author: VoxHash

.github/workflows/ci.yml

@@ -52,6 +52,9 @@ jobs:
     needs: test
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
+    permissions:
+      id-token: write  # Required for OIDC authentication
+      contents: read
 
     steps:
     - uses: actions/checkout@v4
@@ -64,14 +67,11 @@ jobs:
     - name: Install build tools
       run: |
         python -m pip install --upgrade pip
-        pip install build twine
+        pip install build
     
     - name: Build package
       run: python -m build
 
     - name: Publish to PyPI
-      run: twine upload dist/*
-      env:
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+      uses: pypa/gh-action-pypi-publish@release/v1