pypi: use trusted publishing for binary wheels

Author: bjlittle

.github/workflows/ci-wheels.yml

@@ -129,6 +129,10 @@ jobs:
     needs: test-wheel
     name: "publish to test.pypi"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)
+    environment: test-pypi
+
     # upload to Test PyPI for every commit on main branch
     # and check for the SciTools repo
     if: github.event_name == 'push' && github.event.ref == 'refs/heads/main' && github.repository_owner == 'SciTools'
@@ -138,18 +142,20 @@ jobs:
         name: pypi-artifacts
         path: ${{ github.workspace }}/dist
 
-    - uses: pypa/gh-action-pypi-publish@release/v1
+    - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
       with:
-        user: __token__
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        repository_url: https://test.pypi.org/legacy/
-        skip_existing: true
-        print_hash: true
+        repository-url: https://test.pypi.org/legacy/
+        skip-existing: true
+        print-hash: true
 
   publish-artifacts-pypi:
     needs: test-wheel
     name: "publish to pypi"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)
+    environment: pypi
+
     # upload to PyPI for every tag starting with 'v'
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v') && github.repository_owner == 'SciTools'
     steps:
@@ -158,8 +164,6 @@ jobs:
         name: pypi-artifacts
         path: ${{ github.workspace }}/dist
 
-    - uses: pypa/gh-action-pypi-publish@release/v1
+    - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
       with:
-        user: __token__
-        password: ${{ secrets.PYPI_API_TOKEN }}
-        print_hash: true
+        print-hash: true