
feat(ci): switch to uv publish for PyPI uploads

Open woodruffw opened this issue 3 days ago • 1 comment

This switches pypi-publish.yml from gh-action-pypi-publish to uv publish. The upload itself is still through Trusted Publishing, and attestations are preserved through astral-sh/attest-action (which can be removed in the medium-term, once uv publish itself supports attestation generation).

Noting a few things from conversation with @reaperhulk:

  • This runs uv publish directly, since the uv binary is configured on the $PATH implicitly via astral-sh/attest-action. This is arguably undesirable, since cryptography otherwise pins uv via a requirements file.
  • Separately, this currently runs the latest uv release at all times, since astral-sh/attest-action doesn't attempt to pin it (besides a lower bound for compatibility). This is "ok" from Astral's own trust domain, but it might not be what you want in your release pathway for stability/reproducibility purposes.

TL;DR: This all works, but the current approach may not be what you want in terms of version pinning.

woodruffw avatar Dec 10 '25 06:12 woodruffw
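The pinning concern raised above, illustrated as an added workflow example. This is not the cryptography project's actual pypi-publish.yml and not woodruffw's change; it shows one way to keep uv pinned through a requirements file while still uploading via Trusted Publishing with `uv publish`. The requirements file path, the workflow trigger and the Python version are hypothetical, and the attestation step (astral-sh/attest-action) is left out because its inputs are not shown on the page.

```yaml
# Added example, not the project's real workflow. Pins uv via a
# requirements file (hypothetical path) instead of relying on whatever
# astral-sh/attest-action puts on $PATH, then publishes through PyPI
# Trusted Publishing (OIDC, no long-lived API token in the repo).
name: publish-to-pypi

on:
  release:
    types: [published]   # hypothetical trigger

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # required for Trusted Publishing (OIDC token minting)
    steps:
      # In a real release workflow, pin third-party actions to a full commit
      # SHA rather than a mutable tag.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # hypothetical

      # Install the pinned uv from the repository's own requirements file
      # (hypothetical path). This is the version-pinned trust boundary the
      # PR discussion is about; nothing else in the job should introduce a
      # different uv.
      - name: Install pinned uv
        run: python -m pip install -r .github/requirements/uv-requirements.txt

      - name: Build sdist and wheel
        run: python -m uv build

      # `python -m uv` invokes the pip-installed (pinned) uv explicitly, so an
      # unpinned uv that some other action placed earlier on $PATH cannot
      # shadow it. `--trusted-publishing always` makes the job fail loudly
      # instead of falling back to token-based auth if the OIDC exchange
      # does not happen.
      - name: Publish via Trusted Publishing
        run: python -m uv publish --trusted-publishing always dist/*
```

The `python -m uv` form is the practical answer to the first bullet above: even if another action later puts its own `uv` binary on `$PATH`, the publish step still runs the version the requirements file pinned. If astral-sh/attest-action is added back to this job for attestations, it needs the `attestations: write` permission as well, and the pinned-vs-PATH question applies to any step that invokes bare `uv`.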