uproot5
Use Trusted Publishers for publishing releases to PyPI
At the moment uproot still uses long-lived API-token-based publishing to PyPI:
https://github.com/scikit-hep/uproot5/blob/734700ef1f822338b03a7573df484909b317b2c2/.github/workflows/deploy.yml#L43-L45
It would be preferable from a security and long-term security-maintenance view (cf. https://github.com/scientific-python/summit-2024/issues/9) to use Trusted Publishers for this.
Given that adding a trusted publisher to an existing PyPI project requires owner-level control of the PyPI project, I can't make the necessary changes to enable this, but cf. the following PRs as examples of what is needed after the fact:
- https://github.com/scikit-hep/pyhf/pull/2183
- https://github.com/scikit-hep/awkward/pull/2450
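For reference, here is what the change in the GitHub Actions workflow looks like. This is an added illustration, not uproot5's own `deploy.yml` or the content of the PRs linked above; the two jobs are placed side by side only for comparison (a real workflow would keep just the second), the `dist` artifact is assumed to have been built by an earlier job, and the environment name `pypi` is an assumption that must match whatever the PyPI project owner registers when adding the trusted publisher.

```yaml
# Added example, not uproot5's own deploy.yml.
name: deploy

on:
  release:
    types: [published]

jobs:
  # BEFORE: a long-lived API token stored as a repository secret. Anyone who
  # obtains the secret (leaked log, compromised fork workflow, exfiltrated
  # runner) can publish releases until the token is manually revoked.
  publish-with-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}   # long-lived secret

  # AFTER: Trusted Publishing via OpenID Connect. No secret is stored anywhere.
  # The action asks GitHub for a short-lived OIDC token and exchanges it with
  # PyPI for a temporary upload token; PyPI only honours the exchange if the
  # (owner, repository, workflow file, environment) tuple matches what the
  # PyPI project owner registered as a trusted publisher.
  publish-with-trusted-publisher:
    runs-on: ubuntu-latest
    environment: pypi            # assumed name; must match the PyPI trusted-publisher config
    permissions:
      id-token: write            # required for OIDC; grant on this job only, not workflow-wide
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist
      - uses: pypa/gh-action-pypi-publish@release/v1   # no password input at all
```

On the PyPI side the project owner registers the publisher under the project's "Publishing" settings with the GitHub owner (`scikit-hep`), repository (`uproot5`), workflow file name (`deploy.yml`) and, if used, the environment name. Once that is in place the `PYPI_API_TOKEN` secret can be deleted from the repository and the token revoked on PyPI, which is the point of the change: there is no longer a static credential to leak or rotate.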