Adopt PyPI's trusted publishing, won't need PYPI_API_TOKEN in publish-to-pypi.yml.

[pnacht]

Is your feature request related to a problem? Please describe. The publish-to-pypi.yml workflow currently publishes a new version of the repository by using the recommended pypa/gh-action-pypi-publish with a secret PyPI token.

This is a long-lived token. Should this token be somehow compromised, it can be used to publish a malicious version of the package, harming KerasNLP's users.

Describe the solution you'd like Eliminate the need for a PyPI token by relying on PyPI's recently-announced trusted publishers mechanism.

This mechanism uses OIDC to create a short-lived token on-the-fly when the workflow runs.

This will require you to log into PyPI and set publish-to-pypi.yml as the workflow that's trusted to publish new versions of this package.

The workflow will look something like this:

name: Publish to PyPI

on: push

permissions:
  contents: read

jobs:
  build-and-publish:
    name: Build and publish to PyPI
    runs-on: ubuntu-latest

    permissions:      # NEW
     id-token: write  # NEW

    steps:
    - uses: actions/checkout@master
    - name: Install dependencies
      run: |
          pip install -r requirements.txt --progress-bar off
    - name: Build a binary wheel and a source tarball
      run: >-
        python pip_build.py
    - name: Publish distribution to PyPI
      if: startsWith(github.ref, 'refs/tags')
      uses: pypa/gh-action-pypi-publish@master

[mattdangerw]

@sampathweb as you are going to look at nightly publishing do you want to take a look at this too?

No strong feelings on what we do here.

[mattdangerw]

Talked with @sampathweb sounds like we will wait till we are ready to do this across all keras projects. So we use a similar publishing setup across the team. Will leave this open until we pull that work.