
[maintenance hint] Use `pypi-publish` action with secretless publishing from GHA

Open webknjaz opened this issue 9 months ago • 1 comment

I was skimming through the recent changes as I was trying to figure out a new regression and noticed something that should probably be fixed — the GHA workflow calls Twine directly and uses a long-lived API token or even a user-wide password (which is worse, security-wise).

There's a more secure and easier way of doing this now which my action (yes, it's a shameless plug!) has supported since the early spring, way before it went GA: https://github.com/marketplace/actions/pypi-publish#trusted-publishing.

My PyPUG guide is also updated with a full usage example of secretless publishing: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.

I suggest you upgrade the automation to be more in line with the modern practices :)

webknjaz avatar Nov 29 '23 00:11 webknjaz
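The change the issue asks for, shown as an added illustration rather than the delocate repository's actual workflow: the Twine-with-stored-token job the issue describes, beside the secretless trusted-publishing variant. The job name, environment name, artifact name and secret name are assumptions.

```yaml
# Before (the pattern the issue objects to): a long-lived PyPI API token kept as a
# repository secret and handed to Twine. It is static, shared by every run, and has
# to be rotated by hand if it ever leaks from a log or a compromised step.
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4   # assumed: dists were built in an earlier job
        with:
          name: dist
          path: dist/
      - run: python -m pip install twine && twine upload dist/*
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}   # assumed secret name; long-lived

---
# After: trusted publishing. The job asks GitHub for a short-lived OIDC token
# (permissions.id-token: write); pypi-publish presents it to PyPI, which mints a
# one-time upload token for this run only. No long-lived credential is stored in
# the repository, so there is nothing to leak or rotate.
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi        # assumed name; must match the Trusted Publisher entry on PyPI
    permissions:
      id-token: write        # required for OIDC; grant nothing else the job does not need
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        # no user, password or token inputs: the action authenticates with the OIDC identity
```

On the PyPI side, the project's Trusted Publishers settings must list the repository owner, repository name, workflow file name and, if one is used, the environment name before the first secretless run will be accepted.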