Set up release workflow with PyPI Trusted Publishers

[natestemen]

Background

In April 2023 PyPI revealed a new publishing method using the OpenID Connect standard [GitHub docs]. This standard is described as

an interoperable authentication protocol based on the OAuth 2.0 framework of specifications (IETF RFC 6749 and 6750). It simplifies the way to verify the identity of users based on the authentication performed by an Authorization Server [...] Best of all, it removes the responsibility of setting, storing, and managing passwords which is frequently associated with credential-based data breaches.

More details can be found in the PyPI docs here, but because we set and store long-term passwords for use in our github actions, this is a welcome addition.

Fix

The changes required at laid out in the PyPI docs. One of the suggested changes (for increased security) is to create an environment in which the release originates. This allows for further restrictions and rules to be applied as to when the release happens. GitHub docs here.

We will also need to change code in two places to use the pypa/gh-action-pypi-publish action:

• .github/workflows/publish-pypi.yml
• .github/workflows/publish-testpypi.yml

This may potentially alter our release docs as well. If so, they should be updated accordingly.

[Misty-W]

No PR in milestone 0.34.0.