chore(ci): switch to trusted PyPI publishing

.github/workflows/main.yml

@@ -18,7 +18,7 @@ jobs:
         with:
           python-version: 3.13
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
-  build:
+  test:
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -37,23 +37,28 @@ jobs:
         uses: fedora-python/tox-github-action@807f27871410c7391018dc9a245c8cffdced15e9 # v41.0
         with:
           tox_env: ${{ matrix.tox_env }}
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-        with:
-          cache: pip
-          cache-dependency-path: |
-            requirements-dev.txt
-            setup.py
-  deploy:
-    name: Build deploy
+  build:
     runs-on: ubuntu-latest
     permissions:
       contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-      - uses: casperdcl/deploy-pypi@928e3123266d588b46c017228f9a9d4c13ad4c93 # v2.5.0
+      - run: python -m pip install --upgrade build
+      - run: python -m build
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        with:
+          name: dist
+          path: dist/
+  publish:
+    runs-on: ubuntu-latest
+    needs: build
+    if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
         with:
-          password: ${{ secrets.PYPI_TOKEN }}
-          build: true
-          # only upload if a tag is pushed (otherwise just build & check)
-          upload: ${{ github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') }}
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0