Audit all Jupyter PyPI package tokens

[manics]

Followup from jupyterhub/team-compass#763 (comment)

Audit all PyPI packages under Jupyter to see:

• which ones are using a trusted publisher https://docs.pypi.org/trusted-publishers/using-a-publisher/
• which ones are using tokens, and when the token was last updated
• which ones are using trusted publisher but still have old tokens that should be deleted

[Carreau]

I'm going to add to this issue – as I think it's bit more convenient to see everything that should be done on each package in a single place, potentially as a list of subtasks:

• check that every default branch on every repo is "main" (for consistency, it avoids mistakes)
• check that there are branch protection rules.

[Carreau]

Also maybe some of the check could be implemented in https://github.com/scientific-python/repo-review ?