pypi: trusted publishing & attestations

Author: letmaik

.github/workflows/ci.yml

@@ -247,6 +247,13 @@ jobs:
 
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
 
+    environment:
+      name: pypi
+      url: https://pypi.org/p/lensfunpy
+
+    permissions:
+      id-token: write
+
     steps:
     - name: Download wheels from artifact storage
       uses: actions/download-artifact@v4
@@ -258,12 +265,8 @@ jobs:
     - name: Setup Python
       uses: actions/setup-python@v4
 
-    - name: Upload wheels to PyPI
-      run: |
-        pip install twine
-        # https://github.com/pypa/twine/issues/1216
-        pip install -U packaging
-        twine upload -u __token__ -p ${{ secrets.PYPI_TOKEN }} --skip-existing dist/*
+    - name: Publish package distributions to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
 
   publish-docs:
     runs-on: ubuntu-latest