Update release workflow to use PyPI Trusted Publisher with OIDC

Author: zxkane

.github/workflows/release.yml

@@ -9,6 +9,9 @@ on:
 jobs:
   build-and-publish:
     runs-on: ubuntu-latest
+    # Enable OIDC token permissions for Trusted Publisher
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout repository
@@ -23,13 +26,11 @@ jobs:
         run: python -m pip install --upgrade pip
 
       - name: Install build tools
-        run: pip install build twine
+        run: pip install build
 
       - name: Build the package
         run: python -m build
 
-      - name: Publish package to PyPI
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-        run: twine upload dist/* --non-interactive --skip-existing
+      - name: Publish package distributions to PyPI using Trusted Publisher
+        # This action uses OIDC to authenticate without API tokens
+        uses: pypa/gh-action-pypi-publish@release/v1