Setup trusted publishing

[davidorme]

It is going to be much easier to manage publication of the pyrealm as part of the GH actions workflow using trusted publishing, rather than relying on authentication using PyPI tokens. For a start, those tokens need to be stored securely but also shared amongst team members who want to make a release.

@dalonsoa pointed to a similar approach here:

https://github.com/ImperialCollegeLondon/virtual_ecosystem/pull/401#pullrequestreview-1913398522 https://github.com/EnergySystemsModellingLab/MUSE_OS/blob/develop/.github/workflows/publish.yml

We've implemented something similar here, which we can basically clone.

https://github.com/ImperialCollegeLondon/virtual_ecosystem/issues/405 https://github.com/ImperialCollegeLondon/virtual_ecosystem/pull/408

Describe the solution you'd like

Set up a GH workflow to publish when a release is made. I think the sequence is basically:

• Create a new release branch from develop
• Review and merge that branch into main
• Tag the new release with the version number
• Create a new release from that tag.
• That release creation sparks the workflow which re-runs the standard testing, builds the package and uses trusted publishing to push it to TestPyPI.
• That can then also publish to PyPI

So:

• [x] Add the GitHub workflow from the virtual_ecosystem example and modify for pyrealm
• [x] Adopt the release process documentation from that PR too.
• [x] Turn on trusted publishing from GitHub on PyPI and TestPyPI (@davidorme to do)
• [ ] Probably run a 1.0.0a1 release to check it all works.