cjolowicz / cookiecutter-hypermodern-python

Hypermodern Python Cookiecutter
http://cookiecutter-hypermodern-python.readthedocs.io/
MIT License

[FR] Promote secretless publishing to PyPI #1348

Open webknjaz opened 1 year ago

webknjaz commented 1 year ago

It is no longer necessary to make long-lived API tokens and store them as secrets. Now that PyPI supports trusted publishing through OIDC, it's best to stop prompting people to make permanent tokens, as short-lived ones are more secure. And `user: __token__` was never necessary, since it has always been the default.

The action has supported this since the private beta: https://github.com/marketplace/actions/pypi-publish#trusted-publishing. But the version currently hardcoded in the workflow is too old. This is why I tend to put `@release/v1` in the docs and reusable places, so it always has all the latest features without me having to constantly update that version. End users, though, can decide on their own whether they want to pin tags or commit SHAs.

Action items

  1. Drop the `user` and `password` inputs from https://github.com/cjolowicz/cookiecutter-hypermodern-python/blob/9343fc8/%7B%7Bcookiecutter.project_name%7D%7D/.github/workflows/release.yml#L58-L71.
  2. Replace `v1.6.4` with `release/v1`.
  3. Replace `repository_url` with `repository-url` while at it.
  4. Set the `id-token` permission to `write` as documented at https://github.com/marketplace/actions/pypi-publish#trusted-publishing.
  5. Add a link to https://docs.pypi.org/trusted-publishers/ somewhere.
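The following is a minimal release workflow that carries out action items 1 through 4 above. It is an added example, not the template's actual `release.yml` and not code from the issue author: the tag filter, the build steps, the `pypi` environment name and the `PYPI_TOKEN` secret name in the commented-out "before" step are all assumptions made for illustration.

```yaml
name: Release

on:
  push:
    tags:
      - "v*"          # assumed trigger; adjust to the project's release convention

jobs:
  publish:
    name: Build and publish to PyPI
    runs-on: ubuntu-latest
    # Assumed environment name. If you register the trusted publisher on PyPI
    # with an environment, this value must match it exactly; otherwise omit it.
    environment: pypi
    permissions:
      contents: read
      # Lets this job request an OIDC token from GitHub. The publish action
      # exchanges that token for a short-lived PyPI API token, so no
      # long-lived token needs to live in the repository secrets. Keep the
      # permission on this job only, not at the workflow level.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      # Before (long-lived token stored as a repository secret; secret name assumed):
      #
      #   - uses: pypa/gh-action-pypi-publish@v1.6.4
      #     with:
      #       user: __token__
      #       password: ${{ secrets.PYPI_TOKEN }}
      #       repository_url: https://upload.pypi.org/legacy/
      #
      # After: no user/password inputs at all. With no password supplied, the
      # action performs the OIDC exchange itself. The hyphenated repository-url
      # input is only needed when uploading somewhere other than PyPI.
      - name: Publish to PyPI (trusted publishing)
        uses: pypa/gh-action-pypi-publish@release/v1
        # Example for TestPyPI instead of PyPI, left commented out:
        # with:
        #   repository-url: https://test.pypi.org/legacy/
```

For this to work, a trusted publisher must first be registered for the project on PyPI (see https://docs.pypi.org/trusted-publishers/) with the repository owner, repository name, the workflow filename (`release.yml`) and, if used, the environment name; a mismatch in any of those fields makes the token exchange fail. Because anyone who can run that workflow in that environment can publish, protect the environment (required reviewers or branch/tag restrictions) and avoid granting `id-token: write` to jobs that do not publish.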
bosd commented 9 months ago

Is there a fork or pr which includes this?