Update publish workflow to use OIDC for PyPI publishing (#241)

Author: dermatologist

.github/workflows/publish.yml

@@ -9,6 +9,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     timeout-minutes: 20
+    # IMPORTANT: This permission is mandatory for trusted publishing
+    permissions:
+      id-token: write
     steps:
     - uses: actions/checkout@v6
 
@@ -21,6 +24,4 @@ jobs:
     - name: Publish distribution 📦 to PyPI
       if: startsWith(github.ref, 'refs/tags')
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_API_TOKEN }}
+      # Omit 'user' and 'password' inputs; OIDC is used automatically