Trusted Publishing: start by migrating pip-tools #384

@webknjaz

Description
There's a release request that nobody really can handle, as there's no lead that is active right now: jazzband/pip-tools#2112.
I've been fixing up the CI to get it to a green state lately, and I remembered talking to @jezdez regarding migrating to Trusted Publishing to eliminate the need to proxy the releases through Jazzband's private index.

I've made a PR with a PoC that roughly keeps the process the same, short of using a private index: jazzband/pip-tools#2149. But in order to go ahead, we should figure out all the configuration bits that aren't available to me.

@jezdez could you take a look and see what's needed to move this forward and perhaps learn how to scale it to other projects.

P.S. This is not asking to make me lead. Let's hope somebody shows up for the release and focus on things that are actionable.


Lessons learned:

  • In order to migrate other projects, the pip-tools bot on PyPI or Jannis has to get an Owner-level privilege on each project. Only owners can add trusted publishers on the PyPI side.
  • When setting up GitHub environments in the repository settings, the self-review checkbox MUST NOT be selected as it would actively prevent leads from approving releases they triggered. This would make it unusable in projects with a single active lead.

Metadata

Assignees

Labels

No labels

Type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests