Review trusted publishing #139
Description
I have set up trusted publishing on GitHub side's, but not on pypi's side yet. I'd like your input @niklasf and @benediktwerner before enabling it to make sure there's not a big security oversight.
The main logic for publishing and all is located at https://github.com/lichess-org/berserk/blob/master/release.py, I chose that way because it's easier to fallback to local publishing in case something go south with GitHub rather than having everything written as GitHub action.
It's used by the GA https://github.com/lichess-org/berserk/blob/master/.github/workflows/release.yml to build and publish it to pypi.
Note that this action has git write access to bump the version with proper commit name, tag, and re-enter as dev version afterwards, see https://github.com/lichess-org/berserk/commits/testpypi/
To secure the action, two environments have been created, pypi and testpypi, the former only usable on trusted branch master, and the latter also on testpypi branch for testing.
pypi env need confirmation from a lichess-org/deployer member.
it works on testpypi https://test.pypi.org/project/berserk/#description