Update publish workflow to use PyPI trusted publishing (#119)

Replace twine-based PyPI publishing with OIDC-based trusted publishing
using the pypa/gh-action-pypi-publish GitHub Action.

Changes:
- Add permissions block with id-token: write for OIDC
- Add environment block referencing the 'publish' environment
- Remove twine installation step
- Replace twine upload with gh-action-pypi-publish action

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: kesmit13

.github/workflows/publish.yml

@@ -156,12 +156,16 @@ jobs:
 
     runs-on: ubuntu-latest
 
-    steps:
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install twine==6.0.1
+    permissions:
+      id-token: write   # Required for OIDC trusted publishing
+      actions: read     # Required for actions/download-artifact
+      contents: read    # Required for repository access
 
+    environment:
+      name: publish
+      url: https://pypi.org/p/singlestoredb
+
+    steps:
       - name: Download Linux wheels and sdist
         uses: actions/download-artifact@v4
         with:
@@ -180,14 +184,9 @@ jobs:
           name: artifacts-macOS
           path: dist
 
-      - name: Publish PyPI package
+      - name: Publish to PyPI
         if: ${{ github.event_name == 'release' || github.event.inputs.publish_pypi == 'true' }}
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: "${{ secrets.PYPI_TOKEN }}"
-        run: |
-          ls ./dist/*
-          twine upload ./dist/*
+        uses: pypa/gh-action-pypi-publish@release/v1
 
 #     - name: Publish Conda package
 #       if: ${{ github.event_name == 'release' || github.event.inputs.publish_anaconda == 'true' }}