PyPI: switch to trusted publishing and generate attestations (#257)

Author: letmaik

.github/workflows/ci.yml

@@ -519,6 +519,13 @@ jobs:
 
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
 
+    environment:
+      name: pypi
+      url: https://pypi.org/p/rawpy
+    
+    permissions:
+      id-token: write
+
     steps:
     - name: Download wheels from artifact storage
       uses: actions/download-artifact@v4
@@ -530,10 +537,8 @@ jobs:
     - name: Setup Python
       uses: actions/setup-python@v5
 
-    - name: Upload wheels to PyPI
-      run: |
-        pip install twine
-        twine upload -u __token__ -p ${{ secrets.PYPI_TOKEN }} --skip-existing dist/*
+    - name: Publish package distributions to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
 
   publish-docs:
     runs-on: ubuntu-latest