Consider switching to a trusted publisher #871

@ArBridgeman

Summary

• zizmor flagged this in ./.github/workflows/build-and-publish.yml with info[use-trusted-publishing]: prefer trusted publishing for authentication; the audit docs are here: https://docs.zizmor.sh/audits/#use-trusted-publishing.

Description

We should investigate the scope and implementation requirements for enabling trusted publishing via use-trusted-publishing, but not rush into rollout yet. In the meeting, we agreed to delay this work for now while @torsten Kilias evaluates the effort involved.

Current constraints to account for:

  • Trusted publishing cannot currently be used from within a reusable workflow.

  • The recommended pattern is to use a non-reusable workflow that:

    • calls the existing reusable workflow in one job, and
    • performs the trusted publishing step in a separate job outside the reusable workflow.

  • As an alternative, we could keep using username/token authentication inside the reusable workflow, but that would not move us to trusted publishing.

  • Each project/repository must be registered individually, which means this affects 30+ repos.

  • We would also need to set up an approval environment for each repo, which adds additional operational overhead.
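The two-job wrapper pattern described above, written out as an added example rather than configuration from this repository. It assumes the flagged build-and-publish.yml is the reusable workflow, that it uploads the built package as an artifact named `dist`, and that the target index is PyPI via `pypa/gh-action-pypi-publish`; the org/repo path, the `release` environment name and the trigger are placeholders.

```yaml
# Non-reusable caller workflow (assumed new file, e.g. .github/workflows/publish.yml).
name: publish

on:
  push:
    tags: ["*"]  # placeholder trigger

# Least privilege by default; only the publish job raises what it needs.
permissions:
  contents: read

jobs:
  build:
    # Job 1: call the existing reusable workflow unchanged.
    # Assumption: it builds the package and uploads it as an artifact named "dist".
    # Its permissions are capped by this job's (contents: read), which suffices for a build.
    uses: EXAMPLE-ORG/EXAMPLE-REPO/.github/workflows/build-and-publish.yml@main
    secrets: inherit  # drop once the reusable workflow no longer needs a token

  publish:
    # Job 2: trusted publishing happens here, outside the reusable workflow.
    needs: build
    runs-on: ubuntu-latest
    # Placeholder environment: configure required reviewers on it in the repo
    # settings (the approval gate mentioned above) and register the same
    # workflow filename + environment name as the trusted publisher on PyPI.
    environment: release
    permissions:
      id-token: write  # lets the job mint the OIDC token the publisher exchanges
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # No username/password or API-token inputs: the action exchanges the
      # OIDC token for a short-lived, project-scoped PyPI token.
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/
```

Pin the `uses:` references to commit SHAs in practice so the same zizmor run does not flag them for a different reason.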
