Use PyPI Trusted Publishing

This is the recommended way and allows us to avoid needing a token, which could be leaked.

.github/workflows/deploy.yml

@@ -17,6 +17,8 @@ jobs:
 
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
 
     needs: package
 
@@ -28,10 +30,7 @@ jobs:
         path: dist
 
     - name: Publish package to PyPI
-      uses: pypa/[email protected]
-      with:
-        user: __token__
-        password: ${{ secrets.pypi_token }}
+      uses: pypa/[email protected]
 
     - name: Publish GitHub Release
       uses: softprops/action-gh-release@v1