ci: migrate PyPI release to trusted publishing (OIDC)

[bhimrazy]

What does this PR do?

Migrates the PyPI release workflow from token-based authentication to OIDC trusted publishing, aligning with the pattern used in pytorch-lightning and torchmetrics.

• Splits into three jobs: build, upload-release-assets, and publish-pypi
• build uploads dist/ as a GitHub artifact shared across jobs
• upload-release-assets attaches the dist files to the GitHub Release page (runs on release event)
• publish-pypi uses OIDC (permissions: id-token: write) — no pypi_password secret needed
• All actions pinned to commit SHAs for supply-chain security

Pre-requisite before merging: configure a trusted publisher on the litdata PyPI project (Manage → Publishing) with owner Lightning-AI, repo litdata, workflow release-pypi.yml.

PR review

Anyone in the community is free to review the PR once the tests have passed.
If we didn't discuss your PR in GitHub issues there's a high chance it will not be merged.

Did you have fun?

Make sure you had fun coding 🙃

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81%. Comparing base (5213544) to head (cf89c4e).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@         Coverage Diff         @@
##           main   #827   +/-   ##
===================================
- Coverage    81%    81%   -0%     
===================================
  Files        54     54           
  Lines      7617   7617           
===================================
- Hits       6144   6143    -1     
- Misses     1473   1474    +1     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.