chore: Use OIDC for publishing (zarr-developers#3791)

* Use OIDC for publishing

* Update requires

* Attest

Author: maxrjones

.github/workflows/releases.yml

@@ -10,6 +10,10 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
 
   build_artifacts:
@@ -35,7 +39,7 @@ jobs:
           version: '1.16.5'
       - name: Build wheel and sdist
         run: hatch build
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         with:
           name: releases
           path: dist
@@ -55,16 +59,24 @@ jobs:
           ls dist
 
   upload_pypi:
-    needs: [build_artifacts]
+    needs: [build_artifacts, test_dist_pypi]
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
+    environment:
+      name: releases
+      url: https://pypi.org/p/zarr
+    permissions:
+      id-token: write
+      attestations: write
+      artifact-metadata: write
     steps:
       - uses: actions/download-artifact@v7
         with:
           name: releases
           path: dist
-      - uses: pypa/gh-action-pypi-publish@v1.13.0
+      - name: Generate artifact attestation
+        uses: actions/attest@v4
         with:
-          user: __token__
-          password: ${{ secrets.pypi_password }}
-          # To test: repository_url: https://test.pypi.org/legacy/
+          subject-path: dist/*
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@v1.13.0