Use trusted-publishing instead of long-lived token

Run job under an environment called 'pypi', set permissions: id-token: write, and don't use PYPI_TOKEN upload. Xref https://github.com/pypa/gh-action-pypi-publish/tree/v1.14.0?tab=readme-ov-file#trusted-publishing.

Author: weiji14

.github/workflows/pypi-release.yaml

@@ -62,10 +62,17 @@ jobs:
           name: releases
           path: dist
 
-  upload-to-pypi:
+  pypi-publish:
+    name: Publish Python 🐍 distribution 📦 to PyPI
     needs: build-artifacts
-    if: github.event_name == 'release'
+    if: github.repository == 'xarray-contrib/cupy-xarray' && startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/project/cupy-xarray/
+    permissions:
+      id-token: write # IMPORTANT: mandatory for trusted OIDC publishing
+
     steps:
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
@@ -75,6 +82,5 @@ jobs:
       - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
+          print-hash: true
           verbose: true