Use `trusted publisher` for PyPI releases

[trallard]

We use the publish.yaml workflow for PST releases.

This still uses a token for this action, though trusted publishing is now encouraged over API tokens as a best practice on supported platforms (like GitHub).

To do this, we would need to:

• Update publish.yaml - I can do this
• Update the settings in the PyPI package to enable trusted publishers. I'm not sure who has access to this, but maybe @choldgraf (?).
• Remove the existing token from GH

Ref: https://docs.pypi.org/trusted-publishers/adding-a-publisher/

[choldgraf]

@trallard I've invited you as an owner on pypi (and recommend we add other core maintainers in the same role as well)

[drammock]

Feel free to add me if you want, we use trusted publisher in MNE too so I'm familiar

[trallard]

Added you @drammock!

[trallard]

PR is up now at #1758; the only outstanding item is removing the existing tokens from GitHub itself.
This is not something I can do with my current permissions/role, so this would be a task for someone else with elevated privileges.