Configure PyPI trusted publishing

{{cookiecutter.project_name}}/.github/workflows/cd.yml

@@ -3,22 +3,26 @@ name: Release
 
 env:
   ENABLE_PYPI_PUBLISH: {{ "true" if cookiecutter.enable_pypi_publish|lower == "yes" else "false" }}
-  ENABLE_TEST_PYPI_PUBLISH: {{ "true" if cookiecutter.enable_pypi_publish|lower == "yes" else "false" }}
+  ENABLE_TEST_PYPI_PUBLISH: "false"
   RELEASE_PYTHON_VERSION: "3.12"
   RELEASE_POETRY_VERSION: "2.0"
 
 on:
   push:
     tags:
       - '*'
-  workflow_dispatch:
 
 jobs:
   Publish:
     name: Publish package for ${{ "{{" }} github.ref_name }}
 
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/{{ cookiecutter.project_name }}
+    permissions:
+      id-token: write
 
     steps:
       - name: 💾 Check out repository
@@ -49,15 +53,12 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
         if: ${{ "{{" }} env.ENABLE_TEST_PYPI_PUBLISH == 'true' }}
         with:
-          password: ${{ "{{" }} secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
           skip-existing: true
 
       - name: ☢️ Publish to PyPI
         if: ${{ "{{" }} env.ENABLE_PYPI_PUBLISH == 'true' }}
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ "{{" }} secrets.PYPI_API_TOKEN }}
 
 concurrency:
   group: ${{ "{{" }} github.workflow }}-${{ "{{" }} github.ref }}