Publish to TestPyPI and PyPI via OpenID Connect token

Using a short-lived API token generated by OpenID Connect (OIDC) instead of a long-lived secret to publish packages to TestPyPI and PyPI. Refer to https://github.com/pypa/gh-action-pypi-publish/tree/v1.8.1#ipublishing-with-openid-connect

Author: weiji14

.github/workflows/publish-to-pypi.yml

@@ -19,6 +19,9 @@ jobs:
   publish-pypi:
     name: Publish to PyPI
     runs-on: ubuntu-latest
+    permissions:
+      # This permission is mandatory for OIDC publishing
+      id-token: write
     if: github.repository == 'GenericMappingTools/pygmt'
 
     steps:
@@ -53,13 +56,10 @@ jobs:
         ls -lh dist/
 
     - name: Publish to Test PyPI
-      uses: pypa/[email protected].1
+      uses: pypa/[email protected].3
       with:
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
         repository-url: https://test.pypi.org/legacy/
 
     - name: Publish to PyPI
       if: startsWith(github.ref, 'refs/tags')
-      uses: pypa/[email protected]
-      with:
-        password: ${{ secrets.PYPI_API_TOKEN }}
+      uses: pypa/[email protected]