Switch to trusted publishing #228

Closed
flying-sheep opened this issue Aug 24, 2023 · 3 comments · Fixed by #249
Comments

@flying-sheep
Member

flying-sheep commented Aug 24, 2023

It’s easier than wrangling tokens.

1. Switch the publish workflow to this: https://github.com/flying-sheep/hatch-docstring-description/blob/39ef405c98ed8b9584db9f591398fcf2c67437d7/.github/workflows/pub.yml
2. Add to the docs that users need to
   1. add an environment to their repo called pypi (no settings, just have it)
   2. enter username, repo, pub.yml and pypi in a form and submit it (described here)

@Zethson
Member

Zethson commented Sep 18, 2023

Could you please explain why we're changing this? I don't mind wrangling with tokens because they can be reused across organizations.

@grst
Collaborator

grst commented Sep 18, 2023

This confers significant usability and security advantages when compared to PyPI's traditional authentication methods:

Usability: with trusted publishing, users no longer need to manually create API tokens on PyPI and copy-paste them into their CI provider. The only manual step is configuring the publisher on PyPI.

Security: PyPI's normal API tokens are long-lived, meaning that an attacker who compromises a package's release token can use it until its legitimate user notices and manually revokes it. Similarly, uploading with a password means that an attacker can upload to any project associated with the account. Trusted publishing avoids both of these problems: the tokens minted expire automatically, and are scoped down to only the packages that they're authorized to upload to.

https://docs.pypi.org/trusted-publishers/

@flying-sheep
Member Author

flying-sheep commented Oct 31, 2023

I just used that release workflow to release both anndata 0.10.3 and scanpy 1.9.6 almost without a hitch.

If one uses a build backend that isn't Flit, there will be no problems adopting it. (The hitch was that I forgot to backport scanpy's switch to hatch.)
