use trusted publishers instead of a API token (#7899)

* use trusted publishers instead of a API token

* same for TestPyPI

Author: keewis

.github/workflows/pypi-release.yaml

@@ -70,12 +70,26 @@ jobs:
           python -m pip install dist/xarray*.whl
           python -m xarray.util.print_versions
 
+  upload-to-test-pypi:
+    needs: test-built-dist
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+
+    environment:
+      name: pypi
+      url: https://test.pypi.org/p/xarray
+    permissions:
+      id-token: write
+
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: releases
+          path: dist
       - name: Publish package to TestPyPI
         if: github.event_name == 'push'
         uses: pypa/[email protected]
         with:
-          user: __token__
-          password: ${{ secrets.TESTPYPI_TOKEN }}
           repository_url: https://test.pypi.org/legacy/
           verbose: true
 
@@ -84,6 +98,13 @@ jobs:
     needs: test-built-dist
     if: github.event_name == 'release'
     runs-on: ubuntu-latest
+
+    environment:
+      name: pypi
+      url: https://pypi.org/p/xarray
+    permissions:
+      id-token: write
+
     steps:
       - uses: actions/download-artifact@v3
         with:
@@ -92,6 +113,4 @@ jobs:
       - name: Publish package to PyPI
         uses: pypa/[email protected]
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
           verbose: true