CI - Swap to trusted publisher for releases

[trallard]

Closes #1754

I only modified the publish.yml workflow in this PR to remove the token.

Separately, I already added this as a trusted publisher in PyPI.

[drammock]

WDYT about a step for building and checking the wheels with twine before pushing to PyPI? E.g.:

https://github.com/mne-tools/mne-python/blob/026e2622e9f32741ac20bc4c051bdc89bbbd3785/.github/workflows/release.yml#L26-L31

[trallard]

I can do that, I actually thought about it as I was working on #1759
I have been using https://github.com/hynek/build-and-inspect-python-package for build and wheels inspection and it is a delight. But a quick twine check works well to

[drammock]

I have been using https://github.com/hynek/build-and-inspect-python-package for build and wheels inspection and it is a delight.

ooh, I only looked quickly but that does seem useful!

[trallard]

I have now added the build-and-verify package action to the workflow per @drammock comment

[drammock]

wonderful, thanks @trallard

[drammock]

@trallard I think maybe this PR isn't working as intended. Even after ditching Codecov so that the tests all pass (prerequisite for even running the build/upload workflow), the upload step is failing:

https://github.com/pydata/pydata-sphinx-theme/actions/runs/8944060825/job/24570535182#step:3:51

If I'm reading the output of prior steps correctly, the artifact is actually named Packages.zip (see also the Artifacts section here) and I think we will need to unzip it (?) before calling the upload step (at least I can't find any mention of handling .zips at https://github.com/pypa/gh-action-pypi-publish/tree/release/v1/).