ci(release): Migrate to PyPI Trusted Publisher (#615)

## Summary
- Migrate PyPI publishing from API token to OIDC-based Trusted Publisher
- Enable package attestations for supply chain security
- Fix deprecated `skip_existing` parameter

## Changes
- Add `permissions` block with `id-token: write` and `attestations: write`
- Remove `user` and `password` parameters from publish step
- Add `attestations: true` to enable cryptographic attestations
- Change `skip_existing` to `skip-existing` (kebab-case)

Author: tony

.github/workflows/tests.yml

@@ -91,6 +91,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    permissions:
+      id-token: write      # Required for OIDC trusted publishing
+      attestations: write  # Required for generating attestations
 
     strategy:
       matrix:
@@ -118,6 +121,5 @@ jobs:
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          skip_existing: true
+          attestations: true
+          skip-existing: true

CHANGES

@@ -32,7 +32,12 @@ $ uvx --from 'libtmux' --prerelease allow python
 
 <!-- To maintainers and contributors: Please add notes for the forthcoming version below -->
 
-_Upcoming changes will be written here._
+### CI
+
+#### Migrate to PyPI Trusted Publisher (#615)
+
+PyPI publishing now uses OIDC-based Trusted Publisher instead of API tokens.
+This improves security and enables package attestations for supply chain verification.
 
 ## libtmux 0.52.0 (2025-12-07)