ci(release): Migrate to PyPI Trusted Publisher

why: Improve security by eliminating stored API tokens and enable package attestations
what:
- Add OIDC permissions (id-token, attestations) to release job
- Remove user/password authentication in favor of trusted publishing
- Enable attestations for supply chain security
- Fix deprecated skip_existing to skip-existing

Author: tony

.github/workflows/tests.yml

@@ -91,6 +91,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    permissions:
+      id-token: write      # Required for OIDC trusted publishing
+      attestations: write  # Required for generating attestations
 
     strategy:
       matrix:
@@ -118,6 +121,5 @@ jobs:
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          skip_existing: true
+          attestations: true
+          skip-existing: true