Release to PyPI using Trusted Publishing

[hugovk]

PyPI has introduced "Trusted Publishers", a method to release files from CI using OIDC and generated, short-lived tokens, rather than long-lived tokens on the developer's own machine. This is both safer, and makes releasing easier and more convenient.

https://docs.pypi.org/trusted-publishers/

This PR adds a workflow to deploy to PyPI for new GitHub releases.

It also deploys to Test PyPI on merges to main, to make sure the release machinery is well oiled.

I've set up the PyPIs.

• https://test.pypi.org/manage/project/humanize/settings/publishing/
• https://pypi.org/manage/project/humanize/settings/publishing/

---

PEP 740 ("Index support for digital attestations") introduces signatures which links the PyPI package to the GitHub repo, and helps users verify the source and authenticity of packages. This is only available with Trusted Publishing.

PyPI is still implementing support, but we can already start using it, which should also help them test out.

• https://peps.python.org/pep-0740/
• https://github.com/pypa/gh-action-pypi-publish#generating-and-uploading-attestations
• [Roadmap] Implement PEP 740 pypi/warehouse#15871

All we need to do to enable this is add:

        with:
          attestations: true

[hugovk]

Success from main to Test PyPI:

• https://github.com/python-humanize/humanize/actions/runs/11446424311/job/31845584693
• https://test.pypi.org/project/humanize/4.11.1.dev2/