Use trusted publishing for publishing whls to pypi (Update build-and-test.yml) (#193)

Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: andife

.github/workflows/build-and-test.yml

@@ -76,25 +76,34 @@ jobs:
         path: dist/*.tar.gz
 
   # TODO: Discuss release workflow
-  # upload_pypi:
-  #   name: Upload to PyPI
-  #   needs: [build_wheels, build_sdist]
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/download-artifact@v4
-  #       with:
-  #         name: artifact
-  #         path: dist
-          
-  #     - name: Publish distribution 📦 to Test PyPI
-  #       uses: pypa/gh-action-pypi-publish@release/v1
-  #       with:
-  #         password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-  #         repository-url: https://test.pypi.org/legacy/
-  #         skip-existing: true
-          
-  #     - name: Publish distribution 📦 to PyPI
-  #       if: startsWith(github.ref, 'refs/tags/v')
-  #       uses: pypa/gh-action-pypi-publish@release/v1
-  #       with:
-  #         password: ${{ secrets.PYPI_API_TOKEN }}
+  release:
+    name: Release
+    environment: 
+      name: release
+      url: https://pypi.org/p/onnxoptimizer     
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')  
+    needs: [build_wheels, build_sdist]      
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: artifact
+          path: dist
+
+      # TODO: get acccess for test.pypi   
+      # - name: Publish distribution 📦 to Test PyPI
+      #   uses: pypa/gh-action-pypi-publish@release/v1
+      #   with:
+      #     repository-url: https://test.pypi.org/legacy/
+      #     skip-existing: true
+      #     attestations: true
+         
+      - name: Publish distribution 📦 to PyPI
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://upload.pypi.org/legacy/
+          attestations: true