Switch PyPI deploy method to use trusted publisher #613

Open
GenevieveBuckley opened this issue May 23, 2024 · 4 comments · May be fixed by #614
Comments

@GenevieveBuckley
Collaborator

PyPI introduced Trusted Publishers last year (see the announcement and how trusted publishing works). This improves security, since you no longer rely on having long-lived API tokens to use with twine.

We recently added a PyPI deployment job to the release workflow in #606. That PR uploads to PyPI using twine (because I didn't know about the trusted publisher option then).

To switch to trusted publishing for micro-sam, we'd need to do two things:

  1. Add a trusted publisher to our existing PyPI project (or you can create a new PyPI project with a trusted publisher).
  2. Merge a PR updating .github/workflows/release_drafter.yml. The deploy job needs to be given id-token: write permissions, and changed to use the pypa/gh-action-pypi-publish action (see example here).
  3. Delete the old PyPI API tokens, from both PyPI and the GitHub repository secrets settings.

Xref: napari/napari-animation#211
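The workflow change the three steps above describe, shown as an added example that is not micro-sam's own release_drafter.yml: the twine-based deploy job that depends on a long-lived API token stored as a repository secret, beside the trusted-publisher version that needs `id-token: write` and `pypa/gh-action-pypi-publish`. Job names, the secret name, the Python version, the build commands and the `environment` value are assumptions.

```yaml
# Before (assumed shape of the current job): a long-lived PyPI API token is
# kept in the repository secrets and handed to twine on every release. Anyone
# who can read that secret can upload any package version until it is revoked.
deploy-pypi-token:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-python@v5
      with:
        python-version: "3.11"          # assumed
    - run: python -m pip install build twine && python -m build
    - run: python -m twine upload dist/*
      env:
        TWINE_USERNAME: __token__
        TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}   # assumed secret name

# After: trusted publishing. The job asks GitHub for a short-lived OIDC token
# (id-token: write); pypa/gh-action-pypi-publish exchanges it with PyPI for a
# one-time upload credential. Nothing secret is stored in the repository, and
# PyPI only accepts the token if owner/repo/workflow file (and environment, if
# set) match the trusted publisher registered on the project.
deploy-pypi-trusted:
  runs-on: ubuntu-latest
  environment: pypi          # assumed; must match the PyPI trusted-publisher config if used
  permissions:
    id-token: write          # required to mint the OIDC token
    contents: read           # checkout still needs this once permissions are set explicitly
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-python@v5
      with:
        python-version: "3.11"          # assumed
    - run: python -m pip install build && python -m build
    - uses: pypa/gh-action-pypi-publish@release/v1
      # No username/password inputs: the action authenticates with the OIDC token.
```

Once the trusted-publisher job has uploaded successfully, the `PYPI_API_TOKEN` secret and the token on PyPI can be deleted (step 3 above), which removes the standing credential entirely.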

@GenevieveBuckley
Collaborator Author

I'd say this change is good to have, but not super urgent.
Maybe we should aim to get it done in the next 1-2 releases, or the next six months?

Sorry Constantin, I know I had you make those PyPI API tokens very recently. I didn't realise this was the better way to do it!

@constantinpape
Contributor

No worries and thanks for looking into it @GenevieveBuckley. I was a bit delayed with testing the PyPI upload anyways; I want to do this together with a new patch release but still need to work on a few minor things for this. I should be able to do this early next week. I will check this issue out then.

@GenevieveBuckley
Collaborator Author

No worries. We could easily wait for this to happen in napari/napari-animation#211 (I've opened napari/napari-animation#212), and see how things go there first. There might be one or two hiccups we can learn from.

@constantinpape
Contributor

Ok! Let's wait for the PR in napari-animation and also figure out why our current deployment is not working before that, see #530.


2 participants