[task] Upgrade .github/workflows/pypi_upload.yml to use Trusted Publishing

[webknjaz]

          any reason you didn't migrate to Trusted Publishing? It can produce digital attestations out of the box now: https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/.

Originally posted by @webknjaz in #4512 (comment)

          We should move to Trusted Publishing at some point, but that's a bit more work, so we'll do it when we do it I suppose. I'd probably accept a PR that does it for us.

Originally posted by @JelleZijlstra in #4512 (comment)

The full guide is @ https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.

Example of CI/CD setup that uploads individual dists as GHA workflow artifacts in cibuildwheel (and pure-python fallback) jobs with unique artifact names, and then downloads them in the publishing job: https://github.com/aio-libs/yarl/blob/426b7ac/.github/workflows/ci-cd.yml#L112-L124 + https://github.com/aio-libs/yarl/blob/426b7ac/.github/workflows/reusable-build-wheel.yml#L93-L100 + https://github.com/aio-libs/yarl/blob/426b7ac/.github/workflows/ci-cd.yml#L553-L558.

Roughly, this is what needs to be done:

• add uploading artifacts into each job producing them
• ensure that the artifact names are unique per single workflow run
• add downloading all of them and merging contents of multiple artifacts into a single dir, into the PyPI upload job
• Change twine upload to invoking pypi-publish
• Add OIDC permission to the PyPI job
• Add an environment called pypi to the job and set up required reviewers for said environment in the repo settings
• Get somebody with the Owner-level permissions to configure trust on the PyPI side