Upgrade PyPI CI publishing to use Trusted Publishing

[lmmx]

• Background: REL/SEC: enabling trusted publishing for PyPI specutils#1323

Migrates PyPI publishing from a long-lived API token to Trusted Publishing (OIDC), motivated by recent supply chain attacks (litellm, lightning).

The publishing step uses a reusable workflow from the OpenAstronomy org, and since you can't pass OIDC tokens across orgs, the workaround (documented here) is to instead set upload_to_pypi: false and save_artifacts: true then publish the stored artifact with the pypa/gh-action-pypi action.

• Adapted from similar PR in regions repo: Upgrade PyPI CI publishing to use Trusted Publishing regions#661 which followed this example from the astropy package repo.
• 💡 I made this repo's package build step condition consistent with the one in that repo, which was more defensive
  • It means "publish all tags starting with v that don't end in .dev, if sent via push or manual dispatch"
  • The same was done for reproject in Upgrade PyPI CI publishing to use Trusted Publishing reproject#598

    if: >-
      ${{ startsWith(github.ref, 'refs/tags/v') &&
          !endsWith(github.ref, '.dev') &&
          (
            github.event_name == 'push' ||
            github.event_name == 'workflow_dispatch'
          )
      }}

The code changes here require some further (trivial) setup on the PyPI-side. Specifically, the PyPI admin (not just maintainer) needs to register the TP on PyPI at https://pypi.org/manage/project/astropy-healpix/settings/publishing/

• Owner: astropy
• Repo: astropy-healpix
• Workflow: publish.yml
• Environment: pypi

The pypi_token secret should be deleted from the repo secrets and can be invalidated on PyPI too.

(Not sure who is the PyPI admin, the maintainers are listed as @lpsinger @astrofrog)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.23%. Comparing base (b7af16c) to head (a33c61d).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #303   +/-   ##
=======================================
  Coverage   96.23%   96.23%           
=======================================
  Files           6        6           
  Lines         505      505           
=======================================
  Hits          486      486           
  Misses         19       19           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[lpsinger]

LGTM. @astrofrog, please review.