Upgrade PyPI CI publishing to use Trusted Publishing

[lmmx]

• Background: REL/SEC: enabling trusted publishing for PyPI specutils#1323

Migrates PyPI publishing from a long-lived API token to Trusted Publishing (OIDC), motivated by recent supply chain attacks (litellm, lightning).

The publishing step uses a reusable workflow from the OpenAstronomy org, and since you can't pass OIDC tokens across orgs, the workaround (documented here) is to instead set upload_to_pypi: false and save_artifacts: true then publish the stored artifact with the pypa/gh-action-pypi action.

• Adapted from similar PR in regions repo: Upgrade PyPI CI publishing to use Trusted Publishing regions#661 which followed this example from the astropy package repo.
• 💡 I made this repo's package build step condition consistent with the one in that repo, which was more defensive
  • It means "publish all tags starting with v that don't end in .dev, if sent via push or manual dispatch"
• ⚠️ note the sibling repos (regions, photutils, astropy-healpix) call this workflow publish.yml, only this one calls it ci_workflows.yml, I'd consider renaming it but have left it as-is.

    if: >-
      ${{ startsWith(github.ref, 'refs/tags/v') &&
          !endsWith(github.ref, '.dev') &&
          (
            github.event_name == 'push' ||
            github.event_name == 'workflow_dispatch'
          )
      }}

The code changes here require some further (trivial) setup on the PyPI-side. Specifically, the PyPI admin (@astrofrog) needs to register the TP on PyPI at https://pypi.org/manage/project/reproject/settings/publishing/

• Owner: astropy
• Repo: reproject
• Workflow: ci_workflows.yml
• Environment: pypi

The pypi_token secret should be deleted from the repo secrets and can be invalidated on PyPI too.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.54%. Comparing base (7d5a0d9) to head (97632b5).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #598      +/-   ##
==========================================
+ Coverage   87.49%   87.54%   +0.05%     
==========================================
  Files          49       49              
  Lines        1935     1935              
==========================================
+ Hits         1693     1694       +1     
+ Misses        242      241       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.