[CI/CD] Insecure use of Trusted Publishing in GHA

[webknjaz]

8051ec1 added OIDC privilege to the step building the package before uploading to PyPI. There's a danger of privilege escalation + impersonation through transitive build deps.

This is why my guide https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ has a clear job separation.

I recommend integrating zizmor to catch more security-related problems in GHA: https://docs.zizmor.sh/audits/#use-trusted-publishing.

Additionally, invoking setup.py directly has been deprecated for half of a decade and highly discouraged for another one: https://packaging.python.org/en/latest/discussions/setup-py-deprecated/.

Instead, use python -Im build (no args or anything extra). You can follow the PyPUG above, and it'll show you how to do the same, basically.

Optionally, you may want to follow https://packaging.python.org/en/latest/guides/modernize-setup-py-project/ too.

[webknjaz]

@squishykid did you decide to keep the vulnerable setup in?

[squishykid]

Whoops! No, I would like to fix this!

[webknjaz]

Let me know if you need a PR review or any other pointers/guidance :)