ci: switch PyPI publish workflow to Trusted Publishing

Replace the rye PYPI_TOKEN env with the pypa/gh-action-pypi-publish
action and id-token: write permissions, so the workflow uploads via
PyPI Trusted Publishing rather than a long-lived token. Other steps
in publish-pypi.yml are unchanged.

After merge, the PyPI project will need a Trusted Publisher binding
pointing at openai/openai-python and the publish-pypi.yml workflow
name. Closes #3273.

Author: adityasingh2400

.github/workflows/publish-pypi.yml

@@ -9,6 +9,9 @@ jobs:
     name: publish
     runs-on: ubuntu-latest
     environment: publish
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -19,8 +22,10 @@ jobs:
           version: '0.44.0'
           enable-cache: true
 
-      - name: Publish to PyPI
+      - name: Build distributions
         run: |
-          bash ./bin/publish-pypi
-        env:
-          PYPI_TOKEN: ${{ secrets.OPENAI_PYPI_TOKEN || secrets.PYPI_TOKEN }}
+          mkdir -p dist
+          rye build --clean
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1