workflows: trusted publishing to PyPI (#182)

This replaces the current publishing workflow with one
that doesn't require a manual API token.

It also adds codesigning via Sigstore.

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

.github/workflows/pythonpublish.yml

@@ -0,0 +1,55 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build-release:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Build distributions
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install build
+          python -m build
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@v3
+        with:
+          name: solc-select-dists
+          path: dist/
+
+  publish:
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write  # For trusted publishing + codesigning.
+      contents: write  # For attaching signing artifacts to the release.
+    needs:
+      - build-release
+    steps:
+      - name: fetch dists
+        uses: actions/download-artifact@v3
+        with:
+          name: solc-select-dists
+          path: dist/
+
+      - name: publish
+        uses: pypa/[email protected]
+
+      - name: sign
+        uses: sigstore/[email protected]
+        with:
+          inputs: ./dist/*.tar.gz ./dist/*.whl
+          release-signing-artifacts: true
+          bundle-only: true