Switch PyPI publish via GHA to 'Trusted Publishers' model

[icemac]

We are publishing to PyPI using GHA in the c-code template of meta/config.

Regarding to https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ this can be simplified and made more secure by using the 'Trusted Publishers' model.

Let's find out if we can/will adapt to that model.

[dataflake]

Keep in mind:

• the current setup does not cover source tarballs
• I think admins should still be able to publish to PyPI manually

[icemac]

See https://github.com/ultrajson/ultrajson/pull/603/files as an example PR.