Migrate to trusted publisher pypi workflow

[kyamagu]

Changes:

• Migrate to the trusted publisher workflow
• Update the artifact uploader/downloader

[HinTak]

Looks good - had to look up what the artefact changes do from https://github.com/marketplace/actions/download-a-build-artifact#download-multiple-filtered-artifacts-to-the-same-directory

[kyamagu]

@HinTak BTW, please let me know your PyPI account if you have one. I would like to invite you as a collaborator

[HinTak]

The build_doc job was missing the same actions update as the publishing job. I hope you don't mind I just adding another commit for that, to get CI going - the addition is obviously enough and you'd have added the exact same change.

[HinTak]

@kyamagu I just registered on PyPI using the same username 'HinTak' . 2FA in PyPI looks very complicated there though - github has my phone number and can SMS me, but PyPI's 2FA is something else?

[kyamagu]

@HinTak You can use a TOTP authenticator app like Google Authenticator for 2FA. I set up the TOTP also for Github.

[kyamagu]

@HinTak, Feel free to debug the new PyPI publishing workflow. Rewriting a release (remove, then create again) is acceptable for debugging the step.

[HinTak]

Usually I don't modify/re-use tags once they are public... it is a bit confusing if somebody fetches/sync's and gets them over-written, or worse, if they have a local config blocking such overwrites. It is quite frown upon to re-write git history that way. In the case, the difference is small, and changes over only two days, and irrelevant to end-users. Otherwise I'd give it a new tag like 121.1b6 from 121.0b6. (I still need to remove the old local version of the tag, and you probably need to do the same too - that's why it is considered bad practice...)

[HinTak]

@kyamagu I can't open the manage tab on the pypi side - but supposedly only 4 things are needed there, right? Repo, owner, workflow, environment? According to?
https://docs.pypi.org/trusted-publishers/adding-a-publisher/

* `sub`: `repo:kyamagu/skia-python:ref:refs/tags/v121.0b6`
* `repository`: `kyamagu/skia-python`
* `repository_owner`: `kyamagu`
* `repository_owner_id`: `1190780`
* `job_workflow_ref`: `kyamagu/skia-python/.github/workflows/ci.yml@refs/tags/v121.0b6`
* `ref`: `refs/tags/v121.0b6`

[HinTak]

@kyamagu what did you put in the github environment (optional) field on the pypi side? That apparently needs to match on github side...

[kyamagu]

@HinTak Right, I'll make a PR for that

[kyamagu]

@HinTak, I've updated your permission on PyPI. Please check

[HinTak]

@kyamagu I can see the pypi side now. Hopefully #229 should be it. I'll move the release tag when that ci finishes and try releasing again.