workflows/release: OIDC publishing

Signed-off-by: William Woodruff <william@trailofbits.com>

.github/workflows/release.yml

@@ -10,6 +10,7 @@ jobs:
     name: upload release to PyPI
     runs-on: ubuntu-latest
     permissions:
+      # Used to authenticate to PyPI via OIDC.
       # Used to sign the release's artifacts with sigstore-python.
       id-token: write
 
@@ -29,10 +30,7 @@ jobs:
       run: python -m build
 
     - name: publish
-      uses: pypa/gh-action-pypi-publish@v1.7.1
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_TOKEN }}
+      uses: pypa/gh-action-pypi-publish@release/v1
 
     - name: sign
       uses: sigstore/gh-action-sigstore-python@v1.2.1