Switch main publish workflow to trusted publishing

I'll probably discover this is broken the first time I try it, but
this at least allows removing the token from github, and invalidating
it in my account.

Author: masklinn

.github/workflows/release-main.yml

@@ -43,10 +43,8 @@ jobs:
         repository-url: https://test.pypi.org/legacy/
         skip-existing: true
         verbose: true
-        password: ${{ secrets.PUBLISH_TOKEN }}
     - name: Publish to pypi
       if: ${{ env.ENVNAME == 'pypi' }}
       uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # 1.13.0
       with:
         verbose: true
-        password: ${{ secrets.PUBLISH_TOKEN }}