ci: switch PyPI publish to Trusted Publishing (OIDC)

Drop the static MATURIN_PYPI_TOKEN env on the Publish to PyPI step so
maturin-action uses the workflow's OIDC token instead. The release
job already has `id-token: write`, which is the only requirement on
our end. PyPI must have a Trusted Publisher (or pending publisher,
for the first release) registered for this repo + workflow filename
under https://pypi.org/manage/account/publishing/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: davidsmfreire

.github/workflows/ci.yml

@@ -183,8 +183,6 @@ jobs:
       - name: Publish to PyPI
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
         uses: PyO3/maturin-action@v1
-        env:
-          MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
         with:
           command: upload
           args: --non-interactive --skip-existing wheels-*/*