Switch release workflow to PyPI trusted publishing

- Replace secret-based PyPI token with OIDC trusted publishing
- Use uv for building instead of pip/hatch dual build
- Split into build + publish jobs with artifact handoff
- Add pypi environment for deployment protection
- Update actions to v5

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: timtreis

.github/workflows/release.yaml

@@ -4,28 +4,43 @@ on:
   release:
     types: [published]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  package_and_release:
+  build:
     runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/v')
     steps:
-      - uses: actions/checkout@v3
-      - name: Set up Python 3.12
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v5
         with:
-          python-version: "3.12"
-          cache: pip
-      - name: Install build dependencies
-        run: python -m pip install --upgrade pip wheel twine build
+          filter: blob:none
+          fetch-depth: 0
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
       - name: Build package
-        run: python -m build
+        run: uv build
       - name: Check package
-        run: twine check --strict dist/*.whl
-      - name: Install hatch
-        run: pip install hatch
-      - name: Build project for distribution
-        run: hatch build
-      - name: Publish a Python distribution to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        run: uvx twine check --strict dist/*
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
         with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # for PyPI trusted publishing
+    environment:
+      name: pypi
+      url: https://pypi.org/p/spatialdata-plot
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1