use trusted publishers instead of pypi token (#442)

Author: davidzhao

.github/workflows/build-api.yml

@@ -50,17 +50,14 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
-    if: startsWith(github.ref, 'refs/tags/api-v')
+    if: startsWith(github.ref, 'refs/tags/api-v') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
     steps:
       - uses: actions/download-artifact@v4
         with:
           name: api-release
           path: dist
 
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
 
   docs:
     needs: [publish]

.github/workflows/build-protocol.yml

@@ -82,17 +82,14 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
-    if: startsWith(github.ref, 'refs/tags/protocol-v')
+    if: startsWith(github.ref, 'refs/tags/protocol-v') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
     steps:
       - uses: actions/download-artifact@v4
         with:
           name: protocol-release
           path: dist
 
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
 
   docs:
     needs: [publish]

.github/workflows/build-rtc.yml

@@ -126,7 +126,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
-    if: startsWith(github.ref, 'refs/tags/rtc-v')
+    if: startsWith(github.ref, 'refs/tags/rtc-v') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -135,9 +135,6 @@ jobs:
           merge-multiple: true
 
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
 
   docs:
     needs: [publish]