Update release action

[dopplershift]

A few changes to update the GitHub release workflow

• Swap the event from "pushing a tag" to "release publication". This restricts what events trigger it and more directly tie the generation of PyPI products to the process we follow
• Pin to the 1.8.5 version of the PyPA PyPI publication action; it's always better not to just be blindly using GitHub HEAD.
• Separate the workflow into two separate jobs: build and publish. This reduces the code that has access to the private tokens/permissions needed to publish. It also is a small (needed) step towards having a build matrix (for e.g. wheels) that then get uploaded together in one single step to PyPI.
• Use PyPI "trusted publisher" instead of an API token (see below)

The last one is a new feature just released to general availability by PyPI. Instead of using a fixed API token (which is tied to one user's account--currently mine), you configure the project on PyPI to accept publication from a particular GitHub workflow and (optionally) environment. Transparently (using the PyPA GitHub Action we're already using) GitHub and PyPI exchange the needed tokens to allow publication to PyPI. The use of an environment additionally allows some gatekeeping like wait timers, restrict certain branches for "deployment", and manual approval for "deployment", if we were so inclined.

Assuming we want to go this way, the additional items that need to take place outside the PR merger:

• Add the PyPI environment to the repo (which can have no custom configuration)
• Remove the current PyPI API token from the repo's secrets
• Delete the token from my account
• Configure the cartopy PyPI project to accept the github workflow as a trusted publisher

[greglucas]

Looks good to me. I think this is a good direction to head for releases.

[greglucas]

Do we need to add a release guide to explain what we need to do to trigger this? I assume it is "go to GitHub and publish a release" because tagging via command line and pushing a tag is not good enough here?

[dopplershift]

I mean, we can stick with "tag and push" if we want, I just looked and saw we were already using the GitHub releases feature.

[greglucas]

I'm good with this, I've been making releases through the web interface.

[greglucas]

@dopplershift, this looks good to me. Feel free to merge this when you have some time to do the other tasks you've listed as well. I don't want to merge this and be in limbo when we haven't added the other pieces necessary yet to make a release and forget to update.

[dopplershift]

All done. This workflow worked flawlessly on the most recent MetPy release.