For isolation reasons, we strongly recommend that you perform your distribution build in a separate job that your publishing job depends on. This ensures that your build environment does not have access to the short-lived credentials used for publishing.

https://docs.pyx.dev/publishing#trusted-publishing

Also relevant for #57