Add environment and permissions to release workflow

Temporarily expose auth status and then exit the release workflow -
also, make it run for all pushed to the current development branch.

.github/workflows/_local_cd_release.yml

@@ -1,9 +1,12 @@
 name: CD - Release
 
 on:
-  release:
-   types:
-     - "published"
+  # release:
+  #  types:
+  #    - "published"
+  push:
+    branches:
+      - cwa/close-180-support-pypi-trusted-publisher
 
 jobs:
   publish:

.github/workflows/cd_release.yml

@@ -91,6 +91,11 @@ on:
         required: false
         type: boolean
         default: true
+      release_environment:
+        description: "The GitHub environment to use for the release. This defaults to 'release'."
+        required: false
+        type: string
+        default: "release"
 
       # Build and release documentation
       update_docs:
@@ -157,7 +162,14 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
 
+    environment: ${{ inputs.release_environment || 'release' }}
+    permissions:
+      id-token: write
+
     steps:
+    - name: Write out auth status
+      run: gh auth status && exit 1
+
     - name: Validate inputs
       run: |
         if [[ ! "${{ inputs.python_version_build }}" =~ ^3\.([7-9]|1[0-3])(\..*)?$ ]]; then
@@ -320,16 +332,11 @@ jobs:
       if: inputs.test && inputs.publish_on_pypi && inputs.python_package
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        user: __token__
-        password: ${{ secrets.PyPI_token }}
         repository-url: https://test.pypi.org/legacy/
 
     - name: Publish package to PyPI
       if: ( ! inputs.test ) && inputs.publish_on_pypi && inputs.python_package
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.PyPI_token }}
 
   docs:
     name: Deploy release documentation