Here's my guide: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.

Doing this will allow getting rid of the long-lived API token but more importantly, it'll automatically generate digital attestations via Sigstore, that are uploaded to PyPI as well.

P.S. Make sure that the publishing job with the OIDC privilege does not do anything other than publishing and doesn't attempt to invoke build scripts (that shouldn't have OIDC access).
P.P.S. If you're curious about the ecosystem adoption of these attestations, see https://trailofbits.github.io/are-we-pep740-yet/.