Description
Trusted publishing (with attestations) means I can know for certain that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing (rather than having to manually review all of the installed files on each release).
See the Python packaging documentation, the PyPI documentation, and the official pypi-publish GitHub action documentation on trusted publishing - you'll need to configure an environment in PyPI and GitHub. You will be able to remove the `OPENCV_CONTRIB_PYTHON_PASSWORD` project secret.
Should be as simple as switching to the `pypa/gh-action-pypi-publish` action (instead of `twine upload ...`, setting `skip-existing: true`) in the "Upload wheels" steps of the `Release` jobs of all the workflows, and adding environment and permissions to those jobs.
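As an added illustration of the change described above (not the project's own workflow, which is not shown in this issue), here is a sketch of what a `Release` job looks like before and after the switch. The job name `build`, the artifact name `wheels`, the environment name `pypi`, the `dist/` path and the project URL are assumptions; the only inputs that matter for trusted publishing are `environment`, `permissions.id-token: write` and the absence of any password secret.

```yaml
# Added example: hypothetical "Release" job, not the opencv-python project's
# own workflow. Assumes an earlier job named "build" uploaded the wheels as a
# job artifact named "wheels", and that a PyPI Trusted Publisher was registered
# for this repository, workflow file and the GitHub environment named "pypi".
jobs:
  Release:
    runs-on: ubuntu-latest
    needs: [build]
    # The environment name must match the one configured on PyPI; environment
    # protection rules (required reviewers, branch restrictions) gate the
    # publish step as well.
    environment:
      name: pypi
      url: https://pypi.org/p/example-project   # placeholder project name
    permissions:
      contents: read
      id-token: write   # lets the job request the OIDC token PyPI verifies
    steps:
      - name: Download wheels
        uses: actions/download-artifact@v4
        with:
          name: wheels
          path: dist/

      # Before: a long-lived API token stored as a repository secret.
      # - name: Upload wheels
      #   run: twine upload --skip-existing dist/*
      #   env:
      #     TWINE_USERNAME: __token__
      #     TWINE_PASSWORD: ${{ secrets.OPENCV_CONTRIB_PYTHON_PASSWORD }}

      # After: no credentials in the workflow. The action exchanges the job's
      # OIDC token for a short-lived PyPI token and publishes attestations that
      # bind each file to this repository and workflow run.
      - name: Upload wheels
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          skip-existing: true
          attestations: true
```

Without `id-token: write` the action cannot obtain an OIDC token and fails before uploading; likewise, if `environment.name` differs from the name registered on PyPI, PyPI rejects the exchange, so these two fields are the first things to check when a converted job fails. Once every `Release` job publishes this way, `OPENCV_CONTRIB_PYTHON_PASSWORD` can be deleted from the repository secrets and the corresponding API token revoked on PyPI.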