This will also attach provenance / digital signatures when publishing to PyPI, making the releases verifiable.
Here's my PyPUG guide: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#defining-a-workflow-job-environment.
Since you already have a release job, you only need to set up permissions, GH Environment and replace raw twine w/ the action on the GHA side. Plus add protection to the GH Environment in the repo settings. And on the PyPI side, you'll need to set trust to the GHA workflow + GH Environment.