
fix(CI): replace pypa/gh-action-pypi-publish with inline twine upload #933

Open
yangxk1 wants to merge 1 commit into apache:main from yangxk1:fix-pypi-publish-action

Conversation

@yangxk1 yangxk1 commented Jun 9, 2026

Contributor

Reason for this PR

The pypa/gh-action-pypi-publish action is not in the Apache organization's GitHub Actions allowlist, causing the upload_test_pypi and upload_pypi jobs to fail with:

The actions pypa/gh-action-pypi-publish@release/v1 and pypa/gh-action-pypi-publish@release/2473ec6c6aa87f38946284d51289219fd0b87264 are not allowed in apache/incubator-graphar

See: https://github.com/apache/incubator-graphar/actions/runs/27183446921

What changes are included in this PR?

Replace both uses of pypa/gh-action-pypi-publish with inline shell steps that perform the same trusted publisher OIDC flow directly:

  1. Request an OIDC token from GitHub Actions (using the existing id-token: write permission)
  2. Exchange it with PyPI/TestPyPI for a short-lived API token via the _/oidc/mint-token endpoint
  3. Upload packages using twine

Additionally, ::add-mask:: is used to prevent the minted token from leaking in CI logs.

Are these changes tested?

The OIDC flow follows PyPI's official trusted publisher documentation. The workflow YAML has been validated for correct syntax. The actual upload will be tested when the workflow runs on the next push to main.

Are there any user-facing changes?

No. The publishing behavior is identical — packages are still uploaded via PyPI trusted publishing (OIDC). Only the CI implementation changes.

Checklist

  • I have performed a self-review of my own code.
  • I have formatted my own code using make cpplint before submitting when changed files are in the cpp directory.
  • I have run pre-commit before committing the changed files.
  • I have added tests to prove my changes are effective.

The pypa/gh-action-pypi-publish action is blocked by Apache org's
action allowlist policy. Replace it with inline shell steps that use
PyPI's trusted publisher OIDC flow directly: mint a short-lived API
token via the OIDC endpoint and upload with twine.

The id-token: write permission is preserved so GitHub Actions still
injects the OIDC credentials needed for the trusted publisher exchange.
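The three inline steps described in this PR (request the GitHub OIDC token, exchange it at the index's _/oidc/mint-token endpoint, mask and use the minted token with twine), written out as a shell library for such a step. This is an added example, not the PR's own workflow: PYPI_HOST, PYPI_AUDIENCE and CURL are assumed variable names, and the field extraction assumes the flat JSON objects those two endpoints return.

```bash
#!/usr/bin/env bash
# Added example, not the PR's own workflow: the trusted-publisher exchange as plain shell.
set -eu

# Defaults target TestPyPI; for PyPI set PYPI_HOST=https://pypi.org PYPI_AUDIENCE=pypi.
: "${PYPI_HOST:=https://test.pypi.org}"
: "${PYPI_AUDIENCE:=testpypi}"
# CURL may point at a stub function so the flow can be exercised without network access.
: "${CURL:=curl}"

# Pull one top-level string field out of a flat JSON object. Both endpoints used
# here answer with flat objects, so this avoids a jq dependency on the runner.
json_field() {  # json_field <field> <json>
  printf '%s' "$2" | sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Step 1: request an OIDC JWT from GitHub Actions. The two ACTIONS_ID_TOKEN_*
# variables are injected only when the job declares permissions: id-token: write.
fetch_oidc_jwt() {
  local resp
  resp=$("$CURL" -sSf -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${PYPI_AUDIENCE}")
  json_field value "$resp"
}

# Step 2: exchange the JWT for a short-lived API token at /_/oidc/mint-token.
# No -f here: a rejected claim set comes back as {"message": ..., "errors": [...]}
# with no "token" key, and that body is the most useful thing to surface.
mint_pypi_token() {  # mint_pypi_token <jwt>
  local resp token
  resp=$("$CURL" -sS -X POST -H 'Content-Type: application/json' \
    -d "{\"token\":\"$1\"}" "${PYPI_HOST}/_/oidc/mint-token")
  token=$(json_field token "$resp")
  [ -n "$token" ] || { echo "mint-token failed: $resp" >&2; return 1; }
  printf '%s' "$token"
}

# Step 3: mask the minted token before anything else can echo it, then upload.
# In the workflow step: source this file, then run `publish dist`.
publish() {  # publish <dist dir>
  local jwt token
  jwt=$(fetch_oidc_jwt)
  [ -n "$jwt" ] || { echo "no OIDC token; is id-token: write set?" >&2; return 1; }
  token=$(mint_pypi_token "$jwt")
  echo "::add-mask::${token}"
  TWINE_USERNAME=__token__ TWINE_PASSWORD="$token" \
    twine upload --repository-url "${PYPI_HOST}/legacy/" "$1"/*
}
```

The masking line must come before any command that could print the token; the workflow's id-token: write permission is what makes the two ACTIONS_ID_TOKEN_* variables available to step 1.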