sphinx-contrib/apidoc

[CI/CD] Insecure `pypi-publish` setup and other packaging problems


Here are two immediate problems I noticed:

  1. `python -m build` is invoked in a job with access to OIDC. This is an attack surface for workflow identity impersonation through transitive build deps, with possible privilege elevation on external systems.
  2. `--sdist --wheel` are passed to `pypa/build`, which makes it create both artifacts from the Git checkout. The installers actually build sdist from wheel and not from Git. These args should be dropped and `pypa/build` will exercise the same flow automatically, and this will be a good smoke test for whether anything is missing from sdist (Git -> sdist -> wheel).
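
One way to lay out a release workflow that addresses both points, as an added example that is not part of the original issue and not the repository's actual workflow file. The workflow name, trigger, job names, artifact name and the `pypi` environment name are assumptions.

```yaml
# Added example: hypothetical release workflow, not the project's own file.
name: release            # assumed workflow name
on:
  release:
    types: [published]   # assumed trigger

permissions: {}          # grant nothing by default; each job opts in

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # enough for checkout; no id-token in this job
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build
      # No --sdist/--wheel: build creates the sdist from the checkout and
      # then the wheel from that sdist (Git -> sdist -> wheel), so a file
      # missing from the sdist fails here instead of after publication.
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist     # assumed artifact name
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi    # assumed environment name
    permissions:
      id-token: write    # OIDC is requested only where no build backend
                         # or transitive build dependency executes
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The publish job runs no project code and installs no build dependencies; it only downloads the finished artifacts and uploads them.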