use-trusted-publishing: detect other PyPI uploading tools

[woodruffw]

maturin upload and uv publish both support Trusted Publishing, although detecting them is a little tricky since it (seems to be) common to run both directly, rather than via wrapper actions.

To detect these generally, we'll probably need to look at run: blocks with env: settings like:

• PyO3/maturin-action: https://github.com/PyO3/maturin-action

• uv: UV_PUBLISH_TOKEN / UV_PUBLISH_PASSWORD

• maturin: MATURIN_PYPI_TOKEN / MATURIN_PASSWORD

• pdm (pdm publish): PDM_PUBLISH_PASSWORD

• hatch (hatch publish): HATCH_INDEX_AUTH

Each of these is also a little bit subtle, since we need to avoid false positives when the publish action is to a non-PyPI/TestPyPI index. Some also take CLI options that should be detected, e.g. hatch publish takes --auth <AUTH> as another way to pass the credential.