You are a PyPI package maintainer who needs to publish your package, but you want to avoid using long-lived passwords or API tokens to be shared with external systems. You need to use a new, more secure publishing method called 'Trusted publishing'. Can you use this method to exchange short-lived identity tokens between a trusted third-party service and PyPI?