CI: Separate jobs for publishing to TestPyPI and PyPI

[weiji14]

Description of proposed changes

Have a dedicated build distribution job, and split the publish to TestPyPI and PyPI jobs, to workaround attestation file issue. Xref pypa/gh-action-pypi-publish#283

References:

• https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#separate-workflow-for-publishing-to-testpypi

Fixes #3736

Preview:

Reminders

• Run make format and make check to make sure the code follows the style guide.
• Add tests for new features or tests that would have caught the bug that you're fixing.
• Add new public functions/methods/classes to doc/api/index.rst.
• Write detailed docstrings for all functions/methods.
• If wrapping a new module, open a 'Wrap new GMT module' issue and submit reasonably-sized PRs.
• If adding new functionality, add an example to docstrings or tutorials.

Slash Commands

You can write slash commands (/command) in the first line of a comment to perform
specific operations. Supported slash command is:

• /format: automatically format and lint the code

[seisman]

Any specific reason to add the persist-credentials: false line?

[weiji14]

This was from the template at https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#checking-out-the-project-and-building-distributions, so I just added it in. The default is persist-credentials: true according to https://github.com/actions/checkout/tree/v4.2.2?tab=readme-ov-file#checkout-v4, which would mean the credentials do not persist between jobs (e.g. from the build job to the publish-to-testpypi and publish-pypi jobs and is supposed to be less secure if I'm reading actions/checkout#485 correctly. Setting to persist-credentials: false should be more secure, though unsure if it really matters.