Update publish to use ODIC token

[sathiya-nhs]

Summary

Remove items from this list if they are not relevant. Remove this line once this has been done

• Routine Change
• ❗ Breaking Change
• 🤖 Operational or Infrastructure Change
• ✨ New Feature
• ⚠️ Potential issues that might be caused by this change

Details

Add any summary information of what is in the change. Remove this line if you have nothing to add.

Pull Request Naming

Pull requests should be named using the following format:

Tag: [AEA-NNNN] - Short description

Tag can be one of:

• Fix - for a bug fix. (Patch release)
• Update - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release)
• New - implemented a new feature. (Minor release)
• Breaking - for a backwards-incompatible enhancement or feature. (Major release)
• Docs - changes to documentation only. (Patch release)
• Build - changes to build process only. (No release)
• Upgrade - for a dependency upgrade. (Patch release)
• Chore - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release)

If the current release is x.y.z then

• a patch release increases z by 1
• a minor release increases y by 1
• a major release increases x by 1

Correct tagging is necessary for our automated versioning and release process.

The description of your pull request will be used as the commit message for the merge, and also be included in the changelog. Please ensure that your title is sufficiently descriptive.

Rerunning Checks

If you need to rename your pull request, you can restart the checks by either:

• Closing and reopening the pull request
• pushing an empty commit

  git commit --allow-empty -m 'trigger build'
  git push

• Amend your last commit and force push to the branch

  git commit --amend --no-edit
  git push --force

Rerunning the checks from within the pull request will not use the updated title.

[Copilot]

Pull request overview

This PR updates the release workflow to publish to PyPI using GitHub OIDC (Trusted Publishing) instead of a stored PyPI token, and also introduces a local pre-commit hook for secret scanning via gitleaks.

Changes:

• Switch .github/workflows/cd.yml publishing to pypa/gh-action-pypi-publish with OIDC permissions.
• Add a scan-secrets gitleaks wrapper hook (scripts/githooks/scan-secrets.sh) and move pre-commit configuration to the repo root (.pre-commit-config.yaml).
• Remove the unused scripts/config/pre-commit.yaml.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File	Description
scripts/githooks/scan-secrets.sh	Adds a gitleaks wrapper intended for pre-commit usage (native or Docker).
scripts/config/pre-commit.yaml	Removes the previous pre-commit config file under scripts/config/.
.pre-commit-config.yaml	Introduces root-level pre-commit configuration for scan-secrets.
.github/workflows/cd.yml	Updates CD pipeline to publish to PyPI using OIDC trusted publishing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud