Description
Trusted publishing (with attestations) means I can know for certain that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing (rather than having to manually review all of the installed files on each release).
See the Python packaging documentation, the PyPI documentation, and the official pypi-publish GitHub action documentation on trusted publishing - you'll need to configure an environment in PyPI and GitHub. You will be able to remove the OPENCV_CONTRIB_PYTHON_PASSWORD project secret.
Should be as simple as switching to the pypa/gh-action-pypi-publish action (instead of twine upload ..., setting skip-existing: true) in the "Upload wheels" steps of the Release jobs of all the workflows, and adding environment and permissions to those jobs.
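An added example of the change described above (not the project's own workflow): the password-secret step the issue wants removed, followed by the trusted-publishing equivalent. Job name, environment name and the artifact download step are assumptions; only the step name, the secret name and the action are taken from the issue.

```yaml
# Before (assumed shape of the current step): a long-lived PyPI API token
# held as a repository secret is handed to twine for every release.
#   - name: Upload wheels
#     run: twine upload --skip-existing dist/*
#     env:
#       TWINE_USERNAME: __token__
#       TWINE_PASSWORD: ${{ secrets.OPENCV_CONTRIB_PYTHON_PASSWORD }}

# After: trusted publishing. The job requests a short-lived OIDC token from
# GitHub (permissions.id-token: write) and the action exchanges it with PyPI,
# so no static secret exists to leak or rotate.
jobs:
  release:                          # assumed job name
    runs-on: ubuntu-latest
    environment: pypi               # assumed name; must match the trusted
                                    # publisher configured on the PyPI project
    permissions:
      id-token: write               # lets the job mint the OIDC token
      contents: read                # nothing else is needed to publish
    steps:
      - uses: actions/download-artifact@v4   # assumed: wheels built earlier
        with:
          name: wheels
          path: dist/
      - name: Upload wheels
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          skip-existing: true       # keeps the current re-run behaviour
          attestations: true        # publish PEP 740 attestations alongside
                                    # the wheels so downloads can be verified
```

On the PyPI side, the trusted publisher entry must name this repository, workflow file and environment exactly, or the token exchange is rejected and the upload fails before anything is published.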