[drive-by] Insecure use of Trusted Publishing when uploading to PyPI from CI/CD #913

Description

@webknjaz

Currently, https://github.com/oauthlib/oauthlib/blob/master/.github/workflows/python-build.yml builds the dists in the same job as publishing. This gives transitive build deps OIDC privileges, which might lead to impersonation, privilege elevation, etc.

TL;DR: follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

Additionally, the `if:` clause is broken in the publishing job, as it is always true due to `}}` being in the middle of the string. The `${{ ... }}` wrapper can just be dropped.
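The two problems above, shown as an added before/after illustration that is not oauthlib's actual workflow: the "before" document assumes a condition whose `${{ ... }}` wrapper closes mid-expression, and the "after" document follows the PyPA guide's build/publish split using `actions/upload-artifact`, `actions/download-artifact` and `pypa/gh-action-pypi-publish`.

```yaml
# BEFORE (constructed illustration of the reported shape): one job both builds
# and publishes, so every build dependency runs in a job that can request the
# OIDC token. The `if:` wrapper closes after the first comparison, leaving the
# rest as literal text; a non-empty string is truthy, so the job always runs.
jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    # assumed broken condition: `}}` closes the expression early
    if: ${{ github.event_name == 'push' }} && startsWith(github.ref, 'refs/tags/')
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build  # build deps share the privileged job
      - uses: pypa/gh-action-pypi-publish@release/v1
---
# AFTER: build in an unprivileged job, hand the dists over as an artifact, and
# grant `id-token: write` only to a job that runs nothing but the publisher.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions
          path: dist/

  publish:
    needs: build
    # wrapper dropped: `if:` is already evaluated as an expression
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write  # the only job allowed to mint the Trusted Publishing token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The `environment: pypi` name must match the environment configured on the PyPI Trusted Publisher for the project, otherwise the token exchange is rejected.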
