The workflow was run with the 'attestations: true' input, but an explicit password was also set, disabling Trusted Publishing. As a result, the attestations input is ignored.

Trusted Publishers allows publishing packages to PyPI from automated environments like GitHub Actions without needing to use username/password combinations or API tokens to authenticate with PyPI. Read more: https://docs.pypi.org/trusted-publishers

A new Trusted Publisher for the currently running publishing workflow can be created by accessing the following link(s) while logged-in as an owner of the package(s):

It looks like you are trying to use an API token to authenticate in the package index and your token value does not start with "pypi-" as it typically should. This may cause an authentication error. Please verify that you have copied your token properly if such an error occurs.

Unexpected input(s) 'username', valid inputs are ['user', 'password', 'repository-url', 'repository_url', 'packages-dir', 'packages_dir', 'verify-metadata', 'verify_metadata', 'skip-existing', 'skip_existing', 'verbose', 'print-hash', 'print_hash', 'attestations']