From a4009232cdfc5098391a77f7cc76c53d9f6fe11c Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 26 Oct 2025 00:10:35 +0000
Subject: [PATCH] feat: add secure PyPI publishing workflow

Adds a GitHub Actions workflow to securely publish the Python package to PyPI using Trusted Publishing (OIDC). This workflow is triggered on new GitHub releases and handles building and publishing the package without the need for long-lived API tokens.
---
.github/workflows/publish.yml | 43 +++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..c1c054f
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,43 @@
+# .github/workflows/publish.yml
+name: Publish Python Package to PyPI
+
+on:
+ # Trigger the workflow only when a new release is published
+ release:
+ types: [published]
+
+jobs:
+ pypi-publish:
+ name: Upload release to PyPI
+ runs-on: ubuntu-latest
+
+ # Define the environment for trusted publishing
+ # This name 'pypi' MUST match what you configure on PyPI
+ environment: pypi
+
+ # Grant OIDC token permission for the job
+ permissions:
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.x"
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install build
+
+ - name: Build package
+ run: python -m build
+
+ - name: Publish package to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ # No 'user' or 'password' fields are needed here.
+ # The action automatically uses the OIDC token from the
+ # 'id-token: write' permission.
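Review bot: The build steps (`pip install build`, `python -m build`) run inside the same `pypi-publish` job that carries `id-token: write`, so any code executed by the build backend or by a dependency pulled in during the build runs with the ability to request the OIDC token PyPI trusts; the PyPA guidance is to build in a job with no special permissions, hand `dist/` over via `actions/upload-artifact`/`actions/download-artifact`, and keep `id-token: write` on a publish-only job. The three `uses:` lines reference mutable refs (`@v4`, `@v5`, `@release/v1`); pinning each to a full-length commit SHA with the tag kept in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<FULL_COMMIT_SHA>  # release/v1` (SHA is a placeholder), removes the tag-rewrite risk. Because a job-level `permissions:` block sets every unlisted scope to `none`, `contents` is `none` for this job, which presumably fails `actions/checkout` on a private repository — list `contents: read` explicitly on whichever job checks out. The `pypi` environment named on the `environment: pypi` line should additionally have deployment protection rules (required reviewers) configured in repository settings, which this file cannot express.
```yaml
jobs:
  build:
    name: Build distribution
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, setup-python, install build, python -m build …
      - name: Store distribution artifacts
        uses: actions/upload-artifact@<FULL_COMMIT_SHA>  # v4 (SHA placeholder)
        with:
          name: python-package-distributions
          path: dist/

  pypi-publish:
    name: Upload release to PyPI
    needs: build
    runs-on: ubuntu-latest
    # Must match the environment name configured on PyPI for trusted publishing
    environment: pypi
    permissions:
      id-token: write
    steps:
      - name: Download distribution artifacts
        uses: actions/download-artifact@<FULL_COMMIT_SHA>  # v4 (SHA placeholder)
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@<FULL_COMMIT_SHA>  # release/v1 (SHA placeholder)
```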