Switch to trusted publishing for PyPI

[gmr]

Summary

• Switch from API token authentication to OIDC trusted publishing for PyPI deploys
• Trigger on release published instead of tag push
• Split into separate build and publish jobs with artifact handoff

Problem

The deploy workflow used a PYPI_PASSWORD secret for authentication, which is being deprecated in favor of trusted publishing.

Solution

• Add permissions: id-token: write for OIDC
• Add environment: pypi to the publish job for trusted publisher configuration
• Separate build (with artifact upload) and publish (with artifact download) jobs
• Remove password secret reference from gh-action-pypi-publish

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@gmr has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 40 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/trusted-publishing

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}