
feat(ci): add PyPI publish workflow#14

Merged: joeVenner merged 7 commits into main from feat/pypi-publish-workflow on Apr 22, 2026

Conversation


@joeVenner joeVenner commented Apr 22, 2026

Summary

Adds an automated PyPI publish workflow using Trusted Publishing (OIDC) — no long-lived API tokens required.

How It Works

  1. Push a version tag: `git tag v0.10.0 && git push origin v0.10.0`
  2. GitHub Actions builds a wheel + sdist
  3. Authenticates to PyPI via OIDC (short-lived token)
  4. Publishes to PyPI

Setup Required (repo admin)

1. GitHub Environment

  1. Go to `https://github.com/fomyio/iotcli/settings/environments`
  2. Create environment named `pypi`
  3. Add yourself as a required reviewer (enables approval gate)

2. PyPI Trusted Publisher

  1. Go to https://pypi.org/manage/project/iotcli/settings/publishing/
    (create the project first at https://pypi.org/manage/projects/ if it doesn't exist)
  2. Add a new GitHub trusted publisher:
    • Owner: `fomyio`
    • Repository: `iotcli`
    • Workflow name: `publish.yml`
    • Environment name: `pypi`

No API token secret is needed. OIDC handles authentication automatically.

3. Tag Protection (recommended)

Create a GitHub Ruleset restricting `v*` tag creation to admins so only owners can trigger releases.

Security

  • Trusted Publishing — no secrets stored in GitHub
  • Environment approval — workflow pauses for manual approval before publishing
  • Tag protection — only admins can push version tags
  • Pinned action SHA — `pypa/gh-action-pypi-publish` pinned to a specific commit

🤖 Generated with Claude Code
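As an added example (not the PR's own `publish.yml`, which is not reproduced on this page), the shell script below writes a constructed workflow carrying the pieces the description relies on (the `v*` tag trigger, the `pypi` environment, `id-token: write`, and the pypa action pinned to the SHA quoted in this PR) and then lists every `uses:` reference that is not pinned to a full commit SHA, which is the check behind the "Pinned action SHA" bullet. The checkout and setup-python tags, the Python version, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the iotcli project's publish.yml: write a constructed
# workflow modelled on the PR description, then list every action reference
# that is not pinned to a full 40-hex commit SHA.
set -eu

# write_sample_workflow <path>
# Constructed sample: tag trigger, `pypi` environment, OIDC permission, and the
# pypa action pinned to the SHA quoted in the PR. checkout/setup-python are
# deliberately left on mutable tags so the scanner has something to report.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: Publish to PyPI
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi            # required reviewer = manual approval gate
    permissions:
      id-token: write            # lets the job mint the OIDC token for PyPI
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
EOF
}

# unpinned_uses <workflow file>
# Prints each `uses:` reference whose ref is not a 40-hex commit SHA.
# Local (./path) and docker:// references are skipped; a trailing
# "# vX.Y.Z" comment and surrounding double quotes are ignored.
unpinned_uses() {
  grep -E '^[[:space:]-]*uses:' "$1" \
    | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/^"//; s/"$//' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# unpinned_count <workflow file> -> number of unpinned references (0 = clean)
unpinned_count() {
  unpinned_uses "$1" | grep -c . || true
}

# Demo on a throwaway file; prints actions/checkout@v4 and actions/setup-python@v5.
tmp=$(mktemp)
write_sample_workflow "$tmp"
unpinned_uses "$tmp"
echo "unpinned: $(unpinned_count "$tmp")"   # unpinned: 2
rm -f "$tmp"
```

Run against a real workflow, `unpinned_count .github/workflows/publish.yml` is the number a CI gate would want to be zero; the `# v1.14.0` style comment next to a pinned SHA keeps the human-readable version without weakening the pin.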

…olicy

- Centered tagline + 6 shields (PyPI, Python, CI, Coverage, License, Privacy)
- Add "What is iotcli?" section with key principles
- Add Demo section with list/status/JSON examples
- Add Architecture overview with directory tree
- Expand AI Agent Integration with clearer MCP/skill/workflow sections
- Add PRIVACY.md: local-only data, Fernet encryption, no telemetry
- Fix duplicate device lookup line in control.py (post-merge artifact)
@github-actions github-actions Bot added enhancement New feature or request size: L < 500 lines changed documentation Improvements or additions to documentation area: cli CLI commands ci/cd CI/CD pipeline changes and removed size: L < 500 lines changed labels Apr 22, 2026

greptile-apps Bot commented Apr 22, 2026

Greptile Summary

This PR adds a GitHub Actions workflow (.github/workflows/publish.yml) to automate publishing iotcli to PyPI using OIDC Trusted Publishing — no long-lived API tokens required. The workflow triggers on v* tags, extracts the version from the tag name to patch pyproject.toml, builds a wheel + sdist, and publishes via pypa/gh-action-pypi-publish.

Key changes:

  • New publish workflow using PyPI Trusted Publishing (OIDC), scoped to a pypi GitHub Environment for manual approval gating
  • Version is now dynamically extracted from the pushed git tag via sed before building, resolving the static 0.10.0 issue raised in prior review
  • pypa/gh-action-pypi-publish is pinned to a full commit SHA (cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0) rather than a mutable branch
  • The github.actor guard and hardcoded API token path have been removed in favour of proper Trusted Publishing

Remaining concern:

  • actions/checkout@v4 and actions/setup-python@v5 are still mutable tags. In a publish workflow the checkout and Python setup steps execute code that directly affects what ends up in the published package, so they warrant the same SHA-pinning treatment as the publish action itself.

Confidence Score: 4/5

Safe to merge with one non-blocking follow-up: pin actions/checkout and actions/setup-python to full SHAs for consistency with the workflow's stated security posture.

All previously raised concerns (mutable pypa action tag, static hardcoded version, actor guard bypass, mismatched Trusted Publishing setup) have been addressed in this revision. The only remaining gap is that actions/checkout@v4 and actions/setup-python@v5 use mutable version tags rather than commit SHAs — a moderate supply-chain concern in a publish workflow, but not blocking given the environment approval gate already in place.

.github/workflows/publish.yml: actions/checkout and actions/setup-python should be pinned to full commit SHAs.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/publish.yml | Adds a PyPI Trusted Publishing workflow triggered on `v*` tags. Previous issues (mutable pypa action tag, static version, actor guard) have been resolved. Minor remaining concern: actions/checkout@v4 and actions/setup-python@v5 are still mutable tags. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Env as pypi Environment
    participant PyPI as PyPI (OIDC)

    Dev->>GH: git push tag v*
    GH->>GH: Trigger publish workflow
    GH->>Env: Request environment approval
    Env-->>GH: Approved by reviewer
    GH->>GH: actions/checkout
    GH->>GH: sed version from tag into pyproject.toml
    GH->>GH: actions/setup-python
    GH->>GH: pip install build
    GH->>GH: python -m build (wheel + sdist)
    GH->>PyPI: pypa/gh-action-pypi-publish (OIDC token exchange)
    PyPI-->>GH: Publish confirmed
```

Reviews (6): Last reviewed commit: "fix(ci): remove hardcoded actor guard — ..."
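The review summary above says the version is taken from the pushed tag with sed before the build runs. As an added example, not the PR's own workflow step, here is a shell version of that step that allow-lists the version string before it reaches sed or the file, and verifies the patched result; the function names, the `[project]` layout of the sample `pyproject.toml`, and the sample tag refs are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's own workflow step: turn the pushed tag ref into
# a package version, allow-list it, and write it into pyproject.toml.
set -eu

# version_from_ref <git ref>   e.g. refs/tags/v0.10.0 -> 0.10.0
# Accepts only v<MAJOR>.<MINOR>.<PATCH> with an optional a/b/rc suffix
# (a deliberately small subset of PEP 440); anything else is rejected before
# the value reaches sed or the file, so an odd tag name cannot smuggle sed
# syntax or an arbitrary version string into the build.
version_from_ref() {
  local ref="$1" tag version
  tag="${ref#refs/tags/}"
  version="${tag#v}"
  if [ "$version" = "$tag" ]; then
    echo "not a version tag: $ref" >&2
    return 1
  fi
  if ! printf '%s\n' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+((a|b|rc)[0-9]+)?$'; then
    echo "refusing malformed version: $version" >&2
    return 1
  fi
  printf '%s\n' "$version"
}

# patch_pyproject <pyproject.toml> <version>
# Rewrites the top-level `version = "..."` line in place and verifies that
# the file now carries exactly that version (fails otherwise).
patch_pyproject() {
  local file="$1" version="$2"
  sed -i.bak -E "s/^version = \"[^\"]*\"/version = \"$version\"/" "$file"
  rm -f "$file.bak"
  grep -Eq "^version = \"$version\"\$" "$file"
}

# release_version <git ref> <pyproject.toml>
# The combined step a workflow would run before `python -m build`; leaves the
# file untouched when the ref is not an acceptable version tag.
release_version() {
  local v
  v=$(version_from_ref "$1") || return 1
  patch_pyproject "$2" "$v"
  printf '%s\n' "$v"
}

# Demo on a constructed throwaway pyproject.toml.
tmp=$(mktemp)
printf '[project]\nname = "iotcli"\nversion = "0.0.0"\n' > "$tmp"
release_version "refs/tags/v0.10.0" "$tmp"   # 0.10.0
grep '^version' "$tmp"                        # version = "0.10.0"
rm -f "$tmp"
```

In a workflow the ref is available as `$GITHUB_REF`; the point of the allow-list plus post-check is that a malformed tag fails the job before anything is built, rather than producing a wheel with an unexpected version.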

@github-actions github-actions Bot added size: L < 500 lines changed and removed documentation Improvements or additions to documentation ci/cd CI/CD pipeline changes labels Apr 22, 2026
@joeVenner joeVenner self-assigned this Apr 22, 2026
@joeVenner
Contributor Author

@greptile review

@github-actions github-actions Bot added size: S < 50 lines changed ci/cd CI/CD pipeline changes size: L < 500 lines changed and removed size: L < 500 lines changed area: cli CLI commands labels Apr 22, 2026
@github-actions github-actions Bot removed ci/cd CI/CD pipeline changes size: L < 500 lines changed labels Apr 22, 2026
@joeVenner
Contributor Author

@greptile review

@github-actions github-actions Bot added the ci/cd CI/CD pipeline changes label Apr 22, 2026
@joeVenner
Contributor Author

@greptile review

@github-actions github-actions Bot added ci/cd CI/CD pipeline changes and removed ci/cd CI/CD pipeline changes labels Apr 22, 2026
@joeVenner
Contributor Author

@greptile review

@github-actions github-actions Bot removed the ci/cd CI/CD pipeline changes label Apr 22, 2026
@joeVenner
Contributor Author

@greptile review

@joeVenner joeVenner merged commit 8fe3fa6 into main Apr 22, 2026
6 checks passed