From 655df4bc4d0c8407748daa8b8a59c01df60d2754 Mon Sep 17 00:00:00 2001
From: Raymond Lim
Date: Fri, 29 May 2026 15:04:03 -0400
Subject: [PATCH] ci: publish to PyPI on version tags via OIDC trusted publishing

Adds a 'publish' job that triggers on v* tags, waits for tests to pass, builds the sdist + wheel, then uploads to PyPI using the pypa publish action with OIDC trusted publishing (no stored API token needed). Requires a 'pypi' GitHub Actions environment to be configured and a trusted publisher entry added at: https://pypi.org/manage/project/mussel-pathology/settings/publishing/

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8ead980e..5431a21e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,3 +38,28 @@ jobs:
 -m "not slow and not integration and not requires_tensorflow and not requires_fastattn" \
 --tb=short \
 -v
+
+ publish:
+ name: Build and publish to PyPI
+ needs: test
+ runs-on: ubuntu-latest
+ if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+
+ environment:
+ name: pypi
+ url: https://pypi.org/project/mussel-pathology/
+
+ permissions:
+ id-token: write # required for trusted publishing (OIDC)
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install uv
+ uses: astral-sh/setup-uv@v5
+
+ - name: Build distribution
+ run: uv run --with build python -m build
+
+ - name: Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
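Review bot: The `publish` job runs the build (`uv run --with build python -m build`) in the same job that holds `id-token: write`, so the build backend and whatever `uv` resolves at run time execute where a PyPI OIDC token can be minted. Splitting it into a build job without that permission and a publish job that only downloads `dist/` and uploads it keeps the token away from build-time code. The three `uses:` lines also reference movable refs (`@v4`, `@v5`, `@release/v1`); pinning each to a full commit SHA would stop a retagged or updated action from running with publishing rights. Because a job-level `permissions` block drops every unlisted scope, `actions/checkout` may need `contents: read` if the repository is private. The workflow's `on:` triggers are outside this hunk, so confirm that tag pushes actually start the workflow and that the `pypi` environment restricts deployments to `v*` tags or requires approval.

```yaml
  build:
    name: Build distribution
    needs: test
    runs-on: ubuntu-latest
    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, Install uv, Build distribution …
      - name: Store distribution
        uses: actions/upload-artifact@<full-commit-sha>  # placeholder: pin to a reviewed commit
        with:
          name: python-package-distributions  # constructed sample name
          path: dist/

  publish:
    name: Publish to PyPI
    needs: build
    runs-on: ubuntu-latest
    # … unchanged: environment …
    permissions:
      id-token: write  # required for trusted publishing (OIDC)
    steps:
      - name: Fetch distribution
        uses: actions/download-artifact@<full-commit-sha>  # placeholder: pin to a reviewed commit
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # placeholder: pin to a reviewed commit
```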