Post-2026-05-06 PyPI Trusted-Publisher OIDC is dead for our repos — PyPI
only accepts GitHub/GitLab/Google/ActiveState issuers, not Gitea. This PR:
1. Renames .github/workflows/{ci,publish}.yml -> .gitea/workflows/. (Gitea
Actions reads .gitea/ exclusively on this repo; the .github/ path was
silently dead since the migration — saved memory
reference_molecule_core_actions_gitea_only.)
2. Replaces `pypa/gh-action-pypi-publish` (which requires OIDC id-token
exchange that PyPI rejects from Gitea) with `python -m twine upload
--username __token__ --password "$PYPI_TOKEN"`. Mirrors the canonical
pattern in molecule-core/.gitea/workflows/publish-runtime.yml that has
been shipping successfully since 2026-05-11.
3. Drops `permissions: id-token: write` (no longer needed without OIDC).
4. Adds `twine check` to the build step (catches metadata regressions
before upload).
5. Adds concurrency group to serialize tag-driven publishes.
6. Updates README "Releasing" section to describe the twine+SSOT model
and link to the operator-config rotation runbook.
The PYPI_TOKEN secret is fanned out to this repo from the operator-host
SSOT by /opt/molecule-bootstrap/sync-pypi-token.sh — see operator-config
PR#48. It supersedes PR#4 (which only renamed .github -> .gitea without
fixing the OIDC issue) and unblocks the pushed v0.1.3 tag.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
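The build/check/upload sequence the PR describes, as an added shell example (not the workflow from this PR or from molecule-core/.gitea/workflows/publish-runtime.yml): it preflights the fanned-out `PYPI_TOKEN`, gates on a `vX.Y.Z` tag, runs `twine check` before upload, and hands the token to twine through `TWINE_PASSWORD` instead of `--password "$PYPI_TOKEN"`, so the secret never appears in the process argv, `ps` output, or `set -x` tracing. Assumptions: the runner exposes the pushed ref as `GITHUB_REF` (the GitHub-compatible name; the Gitea-specific variable is not assumed), `python -m build` is installed in the job, and PyPI API tokens carry the `pypi-` prefix.

```shell
#!/usr/bin/env bash
# Added example; not the project's workflow. Assumes PYPI_TOKEN is the secret
# fanned out to the repo and GITHUB_REF is the ref the runner exposes.
set -eu

# Fail before touching the network if the secret is missing or is not a PyPI
# API token (those always start with "pypi-"). A wrong secret type here is the
# most common sign that the fan-out script copied the wrong value.
check_pypi_token() {
  if [ -z "${1-}" ]; then
    echo "PYPI_TOKEN is empty; secret fan-out did not reach this repo" >&2
    return 1
  fi
  case "$1" in
    pypi-*) return 0 ;;
    *) echo "PYPI_TOKEN does not look like a PyPI API token (no pypi- prefix)" >&2
       return 1 ;;
  esac
}

# Only tag pushes shaped like refs/tags/vMAJOR.MINOR.PATCH may publish;
# branch pushes and arbitrary tags are refused.
is_release_ref() {
  case "${1-}" in
    refs/tags/v[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build, validate metadata, upload. The token goes in TWINE_PASSWORD, not on
# the command line, so it is not visible in `ps` or in shell tracing.
publish() {
  check_pypi_token "${PYPI_TOKEN-}"
  if ! is_release_ref "${GITHUB_REF-}"; then
    echo "refusing to publish: ${GITHUB_REF-<unset>} is not a vX.Y.Z tag" >&2
    return 1
  fi
  rm -rf dist
  python -m build --sdist --wheel          # requires the `build` package
  python -m twine check --strict dist/*    # metadata regressions fail here
  TWINE_USERNAME=__token__ \
  TWINE_PASSWORD="$PYPI_TOKEN" \
    python -m twine upload --non-interactive dist/*
}

# Run as a workflow step: `bash publish.sh publish`
if [ "${1-}" = "publish" ]; then
  publish
fi
```

In the workflow step, pass the secret as `PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}` under `env:` and call `bash publish.sh publish`; keeping the upload in a script rather than an inline `run:` block also makes the preflight checks testable outside the runner.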