Tag-on-push (`v0.1.0` shape) builds the sdist+wheel, smoke-imports the
console-script entry point from a fresh venv to catch packaging
regressions, then uploads to PyPI via trusted publisher OIDC — no
API token in repo secrets.
Includes a tag-vs-pyproject version-match guard: aborts the publish
if the tag doesn't match `pyproject.toml`'s `version`. Cheap defense
against the failure mode where the tag advances but pyproject doesn't,
which silently re-publishes the same wheel under a new tag.
README's "Releasing" section walks through the one-time PyPI trusted-
publisher registration the operator must do once before the first
tagged push.
After this lands and the PyPI registration is complete, the codex tab
in the External Connect modal can switch from
pip install 'git+https://github.com/Molecule-AI/codex-channel-molecule.git'
to
pip install codex-channel-molecule
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dba5970177