From a01d1d8f86a78865454bfed6d2335199adb7e858 Mon Sep 17 00:00:00 2001
From: core-devops <core-devops@agents.moleculesai.app>
Date: Sat, 16 May 2026 18:45:26 -0700
Subject: [PATCH] ci(publish-runtime): add --verbose to twine upload to surface
 PyPI 403 reason body

The Publish to PyPI step ran `twine upload` without --verbose. On an HTTP
403, twine's default output prints only the bare status ("Forbidden") and
discards PyPI Warehouse's human-readable response body, which carries the
actual rejection reason (e.g. project-scoped token mismatch, yanked-name
collision, account state). During the internal#469 0.1.1003 publish block
the missing reason body made root-cause diagnosis impossible without
performing another real upload to the live package.

Adding --verbose makes twine log the HTTP request/response metadata and
the Warehouse error body in CI. It does NOT echo the credential: the
PyPI token is passed via --password and sent only in the Basic-Auth
Authorization header, which twine's verbose output does not dump.

Minimal change: single added flag on the existing twine upload
invocation; no other steps or behavior touched.

Refs: internal#469

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/publish-runtime.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitea/workflows/publish-runtime.yml b/.gitea/workflows/publish-runtime.yml
index c96307ab..665ca6bb 100644
--- a/.gitea/workflows/publish-runtime.yml
+++ b/.gitea/workflows/publish-runtime.yml
@@ -162,6 +162,7 @@ jobs:
             exit 1
           fi
           python -m twine upload \
+            --verbose \
             --repository pypi \
             --username __token__ \
             --password "$PYPI_TOKEN" \