Switch PyPI publish workflow to Trusted Publishing

[bmdhodl]

Summary

The v1.2.3 publish succeeded, but the publish workflow emitted this warning:

The workflow was run with the attestations: true input, but an explicit password was also set, disabling Trusted Publishing. As a result, the attestations input is ignored.

Why this matters

We are already generating build provenance, but PyPI attestations are not actually being used while the workflow authenticates with PYPI_TOKEN. Moving to Trusted Publishing would reduce secret management risk and make the attestation path real instead of nominal.

Acceptance Criteria

• Configure Trusted Publishing for agentguard47 on PyPI
• Remove token-password auth from .github/workflows/publish.yml
• Enable real attestations in the publish step
• Verify the next release publishes successfully with Trusted Publishing

Reference

Publish run: 23689048521

[bmdhodl]

Confirmed again during the �1.2.4 publish run (23830974932). GitHub Actions emitted these Trusted Publishing annotations:\n\n- A new Trusted Publisher for the currently running publishing workflow can be created ...\n- The workflow was run with the 'attestations: true' input, but an explicit password was also set, disabling Trusted Publishing.\n\nSo this is still active and still directly observable on the current publish path. Switching publish.yml to Trusted Publishing would remove this release-time warning and align the attestation path with the actual auth model.

[bmdhodl]

Repo-side prep is now merged via PR #359.

What changed:

• the publish workflow now targets the GitHub environment pypi
• the pypi environment has been created in the repo
• the workflow comment now records the exact Trusted Publisher tuple PyPI needs:
  • owner: bmdhodl
  • repo: agent47
  • workflow: .github/workflows/publish.yml
  • environment: pypi

I intentionally did not remove password: ${{ secrets.PYPI_TOKEN }} yet. Current proof still shows the external PyPI-side publisher is not configured:

• latest publish run 23967091065 still says A new Trusted Publisher ... can be created
• the same run says explicit password disables Trusted Publishing
• current agentguard47 uploads on PyPI are still token-based, not Trusted Publishing uploads

Remaining blocker:
An owner of the agentguard47 project on PyPI needs to add the Trusted Publisher for that exact workflow tuple. After that, this issue can be finished by removing password, adding attestations: true, and validating the next tagged release.

[bmdhodl]

Re-triaged during the 2026-05-02 open-issues pass. Still intentionally deferred: this requires PyPI project-admin Trusted Publisher setup before the repo can safely remove token-password auth. Leaving open with deferred:phase-2; not an SDK code change.

[bmdhodl]

Repo-side Trusted Publishing work is now merged via PR #422. The publish workflow no longer uses \PYPI_TOKEN, uses the \pypi\ GitHub environment, and enables \�ttestations: true. Leaving this issue open for the remaining acceptance criterion that requires the next tag release to verify PyPI Trusted Publishing provenance and attestations after the PyPI project owner configures the trusted publisher tuple.