From 885771a37309cfc54f5e273fad8f4866da70a8a0 Mon Sep 17 00:00:00 2001
From: MultiMail <dev@multimail.dev>
Date: Sat, 27 Jun 2026 20:49:47 -0400
Subject: [PATCH] ci: tag-triggered PyPI publish via OIDC trusted publishing +
 bump 0.1.1 (GHST-860)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds .github/workflows/publish.yml — on a v* tag, builds and publishes to PyPI
using Trusted Publishing (OIDC; no stored token; id-token: write scoped to the
publish job; environment: pypi; actions SHA-pinned). Bumps version
0.1.0 -> 0.1.1 to prepare the first automated release.

Unfreezes the SDK (frozen at 0.1.0 since 2026-03-08 with no publish
automation). The actual publish is operator-gated on the one-time PyPI
trusted-publisher config + pushing the v0.1.1 tag.
---
 .github/workflows/publish.yml | 36 +++++++++++++++++++++++++++++++++++
 pyproject.toml                |  2 +-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..9442358
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,36 @@
+name: Publish to PyPI
+
+# Tag-triggered release via PyPI Trusted Publishing (OIDC) — no stored token.
+# One-time setup (maintainer, on PyPI): add a Trusted Publisher for this package
+# (owner: multimail-dev, repo: <this repo>, workflow: publish.yml, environment: pypi).
+# Cut a release: bump `version` in pyproject.toml, commit, then `git tag vX.Y.Z && git push origin vX.Y.Z`.
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+    permissions:
+      id-token: write   # OIDC token for PyPI Trusted Publishing
+      contents: read
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
+        with:
+          python-version: '3.x'
+      - name: Build distributions
+        run: |
+          python -m pip install --upgrade build
+          python -m build
+      - name: Publish to PyPI (Trusted Publishing / OIDC)
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
diff --git a/pyproject.toml b/pyproject.toml
index 5ab6897..574e14f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "multimail"
-version = "0.1.0"
+version = "0.1.1"
 description = "Python SDK for the MultiMail API — email infrastructure for AI agents"
 readme = "README.md"
 license = "MIT"