From 05b63d662d35653a0cbb63aef1edf43e8499e6a5 Mon Sep 17 00:00:00 2001
From: FBumann <117816358+FBumann@users.noreply.github.com>
Date: Tue, 24 Mar 2026 17:34:15 +0100
Subject: [PATCH] ci: decouple publish workflow from release-please workflow_call
The publish workflow now triggers only on tag push, removing the workflow_call path. This fixes the PyPI trusted publishing failure where the OIDC token claims didn't match because the workflow was called from release.yaml rather than triggered directly by the tag.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/publish.yaml | 11 ++---------
 .github/workflows/release.yaml | 17 ++++-------------
 2 files changed, 6 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index fc44659ab..4eda00b1f 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -3,11 +3,6 @@ name: Publish
 on:
 push:
 tags: ["v*"]
- workflow_call:
- inputs:
- tag:
- required: true
- type: string
 env:
 PYTHON_VERSION: "3.11"
@@ -24,7 +19,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 with:
- ref: ${{ inputs.tag || github.ref_name }}
+ ref: ${{ github.ref_name }}
 fetch-depth: 0
 - uses: astral-sh/setup-uv@v7
@@ -96,12 +91,10 @@ jobs:
 echo "Failed to verify PyPI installation"
 exit 1
 env:
- TAG: ${{ inputs.tag || github.ref_name }}
+ TAG: ${{ github.ref_name }}
 github-release:
 name: Create GitHub release
- # Only on tag push — release-please creates its own release via workflow_call
- if: github.event_name == 'push'
 needs: verify-pypi
 runs-on: ubuntu-24.04
 permissions:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c73df4988..fa645246c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
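Review bot: In publish.yaml's checkout step (second hunk), `ref: ${{ github.ref_name }}` passes the short tag name, which is ambiguous if a branch with the same name as a release tag ever exists. As far as I recall, actions/checkout resolves an unqualified ref against branches before tags, so the package could then be built from the branch head rather than the tagged commit. Passing the fully qualified ref, `ref: ${{ github.ref }}`, or dropping `ref:` so checkout uses the triggering ref, removes that ambiguity. The steps list continues outside the hunk.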
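Review bot: With the `if: github.event_name == 'push'` guard removed from `github-release` in publish.yaml (third hunk), the job now runs for every `v*` tag, including tags that release-please creates. The deleted comment says release-please creates its own GitHub release, so this job may find a release already present for the same tag. The release step itself is outside the hunk, so I can't tell whether it tolerates that. Please confirm it updates or skips an existing release, and replace the deleted comment with one describing the new state, e.g. `# Runs on every v* tag; release-please may already have created the release for this tag.`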
@@ -30,20 +30,10 @@ jobs:
 config-file: .release-please-config.json
 manifest-file: .release-please-manifest.json
- publish:
- name: Publish
- needs: release-please
- if: needs.release-please.outputs.release_created
- permissions:
- id-token: write
- contents: write
- uses: ./.github/workflows/publish.yaml
- with:
- tag: ${{ needs.release-please.outputs.tag_name }}
-
 update-citation-date:
 name: Update CITATION.cff date
- needs: publish
+ needs: release-please
+ if: needs.release-please.outputs.release_created
 runs-on: ubuntu-24.04
 steps:
 - name: Generate token for Release Bot
@@ -72,7 +62,8 @@ jobs:
 deploy-docs:
 name: Deploy documentation
- needs: [release-please, publish]
+ needs: release-please
+ if: needs.release-please.outputs.release_created
 uses: ./.github/workflows/docs.yaml
 with:
 deploy: true
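Review bot: Removing the `publish` job in release.yaml leaves the tag push as the only way publish.yaml runs, and a tag created with the default `GITHUB_TOKEN` does not start new workflow runs. The token given to the release-please step is outside this hunk. If it is the default token, `on: push: tags` will never fire for release-please releases, and nothing is published without any job failing to show it. Please confirm the step uses an App or PAT token (the 'Generate token for Release Bot' step in `update-citation-date` suggests one is available), and add a comment on the release-please job such as `# token must not be GITHUB_TOKEN: the tag push has to trigger publish.yaml`.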
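Review bot: `deploy-docs` now needs only `release-please`, so documentation is deployed as soon as the release is created, whether or not the PyPI publish has finished or succeeded; the same applies to `update-citation-date` in the previous hunk. If docs and the citation date should only reflect versions that were actually published, these jobs could move to a workflow triggered by `on: workflow_run` for the Publish workflow, gated on `github.event.workflow_run.conclusion == 'success'`. If the decoupling is intended, a one-line comment on both jobs would record it, e.g. `# Intentionally not gated on publish.yaml; runs as soon as the release is created.` The `deploy-docs` job may continue past the end of the hunk.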