From 779262d6b771ff40953aa800321192429d01c1ae Mon Sep 17 00:00:00 2001 From: dgenio Date: Sun, 8 Mar 2026 17:55:03 +0000 Subject: [PATCH 1/5] feat: add PyPI publish workflow, release docs, and project metadata (#37) - Add .github/workflows/publish.yml with Trusted Publisher (OIDC) - Add workflow_call trigger to ci.yml for reuse as publish gate - Add RELEASE.md documenting the full release process - Add [project.urls] to pyproject.toml - Add mcp and otel optional dependency groups - Rename PyPI package to weaver-kernel (Weaver ecosystem alignment) Closes #37 --- .github/workflows/ci.yml | 1 + .github/workflows/publish.yml | 34 ++++++++++++++ CHANGELOG.md | 10 +++++ README.md | 2 +- RELEASE.md | 84 +++++++++++++++++++++++++++++++++++ pyproject.toml | 10 ++++- 6 files changed, 139 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/publish.yml create mode 100644 RELEASE.md diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 27613b8..a2889bd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,6 +5,7 @@ on: branches: ["main", "copilot/**"] pull_request: branches: ["main"] + workflow_call: jobs: test: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..5ff72d3 --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,34 @@ +name: Publish to PyPI + +on: + push: + tags: ["v*"] + +jobs: + ci: + name: "CI gate" + uses: ./.github/workflows/ci.yml + + publish: + name: "Build & publish" + needs: ci + runs-on: ubuntu-latest + environment: pypi + permissions: + id-token: write # required for Trusted Publisher (OIDC) + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.12" + + - name: Install build tools + run: pip install build + + - name: Build sdist and wheel + run: python -m build + + - name: Publish to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 
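Review bot: The new `workflow_call:` trigger is added without a comment, and nothing in ci.yml tells a reader that the workflow is now on the release path or that the `branches:` filters above it do not apply when it is invoked from another workflow. I would annotate the trigger: `workflow_call:  # reused by publish.yml as the release gate; the push/pull_request branch filters above do not apply to called runs`. Note also that a called workflow runs under the GITHUB_TOKEN permissions of the job that calls it and can only narrow them, so any `permissions:` block ci.yml may declare elsewhere (not visible in this hunk) is not a floor on its own. The `on:` block and the jobs continue outside the hunk.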
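Review bot: Build and publish run in one job, so `pip install build` and `python -m build` — which execute whatever pip resolves for `build` and the project's own build backend — run in the same job that holds `id-token: write`, where any step can request the OIDC token PyPI trusts. The PyPA-recommended shape is a build job with no `id-token` that uploads `dist/` as an artifact, and a separate publishing job that only downloads it and carries the `environment` and `id-token` grant; the `pip install build` line should also be pinned to an exact version rather than left floating. The workflow also never checks that the pushed tag matches `project.version` in pyproject.toml, so a mis-tagged push publishes whatever version the file happens to carry; a one-line guard before the build, e.g. `test "v$(python -c 'import tomllib;print(tomllib.load(open("pyproject.toml","rb"))["project"]["version"])')" = "${GITHUB_REF_NAME}"`, closes that gap. The restructured jobs would look roughly like this:

```yaml
jobs:
  ci:
    name: "CI gate"
    uses: ./.github/workflows/ci.yml

  build:
    name: "Build distributions"
    needs: ci
    runs-on: ubuntu-latest
    permissions:
      contents: read  # no id-token here: build-time code must not be able to mint the PyPI OIDC token
    steps:
      # … unchanged: checkout and setup-python steps …
      - name: Check tag matches project.version
        run: test "v$(python -c 'import tomllib;print(tomllib.load(open("pyproject.toml","rb"))["project"]["version"])')" = "${GITHUB_REF_NAME}"
      - name: Install build tools
        run: pip install "build==<pinned version>"
      - name: Build sdist and wheel
        run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    name: "Publish to PyPI"
    needs: build
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write  # only this job can request the OIDC token for Trusted Publisher
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # … unchanged: publish step …
```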
diff --git a/CHANGELOG.md b/CHANGELOG.md index 8789e84..3788a9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added +- PyPI publish workflow (`.github/workflows/publish.yml`) with Trusted Publisher (OIDC) (#37). +- `RELEASE.md` documenting the full release process. +- `[project.urls]` in `pyproject.toml` (Homepage, Repository, Documentation, Changelog). +- Optional dependency groups: `mcp` and `otel` in `pyproject.toml`. + +### Changed +- Renamed PyPI package from `agent-kernel` to `weaver-kernel` to align with Weaver ecosystem. +- Added `workflow_call` trigger to CI workflow so publish workflow can reuse it as a gate. + ## [0.2.0] - 2026-03-06 ### Added diff --git a/README.md b/README.md index 7fb1600..9c5b118 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ graph LR ## Quickstart ```bash -pip install agent-kernel +pip install weaver-kernel ``` ```python diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 0000000..ce4b3dd --- /dev/null +++ b/RELEASE.md 
@@ -0,0 +1,84 @@ +# Release Process + +This document describes how to publish a new version of `weaver-kernel` to PyPI. + +## Prerequisites + +- Push access to the `dgenio/agent-kernel` repository. +- Trusted Publisher configured on PyPI for this repository + (see [Trusted Publisher setup](#trusted-publisher-setup) below). + +## Steps + +### 1. Bump the version + +Update the `version` field in `pyproject.toml`: + +```toml +[project] +version = "0.3.0" +``` + +### 2. Update the changelog + +Add a new section to `CHANGELOG.md` under `## [Unreleased]`, then rename it +to the new version with today's date: + +```markdown +## [0.3.0] - 2026-04-01 + +### Added +- ... + +### Fixed +- ... +``` + +### 3. Commit and tag + +```bash +git add pyproject.toml CHANGELOG.md +git commit -m "release: v0.3.0" +git tag v0.3.0 +git push origin main --tags +``` + +### 4. CI takes over + +Pushing the `v*` tag triggers `.github/workflows/publish.yml`, which: + +1. Runs the full CI suite (`make ci` equivalent) as a gate. +2. Builds the sdist and wheel with `python -m build`. +3. Publishes to PyPI using Trusted Publisher (OIDC — no API tokens stored). + +Monitor the workflow run at: + + +### 5. Verify + +```bash +pip install weaver-kernel==0.3.0 +``` + +## Trusted Publisher Setup + +Trusted Publisher uses OpenID Connect (OIDC) so the GitHub Actions workflow can +publish to PyPI without storing API tokens as secrets. + +To configure it (one-time setup): + +1. Go to . +2. Add a new publisher: + - **Owner**: `dgenio` + - **Repository**: `agent-kernel` + - **Workflow name**: `publish.yml` + - **Environment**: `pypi` +3. Save. The `publish.yml` workflow will now authenticate automatically. + +## Version scheme + +This project follows [Semantic Versioning](https://semver.org/): + +- **PATCH** (0.2.x): bug fixes, documentation updates. +- **MINOR** (0.x.0): new features, backward-compatible changes. +- **MAJOR** (x.0.0): breaking API changes. 
diff --git a/pyproject.toml b/pyproject.toml index ef4babe..325794b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ requires = ["hatchling"] build-backend = "hatchling.build" [project] -name = "agent-kernel" +name = "weaver-kernel" version = "0.2.0" description = "Capability-based security kernel for AI agents operating in large tool ecosystems" readme = "README.md" @@ -24,6 +24,12 @@ classifiers = [ ] dependencies = ["httpx>=0.27"] +[project.urls] +Homepage = "https://github.com/dgenio/agent-kernel" +Repository = "https://github.com/dgenio/agent-kernel" +Documentation = "https://github.com/dgenio/agent-kernel/tree/main/docs" +Changelog = "https://github.com/dgenio/agent-kernel/blob/main/CHANGELOG.md" + [project.optional-dependencies] dev = [ "pytest>=8.0", @@ -33,6 +39,8 @@ dev = [ "mypy>=1.10", "httpx>=0.27", ] +mcp = ["mcp>=1.0"] +otel = ["opentelemetry-api>=1.20"] [tool.hatch.build.targets.wheel] packages = ["src/agent_kernel"] From 168731c1caff1c3b5f9da983542d247e951400b3 Mon Sep 17 00:00:00 2001 From: dgenio Date: Mon, 9 Mar 2026 05:27:02 +0000 Subject: [PATCH 2/5] fix: add contents:read permission to publish job --- .github/workflows/publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 5ff72d3..15b79e6 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -15,6 +15,7 @@ jobs: runs-on: ubuntu-latest environment: pypi permissions: + contents: read # required for actions/checkout id-token: write # required for Trusted Publisher (OIDC) steps: - uses: actions/checkout@v4 From 7a58dcf28b2e8b756326cfb53540f605f493eb62 Mon Sep 17 00:00:00 2001 From: dgenio Date: Mon, 9 Mar 2026 05:29:02 +0000 Subject: [PATCH 3/5] docs: clarify PyPI vs import name in README Quickstart --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 9c5b118..0205b20 100644 --- a/README.md +++ b/README.md 
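Review bot: Changing `name` to `weaver-kernel` leaves the old `agent-kernel` distribution name unaddressed, while the README this series replaces told users to `pip install agent-kernel`; if that name was ever published, or was never registered, anyone can now claim it on PyPI and capture installs from stale instructions and mirrors. Either keep the `agent-kernel` project on PyPI and publish a thin stub whose only dependency is `weaver-kernel`, or at minimum record in CHANGELOG/RELEASE.md that the old name is retired and should not be installed. Whether `agent-kernel` was ever uploaded is not visible in this diff, so check PyPI before choosing. A comment above the renamed key, `# PyPI distribution name; the import package stays agent_kernel (see [tool.hatch.build.targets.wheel] below)`, would also stop the next reader from "fixing" the apparent mismatch with `packages = ["src/agent_kernel"]`.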
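Review bot: The `ci` job that calls the reusable workflow still declares no `permissions:`, so while this hunk correctly narrows the `publish` job to `contents: read` plus `id-token: write`, the CI gate runs ci.yml's jobs under the repository's default GITHUB_TOKEN grant — the caller job's `permissions` are the ceiling for a called workflow, and a called workflow can only lower them. Give the gate the same floor by adding, under `ci:` beside `uses:`, the two lines `permissions:` / `  contents: read`. If ci.yml's own jobs need more than read (not visible here), grant it there per job rather than relying on the repository default.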
@@ -41,6 +41,8 @@ graph LR pip install weaver-kernel ``` +> **Note:** The PyPI package is `weaver-kernel` (Weaver ecosystem), but the Python import remains `agent_kernel`. + ```python import asyncio, os os.environ["AGENT_KERNEL_SECRET"] = "my-secret" From ed8a8294ca084bd5b3d0b809b2acc24315235978 Mon Sep 17 00:00:00 2001 From: dgenio Date: Mon, 9 Mar 2026 05:36:19 +0000 Subject: [PATCH 4/5] fix: pin GitHub Actions to commit SHAs in publish workflow --- .github/workflows/publish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 15b79e6..09baafa 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -18,10 +18,10 @@ jobs: contents: read # required for actions/checkout id-token: write # required for Trusted Publisher (OIDC) steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.12" @@ -32,4 +32,4 @@ jobs: run: python -m build - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 From eb1ab12a141337af1938af6fef39c2e20927dfdd Mon Sep 17 00:00:00 2001 From: dgenio Date: Mon, 9 Mar 2026 05:39:46 +0000 Subject: [PATCH 5/5] docs: add tagging safety note in RELEASE.md step 3 --- RELEASE.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/RELEASE.md b/RELEASE.md index ce4b3dd..e4cbf21 100644 --- a/RELEASE.md +++ b/RELEASE.md 
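Review bot: The three SHA pins carry version comments (`# v4.3.1`, `# v5.6.0`, `# v1.13.0`) that nothing keeps honest: a later bump of one SHA without its comment, or of the comment without the SHA, desynchronises them silently, and no Dependabot or Renovate configuration for the `github-actions` ecosystem appears anywhere in this series, so the pins will simply age. Add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` so pins are bumped as reviewable PRs with the comment rewritten, and confirm each SHA resolves to the tag named beside it before merging, since that mapping cannot be verified from the diff. The one remaining unpinned input in this job, `pip install build`, is not touched by this commit.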
@@ -36,6 +36,10 @@ to the new version with today's date: ### 3. Commit and tag +> **Important:** Tag only on `main` after the release commit is merged. +> The publish workflow triggers on any `v*` tag push — tagging a non-main +> commit would publish unreleased code. + ```bash git add pyproject.toml CHANGELOG.md git commit -m "release: v0.3.0"