feat: add PyPI publish workflow, release docs, and project metadata

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
     branches: ["main", "copilot/**"]
   pull_request:
     branches: ["main"]
+  workflow_call:
 
 jobs:
   test:

.github/workflows/publish.yml

@@ -0,0 +1,35 @@
+name: Publish to PyPI
+
+on:
+  push:
+    tags: ["v*"]
+
+jobs:
+  ci:
+    name: "CI gate"
+    uses: ./.github/workflows/ci.yml
+
+  publish:
+    name: "Build & publish"
+    needs: ci
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      contents: read   # required for actions/checkout
+      id-token: write  # required for Trusted Publisher (OIDC)
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
+        with:
+          python-version: "3.12"
+
+      - name: Install build tools
+        run: pip install build
+
+      - name: Build sdist and wheel
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0

CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- PyPI publish workflow (`.github/workflows/publish.yml`) with Trusted Publisher (OIDC) (#37).
+- `RELEASE.md` documenting the full release process.
+- `[project.urls]` in `pyproject.toml` (Homepage, Repository, Documentation, Changelog).
+- Optional dependency groups: `mcp` and `otel` in `pyproject.toml`.
+
+### Changed
+- Renamed PyPI package from `agent-kernel` to `weaver-kernel` to align with Weaver ecosystem.
+- Added `workflow_call` trigger to CI workflow so publish workflow can reuse it as a gate.
+
 ## [0.2.0] - 2026-03-06
 
 ### Added

README.md

@@ -38,9 +38,11 @@ graph LR
 ## Quickstart
 
 ```bash
-pip install agent-kernel
+pip install weaver-kernel
 ```
 
+> **Note:** The PyPI package is `weaver-kernel` (Weaver ecosystem), but the Python import remains `agent_kernel`.
+
 ```python
 import asyncio, os
 os.environ["AGENT_KERNEL_SECRET"] = "my-secret"

RELEASE.md

@@ -0,0 +1,88 @@
+# Release Process
+
+This document describes how to publish a new version of `weaver-kernel` to PyPI.
+
+## Prerequisites
+
+- Push access to the `dgenio/agent-kernel` repository.
+- Trusted Publisher configured on PyPI for this repository
+  (see [Trusted Publisher setup](#trusted-publisher-setup) below).
+
+## Steps
+
+### 1. Bump the version
+
+Update the `version` field in `pyproject.toml`:
+
+```toml
+[project]
+version = "0.3.0"
+```
+
+### 2. Update the changelog
+
+Add a new section to `CHANGELOG.md` under `## [Unreleased]`, then rename it
+to the new version with today's date:
+
+```markdown
+## [0.3.0] - 2026-04-01
+
+### Added
+- ...
+
+### Fixed
+- ...
+```
+
+### 3. Commit and tag
+
+> **Important:** Tag only on `main` after the release commit is merged.
+> The publish workflow triggers on any `v*` tag push — tagging a non-main
+> commit would publish unreleased code.
+
+```bash
+git add pyproject.toml CHANGELOG.md
+git commit -m "release: v0.3.0"
+git tag v0.3.0
+git push origin main --tags
+```
+
+### 4. CI takes over
+
+Pushing the `v*` tag triggers `.github/workflows/publish.yml`, which:
+
+1. Runs the full CI suite (`make ci` equivalent) as a gate.
+2. Builds the sdist and wheel with `python -m build`.
+3. Publishes to PyPI using Trusted Publisher (OIDC — no API tokens stored).
+
+Monitor the workflow run at:
+<https://github.com/dgenio/agent-kernel/actions/workflows/publish.yml>
+
+### 5. Verify
+
+```bash
+pip install weaver-kernel==0.3.0
+```
+
+## Trusted Publisher Setup
+
+Trusted Publisher uses OpenID Connect (OIDC) so the GitHub Actions workflow can
+publish to PyPI without storing API tokens as secrets.
+
+To configure it (one-time setup):
+
+1. Go to <https://pypi.org/manage/project/weaver-kernel/settings/publishing/>.
+2. Add a new publisher:
+   - **Owner**: `dgenio`
+   - **Repository**: `agent-kernel`
+   - **Workflow name**: `publish.yml`
+   - **Environment**: `pypi`
+3. Save. The `publish.yml` workflow will now authenticate automatically.
+
+## Version scheme
+
+This project follows [Semantic Versioning](https://semver.org/):
+
+- **PATCH** (0.2.x): bug fixes, documentation updates.
+- **MINOR** (0.x.0): new features, backward-compatible changes.
+- **MAJOR** (x.0.0): breaking API changes.

pyproject.toml

@@ -3,7 +3,7 @@ requires = ["hatchling"]
 build-backend = "hatchling.build"
 
 [project]
-name = "agent-kernel"
+name = "weaver-kernel"
 version = "0.2.0"
 description = "Capability-based security kernel for AI agents operating in large tool ecosystems"
 readme = "README.md"
@@ -24,6 +24,12 @@ classifiers = [
 ]
 dependencies = ["httpx>=0.27"]
 
+[project.urls]
+Homepage = "https://github.com/dgenio/agent-kernel"
+Repository = "https://github.com/dgenio/agent-kernel"
+Documentation = "https://github.com/dgenio/agent-kernel/tree/main/docs"
+Changelog = "https://github.com/dgenio/agent-kernel/blob/main/CHANGELOG.md"
+
 [project.optional-dependencies]
 dev = [
     "pytest>=8.0",
@@ -33,6 +39,8 @@ dev = [
     "mypy>=1.10",
     "httpx>=0.27",
 ]
+mcp = ["mcp>=1.0"]
+otel = ["opentelemetry-api>=1.20"]
 
 [tool.hatch.build.targets.wheel]
 packages = ["src/agent_kernel"]