Sync release workflow with rhiza branch copilot/extend-release-to-aws-codeartifact

[Copilot]

Points dummyrepo at the rhiza branch that extends the release pipeline with AWS CodeArtifact support, to validate the publishing mechanism — specifically that Private :: Do Not Upload correctly gates PyPI publication.

Changes

• .rhiza/template.yml: ref v0.8.16 → copilot/extend-release-to-aws-codeartifact
• .github/workflows/rhiza_release.yml: Synced with upstream branch
  • Private package check now respects custom feeds: Private :: Do Not Upload only blocks when PYPI_REPOSITORY_URL is unset
  • New CodeArtifact token exchange step: auto-detects *.codeartifact.* URLs, parses domain/region/owner, fetches temp auth token via AWS CLI
  • Publish step uses dynamic user/password from CodeArtifact or falls back to __token__/PYPI_TOKEN

Publishing behavior

PYPI_REPOSITORY_URL	Private :: Do Not Upload	Publishes?
(empty)	No	✅ PyPI
(empty)	Yes	❌ Blocked
CodeArtifact URL	Yes	✅ Custom feed
Custom URL	No	✅ Custom feed

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Test functionality on rhiza branch</issue_title>
<issue_description>can you point dummyrepo at this to test publishing mechanism still works. E..g PRIVATE is not publishing?

https://github.com/Jebel-Quant/rhiza/tree/copilot/extend-release-to-aws-codeartifact

@HarryCampion </issue_description>

<agent_instructions>please verify </agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Test functionality on rhiza branch #86

---

⌨️ Start Copilot coding agent tasks without leaving your editor — available in VS Code, Visual Studio, JetBrains IDEs and Eclipse.

[markrichardson]

@HarryCampion ... does this verify what you were looking for?

[HarryCampion]

@markrichardson I think if PRIVATE:: Do Not Upload is in the pyproject.toml then it shouldn't upload at all.

[HarryCampion]

@markrichardson maybe this is a non-issue with the change that @tschm put in for private hatch builds?