GitHubSecurityLab · Copilot · Apr 23, 2026 · Apr 23, 2026 · May 12, 2026 · May 12, 2026
diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
@@ -0,0 +1,53 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install Hatch
+        run: pip install --upgrade hatch
+
+      - name: Build distribution packages
+        run: hatch build
-      - name: Install Hatch
-        run: pip install --upgrade hatch
-
-      - name: Build distribution packages
-        run: hatch build
+      - name: Install the build frontend
+        run: python -Im pip install --upgrade build
+
+      - name: Build distribution packages
+        run: python -Im build
-      - name: Install Hatch
-        run: pip install --upgrade hatch
-
-      - name: Build distribution packages
-        run: hatch build
+      - name: Install the build frontend
+        run: python -Im pip install -r build-deps.in -c build-deps.txt
+
+      - name: Build distribution packages
+        run: python -Im build
-      - name: Install Hatch
-        run: pip install --upgrade hatch
-
-      - name: Build distribution packages
-        run: hatch build
+      - name: Install the build frontend
+        run: python -Im pip install --requirement=build-deps.in --constraint=build-deps.txt
+
+      - name: Build distribution packages
+        env: 
+          PIP_CONSTRAINT: build-lock.txt
+        run: python -Im build
-      - name: Install Hatch
-        run: pip install --upgrade hatch
-
-      - name: Build distribution packages
-        run: hatch build
+      - name: Install the build frontend
+        run: python -Im pip install --upgrade build
+
+      - name: Build distribution packages
+        run: python -Im build
-      - name: Install Hatch
-        run: pip install --upgrade hatch
-
-      - name: Build distribution packages
-        run: hatch build
+      - name: Install the build frontend
+        run: python -Im pip install -r build-deps.in -c build-deps.txt
+
+      - name: Build distribution packages
+        run: python -Im build
-      - name: Install Hatch
-        run: pip install --upgrade hatch
-
-      - name: Build distribution packages
-        run: hatch build
+      - name: Install the build frontend
+        run: python -Im pip install --requirement=build-deps.in --constraint=build-deps.txt
+
+      - name: Build distribution packages
+        env: 
+          PIP_CONSTRAINT: build-lock.txt
+        run: python -Im build
+
+      - name: Upload distribution artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  publish-to-pypi:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/seclab-taskflow-agent
+    permissions:
+      id-token: write  # Required for OIDC trusted publishing
+
+    steps:
+      - name: Download distribution artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1