chore(ci): rename release.yml → publish.yml to match PyPI Trusted Publisher (#638)

PyPI's Trusted Publisher config keys trust on the workflow filename.
The repo had the workflow as `release.yml`, but the owner just
configured the PyPI trusted publisher with the canonical
`publish.yml` name (clearer — the workflow IS about publishing to
PyPI, not about "the release"). Aligning the file with PyPI's config
so OIDC uploads succeed; otherwise PyPI rejects the OIDC token from a
workflow whose filename doesn't match the trust.

Refresh:
- `name:` field `release` → `publish` so the GitHub Actions UI label
  matches the file.
- In-file one-time-setup comment now says `Workflow: publish.yml`.
- `.github/workflows/README.md` and `SECURITY.md` references updated.
- `ci.yml`'s pin-rationale comment now lists `publish.yml` instead of
  `release.yml`.

No behaviour change beyond the trust-name alignment; the workflow's
SHA-pinned actions, idempotency guard, OIDC permissions and
testpypi/pypi dispatch options are unchanged.

Co-authored-by: Martin Castro Laminrs <mcastro@laminr.ai>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

.github/workflows/README.md

@@ -13,7 +13,7 @@ GitHub Actions workflows for django-admin-react.
   checks **required** is an owner branch-protection action (#452 / #331).
 - **`codeql.yml`** — CodeQL static analysis (Python + JS/TS) on push/PR and a
   weekly schedule. This is the project's security dataflow scanner.
-- **`release.yml`** — automated PyPI publishing. Triggered when a GitHub
+- **`publish.yml`** — automated PyPI publishing. Triggered when a GitHub
   Release is **published** (a human authorises every release; the Release
   notes are the changelog entry), or manually via `workflow_dispatch` for a
   TestPyPI dry-run. Uses **PyPI Trusted Publishing (OIDC)** — no stored

.github/workflows/ci.yml

@@ -24,7 +24,7 @@
 # SECURITY POSTURE:
 #   - Least-privilege: top-level `contents: read`; no job needs write.
 #   - All third-party actions are pinned to a full commit SHA (a tag can
-#     be moved, a SHA cannot) — consistent with codeql.yml / release.yml
+#     be moved, a SHA cannot) — consistent with codeql.yml / publish.yml
 #     and the supply-chain hardening in #331.
 #   - This is a *gate*, not a publisher: it has no access to PyPI, no
 #     `id-token`, and no stored secrets.

.github/workflows/release.yml .github/workflows/publish.yml.github/workflows/release.yml renamed to .github/workflows/publish.yml

@@ -1,4 +1,4 @@
-name: release
+name: publish
 
 # Automated PyPI publishing for django-admin-react.
 #
@@ -37,7 +37,7 @@ name: release
 #      "Trusted Publisher":
 #        Owner:        MartinCastroAlvarez
 #        Repository:   django-admin-react
-#        Workflow:     release.yml
+#        Workflow:     publish.yml
 #        Environment:  pypi
 #   2. GitHub → repo Settings → Environments → create `pypi` (optionally
 #      add required reviewers so a release is approval-gated), and

SECURITY.md

@@ -182,7 +182,7 @@ Every endpoint added must include all of these tests before merging:
   (`POETRY_PYPI_TOKEN_PYPI`), never in any file in the repo. The token
   is **never** echoed or logged by `scripts/deploy.sh`.
 - Releases require a **human maintainer**. The publish is driven by the
-  `release.yml` workflow (OIDC Trusted Publishing — no stored token);
+  `publish.yml` workflow (OIDC Trusted Publishing — no stored token);
   the maintainer triggers it by publishing a GitHub Release.
 - TestPyPI may be used for verification by the maintainer with a
   separate token; same hygiene rules apply.