Use PYPI_TOKEN secret for publish workflow

Switch from OIDC trusted publishing to API token auth, and accept
SemVer tags without the v prefix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: durable-workflow-ops

.github/workflows/publish.yml

@@ -3,7 +3,7 @@ name: Publish to PyPI
 on:
   push:
     tags:
-      - 'v*'
+      - '[0-9]+.[0-9]+.[0-9]+*'
   workflow_dispatch:
     inputs:
       dry_run:
@@ -14,7 +14,6 @@ on:
 
 permissions:
   contents: read
-  id-token: write  # Required for PyPI trusted publishing
 
 jobs:
   build:
@@ -44,10 +43,7 @@ jobs:
   publish:
     needs: build
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
-    environment:
-      name: pypi
-      url: https://pypi.org/p/durable-workflow
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -57,15 +53,13 @@ jobs:
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
+          password: ${{ secrets.PYPI_TOKEN }}
           print-hash: true
 
   publish-test:
     needs: build
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch' && !inputs.dry_run
-    environment:
-      name: testpypi
-      url: https://test.pypi.org/p/durable-workflow
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -75,5 +69,6 @@ jobs:
       - name: Publish to TestPyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
+          password: ${{ secrets.TEST_PYPI_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
           print-hash: true