
fix(ci): correct malformed uv publish command in release workflows #77

Merged: BnJam merged 1 commit into main from technocore/issue-76-fix on Jun 5, 2026

Conversation

BnJam (Owner) commented Jun 5, 2026

Closes #76

Summary

Fixed the broken uv publish commands in both release.yml and tag-release.yml:

  • Removed the unused pip install maturin step before publish
  • Replaced malformed uv publish dist --token ... *.whl *.tar.gz **/*.whl **/*.tar.gz dist/* with correct uv publish dist/* --token ...

BnJam (Owner, Author) commented Jun 5, 2026

Summary

This PR fixes a malformed uv publish command in both release.yml and tag-release.yml. The original command passed a directory name (dist) alongside bare glob patterns (*.whl, **/*.tar.gz, etc.) in a way that uv publish would mishandle — the shell would expand the globs relative to the working directory rather than restricting to dist/, and the positional dist directory arg was not useful to the tool. The fix uses dist/* which shell-globs only files inside the dist/ directory. It also removes an unused pip install maturin step and stale commented-out code.

Findings

[Minor] .github/workflows/release.yml:232 — The commented-out pypi-publish fallback job block (lines 233–259) is retained after the fix. Consider removing it entirely in a follow-up to avoid confusion about which publish path is active. This is cosmetic and does not block the PR.

[Minor] .github/workflows/tag-release.yml:96 — The tag-release.yml publish step uses uv publish dist/* --token ... without the find dist -type f ... -exec mv {} dist/ \; flattening step that release.yml has at line 221. If artifacts in tag-release.yml are also nested in subdirectories, dist/* may miss some. This is pre-existing (the flatten step was added to release.yml after tag-release.yml diverged) and is not introduced by this PR. Something to be aware of.

Verdict

APPROVE — The diff is minimal, correct, and fixes a real bug in a CI command. No security or correctness concerns introduced.

BnJam (Owner, Author) commented Jun 5, 2026

Summary

Fixes two malformed uv publish commands in release.yml and tag-release.yml. The old commands appended trailing glob patterns (*.whl dist/* etc.) after the --token flag, which is incorrect syntax. The fix replaces them with the correct uv publish dist/* --token ... form. Also removes an unused pip install maturin step and cleans up commented-out code.

Findings

  • [Correctness] The old uv publish command in release.yml was:

    uv publish dist --token $TOKEN *.whl *.tar.gz **/*.whl **/*.tar.gz dist/*

    This passes dist as the path argument, then *.whl etc. as additional positional files after the --token value — likely a copy-paste or command-building artifact that would not work as intended. The replacement uv publish dist/* --token $TOKEN is the correct form.

  • [Correctness] In tag-release.yml, the same pattern uv publish dist --token $TOKEN *.whl dist/* is fixed to uv publish dist/* --token $TOKEN.

  • [Minor] The removal of the pip install maturin step is appropriate since the workflow uses uv publish, not maturin publish. Good cleanup.

  • [Minor] Dropping the old MATURIN_PYPI_TOKEN env var and commented maturin publish block reduces confusion. The token is correctly passed via --token.

No test coverage concerns — this changes only CI workflow YAML. Readability and maintainability are improved.

Verdict

APPROVE — Straightforward CI fix that corrects malformed publish commands and removes dead code. No security, correctness, or maintainability concerns.

BnJam (Owner, Author) commented Jun 5, 2026

Summary

This PR fixes malformed uv publish commands in both release workflow files. The old commands passed dist as a positional argument followed by glob patterns, which uv publish does not accept correctly. The fix replaces them with the canonical uv publish dist/* --token ... form. Dead/commented-out maturin-based publish steps are also cleaned up.

Findings

[Minor] .github/workflows/release.yml:231-238 — The indentation of the uv publish step still uses 6-space indent ( - name:) while the surrounding file may use 4-space. This is inconsistent but cosmetic and matches the existing file style. No action required.

Verdict

APPROVE — Correct, well-scoped fix that resolves the broken publish command without introducing any issues.

BnJam (Owner, Author) commented Jun 5, 2026

Summary

This PR fixes malformed uv publish commands in both release.yml and tag-release.yml. The old command incorrectly passed extra glob patterns (*.whl *.tar.gz **/*.whl **/*.tar.gz dist/*) after the positional directory argument, which uv publish does not accept. It also removes an unused pip install maturin step and cleans up dead commented-out code.

Findings

[Minor] .github/workflows/release.yml:234-238 — Good hygiene: removing the unused pip install maturin step and dead commented-out code. No issues.

[Minor] .github/workflows/release.yml:239, .github/workflows/release.yml:231 — The corrected command uv publish dist/* --token ... is the proper syntax. uv publish expects a glob/directory path, not ad-hoc positional globs. No issues.

[Minor] .github/workflows/tag-release.yml:96 — Same fix applied consistently. No issues.

Verdict

APPROVE — Straightforward, correct fix for a broken CI publish command. No security concerns.

BnJam (Owner, Author) commented Jun 5, 2026

technocore review via pipeline code-review:

Phase 1 — Security Gate

Reviewed the diff for malicious patterns:

Pattern                          Present?
Credential/secret exfiltration   No
Backdoors / reverse shells       No
Supply chain attacks             No
CI/CD tampering (malicious)      No
Obfuscated code                  No

The ${{ secrets.MATURIN_PYPI_TOKEN }} is a standard GitHub Actions expression used for its intended purpose. No exfiltration, no shell injection, no encoded payloads.

Security verdict: CLEAN — proceeding to code review.


Phase 2 — Code Review

Summary: This PR fixes malformed uv publish commands in both release.yml and tag-release.yml. The old commands mixed shell globs (*.whl, *.tar.gz, **/*.whl) from the repo root alongside a dist directory argument, which wouldn't expand correctly. The fix simplifies to uv publish dist/* --token ..., which shell-expands to all distribution files directly inside dist/. Dead code (commented-out maturin publish block, unused pip install maturin step) is also removed. The changes are correct and minimal.

Findings:

[Minor] .github/workflows/tag-release.yml:85 — The Find and Move Wheels to root step only moves .whl files, not .tar.gz. Since the tag-release.yml builds do not pass --sdist, this is currently harmless. However, if --sdist is ever added to builds in the tag-release workflow, source distributions would not be moved to dist/ root and the new dist/* glob would miss them. This is a pre-existing limitation, not introduced by this PR, but worth noting for future maintenance.

No correctness, security, or maintainability issues introduced by this PR. The diff is clean and focused.

Verdict: APPROVE — The change correctly resolves the malformed command described in #76, and simplifies the workflow without introducing regressions.

BnJam (Owner, Author) commented Jun 5, 2026

Summary

This PR fixes malformed uv publish commands in both release.yml and tag-release.yml by removing incorrect positional glob arguments and replacing them with the proper dist/* file pattern syntax. It also removes an unused pip install maturin step that was left over from an earlier workflow iteration.

Findings

[Severity: Minor] .github/workflows/release.yml:232, .github/workflows/tag-release.yml:96 — The dist/* shell glob could fail to match any files if the artifact flattening step above it (e.g. line 221) does not produce any artifacts. In practice this is unlikely because the preceding build steps always produce wheels/sdists, but consider wrapping the pattern with ls dist/ or checking existence in a prior step if flakiness is observed. This is pre-existing behavior, not introduced by this patch.

All other aspects of the diff are correct:

  • Removing pip install maturin is appropriate since uv publish does not require maturin.
  • astral-sh/setup-uv@v3 (line 223–224) provides uv, so the uv publish command will be available.
  • The secret reference ${{ secrets.MATURIN_PYPI_TOKEN }} is used correctly via GitHub's expression syntax — no hardcoded tokens.
  • The removal of commented-out maturin publish code is a welcome cleanup.

Verdict

APPROVE — The PR is a simple, correct fix that addresses the broken CI commands described in #76 with no security concerns or logic errors.
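As an added example that is not part of PR #77 or the project's workflows, the following POSIX shell script makes concrete the two points the reviews above keep returning to: what the shell actually hands a command when bare patterns such as **/*.whl are expanded from the working directory (patterns that match nothing survive as literal strings, so the old form could pass the text "**/*.whl" to uv as a file path), and a pre-publish guard for the case the last finding raises, where dist/* matches nothing. The function names (expand_in, stage_dist, collect_dist_artifacts) and the artifact layout are hypothetical and constructed here; in a real step the guard would be followed by uv publish dist/* --token "$TOKEN".

```shell
#!/bin/sh
# Added example, not code from PR #77 or the project's release workflows.
# Function names and the artifact layout below are hypothetical/constructed.

# Print the argument vector a shell would hand to a command after expanding
# each pattern inside DIR. Patterns that match nothing are passed through as
# literal strings, which is what happened with the old
# 'uv publish dist --token ... *.whl **/*.whl ...' form.
expand_in() {
  dir="$1"; shift
  ( cd "$dir" && for pat in "$@"; do
      # $pat is deliberately unquoted so pathname expansion applies to it.
      for word in $pat; do printf '%s\n' "$word"; done
    done )
}

# Constructed layout: a wheel nested one level below dist/ (as a multi-target
# build job can produce), an sdist at the top of dist/, and a stray wheel in
# the working directory that root-relative globs would have picked up.
stage_dist() {
  mkdir -p "$1/dist/linux"
  : > "$1/dist/linux/example-0.1.0-py3-none-any.whl"
  : > "$1/dist/example-0.1.0.tar.gz"
  : > "$1/stray-0.0.1-py3-none-any.whl"
}

# Pre-publish step: flatten nested artifacts into dist/ (the role of the
# 'find dist -type f -exec mv' step mentioned for release.yml), remove the
# emptied subdirectories so 'dist/*' expands to files only, and refuse to
# continue when no wheel or sdist is present (otherwise 'dist/*' would stay
# literal and uv would receive the string 'dist/*'). Prints the artifact
# count on success, returns 1 on failure. -mindepth is a GNU/BSD find option.
collect_dist_artifacts() {
  dist="$1/dist"
  [ -d "$dist" ] || { echo "error: $dist does not exist" >&2; return 1; }
  find "$dist" -mindepth 2 -type f -exec mv {} "$dist"/ \;
  find "$dist" -mindepth 1 -depth -type d -exec rmdir {} + 2>/dev/null || true
  n=0
  for f in "$dist"/*.whl "$dist"/*.tar.gz; do
    [ -f "$f" ] && n=$((n + 1))
  done
  [ "$n" -gt 0 ] || { echo "error: no wheels or sdists in $dist" >&2; return 1; }
  echo "$n"
}

# Demo: contrast the two argument vectors on the constructed layout, then run
# the guard. A real workflow step would continue with:
#   uv publish dist/* --token "$TOKEN"
work=$(mktemp -d)
stage_dist "$work"
echo "old form expands to:"
expand_in "$work" dist '*.whl' '*.tar.gz' '**/*.whl' '**/*.tar.gz' 'dist/*'
echo "artifacts after flattening: $(collect_dist_artifacts "$work")"
echo "corrected 'dist/*' expands to:"
expand_in "$work" 'dist/*'
rm -rf "$work"
```

Running the script shows the old form emitting both the stray wheel from the working directory and the literal "**/*.whl", while the corrected dist/* form yields exactly the two flattened artifacts. The guard function is the part worth lifting into a workflow: run it as its own step before the publish step so an empty or unflattened dist/ fails the job with a clear message rather than handing uv a pattern that never expanded.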

BnJam (Owner, Author) commented Jun 5, 2026

Summary

Fixes two malformed uv publish commands in release workflows where literal globs (*.whl, **/*.tar.gz, etc.) were being passed as positional arguments after --token. The old command would have failed because uv publish interprets those globs as path arguments while also receiving dist — muddying the intent. The fix uses dist/* (shell-expanded) which is the correct way to publish all artifacts from the dist directory.

Findings

[Minor] .github/workflows/release.yml:231 — The pip install maturin step was correctly removed since uv publish does not need Maturin installed. Good cleanup of dead commented-out code as well.

[Minor] .github/workflows/release.yml:234 / .github/workflows/tag-release.yml:96 — Both commands are corrected from the broken multi-glob form to uv publish dist/* --token .... This is the correct invocation.

No correctness, security, or maintainability issues.

Verdict

APPROVE — Straightforward fix for a broken CI command. Corrects both release workflows to use the proper uv publish syntax and cleans up stale dead-code comments.

@BnJam BnJam merged commit 8841a10 into main Jun 5, 2026
5 checks passed
@BnJam BnJam deleted the technocore/issue-76-fix branch June 5, 2026 03:26
BnJam (Owner, Author) commented Jun 5, 2026

technocore review via pipeline code-review:

Merged PR #77.


Linked issue (closed by this PR): fix: broken uv publish command in release workflow