docs: record publish workflow smoke-test outcome (WP-0005 T02)

Document workflow_dispatch run #17: build passes with .build-venv; twine
upload 401 indicates PACKAGE_USER/PACKAGE_TOKEN secrets need verification.

docs/PACKAGE_RELEASE.md

@@ -70,6 +70,12 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
 The publish workflow fails at the upload step when either secret is missing or
 invalid. Do not commit tokens to the repository.
 
+**Smoke-test result (2026-06-16):** `workflow_dispatch` run #17 built and passed
+`twine check`; upload returned `401 Unauthorized`. That indicates
+`PACKAGE_USER` / `PACKAGE_TOKEN` repo secrets need verification (token must
+include `write:package`, username must match the token owner). Build step uses
+`.build-venv` and is PEP 668 safe on haskelseed.
+
 Verify secrets without cutting a release:
 
 1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`),