From 9d2bab9a384bb7f4f144a33a4c50cd241244375d Mon Sep 17 00:00:00 2001
From: tegwick
Date: Tue, 16 Jun 2026 07:15:57 +0200
Subject: [PATCH] fix: use build venv in Gitea publish workflow (PEP 668) Haskelseed runner blocks system-wide pip installs. Create an isolated .build-venv for build/twine and document workflow_dispatch API path.
---
 .gitea/workflows/publish-python-package.yml | 12 ++++++------
 docs/PACKAGE_RELEASE.md | 7 ++++++-
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/.gitea/workflows/publish-python-package.yml b/.gitea/workflows/publish-python-package.yml
index f53dbd2..54988c9 100644
--- a/.gitea/workflows/publish-python-package.yml
+++ b/.gitea/workflows/publish-python-package.yml
@@ -26,11 +26,11 @@ jobs:
 TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
 run: |
 cd repo
- python3 -m ensurepip --upgrade 2>/dev/null || \
- curl -sS https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py && python3 /tmp/get-pip.py
- python3 -m pip install --upgrade pip build twine
- python3 -m build
- python3 -m twine check dist/*
- python3 -m twine upload \
+ python3 -m venv .build-venv
+ . .build-venv/bin/activate
+ python -m pip install --upgrade pip build twine
+ python -m build
+ python -m twine check dist/*
+ python -m twine upload \
 --repository-url https://gitea.coulomb.social/api/packages/coulomb/pypi \
 dist/*
diff --git a/docs/PACKAGE_RELEASE.md b/docs/PACKAGE_RELEASE.md
index 094de82..b036152 100644
--- a/docs/PACKAGE_RELEASE.md
+++ b/docs/PACKAGE_RELEASE.md
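Review bot: In the `publish-python-package.yml` hunk, `python -m pip install --upgrade pip build twine` pulls whatever versions are latest at run time into the same step that has `TWINE_PASSWORD` (the `PACKAGE_TOKEN` secret) in its environment, so a bad release of any of those tools, or of the project's build backend run by `python -m build`, would execute with the publish token readable. The venv fixes the PEP 668 failure but not this: pin the tools with hashes, e.g. `python -m pip install --require-hashes -r build-requirements.txt` (the file name is a placeholder), and move `python -m build` and `twine check` into a step without the secret so that only the `twine upload` step receives it. The venv is also created inside `repo`, the tree being packaged; creating it outside the checkout would rule out it being picked up by the build or left behind in a reused runner workspace, neither of which I can confirm from the hunk. The step's `env:` block and the start of the `run:` script's step lie above the hunk.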
@@ -72,10 +72,15 @@ invalid. Do not commit tokens to the repository. Verify secrets without cutting a release: -1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`) +1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`), + or dispatch via API: + `POST /api/v1/repos/coulomb/kaizen-agentic/actions/workflows/publish-python-package.yml/dispatches` + with body `{"ref":"main"}` 2. Confirm the run completes and `twine upload` succeeds 3. Optional: `pip install kaizen-agentic== --extra-index-url ...` +The publish job uses an isolated `.build-venv` on the runner (PEP 668 safe). + ## Pre-tag release checklist Before `git tag vX.Y.Z && git push origin vX.Y.Z`: