fix: use build venv in Gitea publish workflow (PEP 668)

Haskelseed runner blocks system-wide pip installs. Create an isolated
.build-venv for build/twine and document workflow_dispatch API path.

.gitea/workflows/publish-python-package.yml

@@ -26,11 +26,11 @@ jobs:
           TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
         run: |
           cd repo
-          python3 -m ensurepip --upgrade 2>/dev/null || \
-            curl -sS https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py && python3 /tmp/get-pip.py
-          python3 -m pip install --upgrade pip build twine
-          python3 -m build
-          python3 -m twine check dist/*
-          python3 -m twine upload \
+          python3 -m venv .build-venv
+          . .build-venv/bin/activate
+          python -m pip install --upgrade pip build twine
+          python -m build
+          python -m twine check dist/*
+          python -m twine upload \
             --repository-url https://gitea.coulomb.social/api/packages/coulomb/pypi \
             dist/*

docs/PACKAGE_RELEASE.md

@@ -72,10 +72,15 @@ invalid. Do not commit tokens to the repository.
 
 Verify secrets without cutting a release:
 
-1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`)
+1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`),
+   or dispatch via API:
+   `POST /api/v1/repos/coulomb/kaizen-agentic/actions/workflows/publish-python-package.yml/dispatches`
+   with body `{"ref":"main"}`
 2. Confirm the run completes and `twine upload` succeeds
 3. Optional: `pip install kaizen-agentic==<version> --extra-index-url ...`
 
+The publish job uses an isolated `.build-venv` on the runner (PEP 668 safe).
+
 ## Pre-tag release checklist
 
 Before `git tag vX.Y.Z && git push origin vX.Y.Z`: