# Python Package Release

`kaizen-agentic` publishes as the `kaizen-agentic` Python package on the Coulomb
Gitea PyPI registry. Public [pypi.org](https://pypi.org/) distribution is optional
and not required for ecosystem use.

## Install (consumers)

Dependencies such as `pyyaml` resolve from public PyPI. Use Gitea as an extra index:

```bash
export GITEA_PACKAGE_USER=<gitea-user>
export GITEA_PACKAGE_TOKEN=<package-token>

pip install kaizen-agentic \
  --extra-index-url "https://${GITEA_PACKAGE_USER}:${GITEA_PACKAGE_TOKEN}@gitea.coulomb.social/api/packages/coulomb/pypi/simple/"
```

Global CLI via pipx:

```bash
pipx install kaizen-agentic \
  --pip-args="--extra-index-url https://${GITEA_PACKAGE_USER}:${GITEA_PACKAGE_TOKEN}@gitea.coulomb.social/api/packages/coulomb/pypi/simple/"
```

Do not commit tokenized index URLs. Inject credentials via environment variables or
CI secrets.

## Local Release

Build and validate artifacts:

```bash
make package-check
```

Publish to the Coulomb organization registry:

```bash
TWINE_USERNAME=<gitea-user> \
TWINE_PASSWORD=<package-token> \
make publish-gitea
```

Package upload endpoint:

```text
https://gitea.coulomb.social/api/packages/coulomb/pypi
```

Consumer simple index:

```text
https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/
```

## Gitea repository secrets (one-time)

Configure in Gitea: **Repository → Settings → Actions → Secrets**.

| Secret | Value |
|--------|-------|
| `GITEA_PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) |
| `GITEA_PACKAGE_TOKEN` | Gitea API token with `write:package` scope |

The publish workflow fails at the upload step when either secret is missing or
invalid. Do not commit tokens to the repository.

Verify secrets without cutting a release:

1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`)
2. Confirm the run completes and `twine upload` succeeds
3. Optional: `pip install kaizen-agentic==<version> --extra-index-url ...`

## Pre-tag release checklist

Before `git tag vX.Y.Z && git push origin vX.Y.Z`:

- [ ] `make release-check` passes (tests, flake8, version consistency, agent parity)
- [ ] `make package-check` builds and validates `dist/*`
- [ ] `CHANGELOG.md` has a dated `[X.Y.Z]` section matching `pyproject.toml`
- [ ] `GITEA_PACKAGE_USER` and `GITEA_PACKAGE_TOKEN` secrets are set
- [ ] Publish workflow smoke-tested via `workflow_dispatch` (or prior tag release)
- [ ] `make agents-sync-package` run if `agents/` changed since last release

## Gitea Actions Release

The `.gitea/workflows/publish-python-package.yml` workflow publishes on tags
matching `v*`.

Example:

```bash
git tag v1.2.0
git push origin v1.2.0
```

## Public PyPI (optional)

When pypi.org credentials are configured (`~/.pypirc` or `TWINE_PASSWORD` API
token with `TWINE_USERNAME=__token__`):

```bash
make release-publish
python -m twine upload dist/*
```