ci: 🐛 publishing and building need to be split (#91)

# Description

PyPI Trusted Publishing doesn't yet support reusable workflows. So this
splits out the publishing step to this repo and workflow.

No review needed.

Author: lwjohnst86

.github/sync.yml

@@ -31,8 +31,8 @@ group:
         dest: .github/workflows/build-package.yml
       - source: .github/workflows/build-website.yml
         dest: .github/workflows/build-website.yml
-      - source: .github/workflows/update-version.yml
-        dest: .github/workflows/update-version.yml
+      - source: .github/workflows/release-package.yml
+        dest: .github/workflows/release-package.yml
       - source: .github/workflows/scorecards.yml
         dest: .github/workflows/scorecards.yml
       - source: .github/_project-dependabot.yml

.github/workflows/release-package.yml

@@ -0,0 +1,42 @@
+name: Release package
+
+on:
+  push:
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  release-package:
+    # Only give permissions for this job.
+    permissions:
+      contents: write
+    uses: seedcase-project/.github/.github/workflows/reusable-release-package.yml@main
+    with:
+      app-id: ${{ vars.UPDATE_VERSION_APP_ID }}
+    secrets:
+      update-version-gh-token: ${{ secrets.UPDATE_VERSION_TOKEN }}
+
+  pypi-publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    # Only give permissions for this job.
+    permissions:
+      # IMPORTANT: mandatory for trusted publishing.
+      id-token: write
+    environment:
+      name: pypi
+    needs:
+      - release-package
+    steps:
+      - name: Download built distributions
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: release-dists
+          path: dist/
+
+      - name: Publish 📦 to PyPI
+        # Only publish if the option is explicitly set in the calling workflow.
+        run: uv publish --trusted-publishing always