Add GitHub Actions workflows for PyPI publishing

- Add trusted publisher workflow for PyPI releases
- Add test workflow for TestPyPI
- Add publishing documentation

Author: mkbabb

.github/PUBLISHING.md

@@ -0,0 +1,69 @@
+# Publishing Setup
+
+This project uses GitHub Actions with PyPI's trusted publishers for secure, automated publishing.
+
+## Setup Instructions
+
+### 1. Configure PyPI Trusted Publisher
+
+Go to https://pypi.org/manage/project/googleapiutils2/settings/publishing/ and add a new GitHub publisher:
+
+- **Owner**: mkbabb (or your GitHub username/org)
+- **Repository name**: googleapiutils2
+- **Workflow name**: publish.yml
+- **Environment name**: release (recommended for security)
+
+### 2. Configure TestPyPI Trusted Publisher (Optional)
+
+For testing, configure the same on https://test.pypi.org/:
+
+- **Owner**: mkbabb
+- **Repository name**: googleapiutils2
+- **Workflow name**: test-publish.yml
+- **Environment name**: (leave empty for test)
+
+### 3. Create GitHub Environment (Recommended)
+
+In your GitHub repository settings:
+
+1. Go to Settings → Environments
+2. Create a new environment called "release"
+3. Add protection rules:
+   - Required reviewers (optional)
+   - Restrict deployment branches to main/master
+
+## Usage
+
+### Automatic Publishing
+
+1. Create a new release on GitHub
+2. The workflow will automatically:
+   - Build the package with UV
+   - Publish to PyPI using trusted publishing
+
+### Manual Publishing
+
+Run the workflow manually from Actions tab → Publish to PyPI → Run workflow
+
+### Test Publishing
+
+Every push to master/main automatically publishes to TestPyPI for testing.
+
+## Local Publishing (Emergency Only)
+
+If GitHub Actions fails, you can publish locally:
+
+```bash
+# Build
+uv build
+
+# Publish with API token
+uv publish --token <your-token>
+```
+
+## Benefits of Trusted Publishing
+
+- No API tokens stored in GitHub secrets
+- Automatic OIDC authentication
+- More secure than password/token auth
+- Audit trail in both GitHub and PyPI

.github/workflows/publish.yml

@@ -0,0 +1,33 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write  # Required for trusted publishing
+    
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+    
+    - name: Install uv
+      uses: astral-sh/setup-uv@v3
+      with:
+        enable-cache: true
+    
+    - name: Build package
+      run: uv build
+    
+    - name: Publish to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/test-publish.yml

@@ -0,0 +1,43 @@
+name: Test Publish to TestPyPI
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
+  workflow_dispatch:
+
+jobs:
+  test-publish:
+    name: Test Publish to TestPyPI
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for trusted publishing
+    
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+    
+    - name: Install uv
+      uses: astral-sh/setup-uv@v3
+      with:
+        enable-cache: true
+    
+    - name: Install dependencies
+      run: uv sync
+    
+    - name: Run tests
+      run: uv run pytest
+      continue-on-error: true  # Don't fail if no tests
+    
+    - name: Build package
+      run: uv build
+    
+    - name: Publish to TestPyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/