fix(ci): inline pypi publish jobs to satisfy trusted publishing

PyPI Trusted Publishing does not support reusable workflows — the
publish step must run directly in the calling workflow so the OIDC
token's job_workflow_ref matches the trusted publisher config.

Removed the reusable pypi-publish.yml and inlined its two jobs
(publish-test, publish-pypi) directly into publish.yml. Updated
notify-discord to depend on publish-pypi instead of the former
reusable publish job.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: LittleCoinCoin

.github/workflows/publish.yml

@@ -96,21 +96,83 @@ jobs:
           });
           EOF
 
-  publish:
-    name: Publish released package
+  publish-test:
+    name: Test released package
     needs: release
     if: ${{ needs.release.outputs.published == 'true' }}
-    uses: ./.github/workflows/pypi-publish.yml
-    with:
-      tag: ${{ needs.release.outputs.tag }}
-    secrets: inherit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ needs.release.outputs.tag }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install Python dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .
+
+      - name: Run import test
+        run: |
+          python -c "import hatch; print('Hatch package imports successfully')"
+
+  publish-pypi:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    needs: [release, publish-test]
+    if: ${{ needs.release.outputs.published == 'true' }}
+    outputs:
+      tag: ${{ steps.published_tag.outputs.tag }}
+    environment:
+      name: pypi
+      url: https://pypi.org/project/hatch-xclam/
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ needs.release.outputs.tag }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install Python dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build
+
+      - name: Build Python Package
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          print-hash: true
+          verbose: true
+          skip-existing: true
+
+      - name: Record published tag
+        id: published_tag
+        run: |
+          echo "tag=${{ needs.release.outputs.tag }}" >> "$GITHUB_OUTPUT"
 
   notify-discord:
     name: Notify Discord
     needs:
       - release
-      - publish
-    if: ${{ needs.release.outputs.published == 'true' && needs.publish.result == 'success' }}
+      - publish-pypi
+    if: ${{ needs.release.outputs.published == 'true' && needs.publish-pypi.result == 'success' }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -119,7 +181,7 @@ jobs:
         id: release
         uses: actions/github-script@v8
         env:
-          TAG_NAME: ${{ needs.publish.outputs.tag }}
+          TAG_NAME: ${{ needs.publish-pypi.outputs.tag }}
         with:
           script: |
             const { data: release } = await github.rest.repos.getReleaseByTag({