feat: add PyPI publishing via maturin (pip install aish-cli) #195

Draft
jexShain wants to merge 1 commit into AI-Shell-Team:rust from jexShain:rust-dev

Conversation

@jexShain (Collaborator) commented May 19, 2026

Summary

  • Add pyproject.toml with maturin bin bindings configuration for packaging the aish binary as a Python wheel
  • Add .github/workflows/pypi.yml for automated wheel building and PyPI publishing on tag push
  • Supports Linux x86_64 and aarch64 manylinux wheels

Test plan

  • Verify wheel builds locally: pip install maturin && maturin build --release
  • Manually trigger workflow via workflow_dispatch to test build (publish to TestPyPI)
  • End-to-end: pip install -i https://test.pypi.org/simple/ aish-cli && aish --help

Summary by CodeRabbit

  • Chores
    • Implemented automated Python package publishing pipeline supporting both production and test PyPI environments with manual control options.
    • Established project configuration including package metadata, build system, and distribution settings.

Package the aish binary as a Python wheel using maturin with bin bindings,
enabling distribution through PyPI. Linux x86_64 and aarch64 wheels are
built via CI on tag push.

coderabbitai Bot commented May 19, 2026

📝 Walkthrough

This PR establishes the foundational infrastructure for publishing the aish-cli Python package to PyPI. It adds a Maturin-based build configuration that declares project metadata and Rust crate integration, paired with a GitHub Actions workflow that automatically builds multi-architecture wheels on version tags and publishes them to either PyPI or TestPyPI.

Changes

Python Package Publishing

| Layer / File(s) | Summary |
| --- | --- |
| Build system configuration (pyproject.toml) | Maturin build backend declaration with project metadata (name, description, license, authors, Python requirement ≥3.7, classifiers), and tool configuration pointing to crates/aish-cli/Cargo.toml with binary bindings and stripping enabled. |
| PyPI publishing workflow (.github/workflows/pypi.yml) | GitHub Actions pipeline triggered on version tags or manual dispatch, with matrix build job for x86_64 and aarch64 targets using PyO3/maturin-action, and conditional publish job routing to TestPyPI (with manual toggle) or PyPI using repository secrets. |

Sequence Diagram

sequenceDiagram
  participant User
  participant GitHub as GitHub Actions
  participant BuildJob as build-wheels Job
  participant PublishJob as publish-pypi Job
  participant PyPI
  participant TestPyPI
  User->>GitHub: Tag push v* or manual dispatch
  GitHub->>BuildJob: Trigger matrix build (x86_64, aarch64)
  BuildJob->>BuildJob: Build wheels via Maturin
  BuildJob->>GitHub: Upload wheels as artifacts
  GitHub->>PublishJob: All wheels built
  PublishJob->>PublishJob: Download and merge all wheels
  alt test_pypi = true
    PublishJob->>TestPyPI: Publish wheels with TEST_PYPI_API_TOKEN
  else test_pypi = false
    PublishJob->>PyPI: Publish wheels with PYPI_API_TOKEN
  end

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A workflow springs forth in the GitHub night,
Wheels built on both arms, stripped sleek and tight,
Version tags trigger the PyPI dance,
From Linux architectures to the great package expanse!
TestPyPI awaits the uncertain kind,
But PyPI's the home this package will find. 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding PyPI publishing infrastructure via maturin to enable pip installation of aish-cli. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@github-actions (Contributor)

Thanks for the pull request. A maintainer will review it when available.

Please keep the PR focused, explain the why in the description, and make sure local checks pass before requesting review.

Contribution guide: https://github.com/AI-Shell-Team/aish/blob/main/CONTRIBUTING.md

github-actions Bot added the dependencies and ci-cd labels May 19, 2026

@github-actions (Contributor)

This pull request description looks incomplete. Please update the missing sections below before review.

Missing items:

  • User-visible Changes
  • Compatibility
  • Testing
  • Change Type
  • Scope

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/pypi.yml (1)

51-51: ⚡ Quick win

Switch to PyPI trusted publishing (OIDC) over API tokens.

This removes long-lived credential risk and aligns with current PyPI publishing best practices. Add permissions: id-token: write to the job and remove the password fields from both publish steps (lines 67 and 74). Both PyPI and TestPyPI support trusted publishing; configure trusted publishers on each index separately.

Proposed direction
  publish-pypi:
    name: Publish to ${{ github.event.inputs.test_pypi == 'true' && 'TestPyPI' || 'PyPI' }}
    needs: build-wheels
    runs-on: ubuntu-latest
    environment: release
+   permissions:
+     id-token: write
    steps:
       - name: Download wheels
         uses: actions/download-artifact@v6
         with:
           pattern: wheel-*
           path: dist
           merge-multiple: true

       - name: List wheels
         run: ls -la dist/

       - name: Publish to TestPyPI
         if: github.event.inputs.test_pypi == 'true'
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/

       - name: Publish to PyPI
         if: github.event.inputs.test_pypi != 'true'
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
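Review bot: Both publish steps still reference `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move; once the job carries `id-token: write` that action runs with the ability to obtain an upload credential, so pin it to a full commit SHA in the same change. With `environment: release` kept on the job, register the trusted publisher on PyPI and on TestPyPI against this workflow file and the `release` environment, so that only the environment-gated job can publish.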
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pypi.yml at line 51, Update the GitHub Actions job to use
OIDC trusted publishing by adding the job-level key permissions: id-token: write
and removing the hardcoded password fields from the PyPI publish steps (remove
any password: entries in the publish/upload steps for both PyPI and TestPyPI);
ensure the publish steps rely on the default GITHUB_TOKEN/OIDC flow and that
trusted publishers are configured on the PyPI and TestPyPI indexes to accept the
OIDC token.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 59c41717-9510-4a32-bf49-a627d01595f7

📥 Commits

Reviewing files that changed from the base of the PR and between 5606ddd and f5ae7a2.

📒 Files selected for processing (2)
  • .github/workflows/pypi.yml
  • pyproject.toml
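
A check for the change suggested in the review above, as an added example that is not part of this thread or of the project's code: it flags publish jobs that still pass an API token secret or lack `id-token: write`. The two workflow samples are constructed from the job shown in the review, and the job split assumes two-space indentation under `jobs:`.

```python
import re

PUBLISH_ACTION = "pypa/gh-action-pypi-publish"
# Constructed samples modelled on the publish-pypi job discussed in this thread.
TOKEN_WORKFLOW = """\
on: push
jobs:
  build-wheels:
    runs-on: ubuntu-latest
    steps:
      - run: echo build
  publish-pypi:
    needs: build-wheels
    runs-on: ubuntu-latest
    environment: release
    steps:
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""
OIDC_WORKFLOW = TOKEN_WORKFLOW.replace(
    "    environment: release\n",
    "    environment: release\n    permissions:\n      id-token: write\n",
).replace("        with:\n          password: ${{ secrets.PYPI_API_TOKEN }}\n", "")

def split_jobs(text):
    """Return {job_name: block_text}; indentation-based, assumes 2-space job keys."""
    jobs, name, in_jobs = {}, None, False
    for line in text.splitlines():
        if re.match(r"^\S", line):                 # a new top-level key starts
            in_jobs, name = line.startswith("jobs:"), None
        elif in_jobs and (m := re.match(r"^  ([\w-]+):\s*$", line)):
            name = m.group(1)
            jobs[name] = ""
        elif in_jobs and name:
            jobs[name] += line + "\n"
    return jobs

def audit(text):
    """List findings for every job that calls the PyPI publish action."""
    findings = []
    for job, body in split_jobs(text).items():
        if PUBLISH_ACTION not in body:
            continue
        if re.search(r"^\s*password:\s*\$\{\{\s*secrets\.", body, re.M):
            findings.append(f"{job}: long-lived API token passed as password")
        if not re.search(r"^\s*id-token:\s*write\s*$", body, re.M):
            findings.append(f"{job}: no 'id-token: write' permission for OIDC")
    return findings
```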

@F16shen F16shen marked this pull request as draft May 19, 2026 13:02