ci: add PyPI publish workflow

[BioGeek]

Summary

Adds a GitHub Actions workflow (.github/workflows/python-publish.yml) that automatically builds and publishes the instanexus package to PyPI when a new GitHub Release is created. Modeled on the InstaNovo publish workflow.

How it works

1. A maintainer creates a new GitHub Release (via the web UI or gh CLI)
2. The workflow triggers on the release: published event
3. It builds an sdist + wheel with python -m build and uploads to PyPI

How to trigger

Option A — GitHub web UI:

1. Go to Releases → New
2. Create a new tag matching the version in pyproject.toml (e.g. v0.2.1)
3. Fill in release title and notes, click "Publish release"

Option B — GitHub CLI:

gh release create v0.2.1 --title "v0.2.1" --notes "Release notes here"

Option C — Manual dispatch (for testing):

gh workflow run python-publish.yml

Prerequisites

A PyPI API token must be stored as a repository secret named PYPI_API_TOKEN:

1. Create a token at https://pypi.org/manage/account/token/
2. Add it at Settings → Secrets and variables → Actions → New repository secret

The version in pyproject.toml must match the release tag (without the v prefix). PyPI rejects duplicate version uploads.

Test plan

• Verify the workflow file is valid (GitHub will show a syntax error on the Actions tab if not)
• Add the PYPI_API_TOKEN secret to the repo
• Test with manual dispatch (gh workflow run python-publish.yml) or create a test release
• Verify the package appears on https://pypi.org/project/instanexus/