[codex] Split Python runtime release workflow

[aibrahim-oai]

Why

Python SDK releases pin an exact openai-codex-cli-bin version, so all eight platform runtime wheels must be available on PyPI before the SDK package is built and published. PyPI does not support reusable workflows as Trusted Publishers, which means OIDC-backed publishing must run from each top-level release workflow.

What changed

• add reusable python-runtime-build.yml to prepare and upload all eight runtime wheels without publishing
• add top-level python-runtime-release.yml for manual runtime publication before updating an SDK pin
• have python-sdk-release.yml publish and verify the prepared runtime wheels from its own top-level trusted job before building the SDK
• verify PyPI exposes exactly the expected eight runtime wheels before either release workflow continues

PyPI configuration

• keep the trusted publisher for .github/workflows/python-sdk-release.yml with environment pypi
• add a trusted publisher for .github/workflows/python-runtime-release.yml with environment pypi
• no trusted publisher is needed for .github/workflows/python-runtime-build.yml

Validation

• parsed all three workflow YAML files
• validated all embedded shell blocks with bash -n
• no local tests run; relying on online CI

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1d802cd293

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep PyPI publishing out of the reusable workflow

When python-sdk-release.yml calls this reusable workflow, this pypa/gh-action-pypi-publish step runs from the called workflow, but PyPI Trusted Publishing explicitly says reusable workflows cannot currently be used as the trusted workflow. In the tag-release path this means the runtime publish step will fail to mint a PyPI token before the SDK build can start; keep the publish job in the top-level SDK workflow (for example by having the reusable workflow only build/upload artifacts) and publish from a non-reusable job.

Useful? React with 👍 / 👎.