ci: stop recurring Release + security workflow failures on main

.github/workflows/publish.yml

@@ -1,8 +1,30 @@
 name: Release
 
+# Manual-only trigger.
+#
+# `python-semantic-release` needs to push the version-bump commit and
+# tag back to `main`. The `default-branch-baseline` ruleset on this
+# repo requires every change to `main` to come through a pull request
+# (bypass mode is `pull_request`, so even bypass actors must use a PR).
+# Direct pushes from the Actions GITHUB_TOKEN — including the bot's
+# release commit — are rejected with `GH013: Repository rule
+# violations`. Keeping `push: branches: [main]` on this trigger
+# therefore caused every commit to fail the `Release` workflow.
+#
+# Options for restoring automatic releases on push:
+#   1. Add a dedicated GitHub App / `resq-sw` PAT to `bypass_actors` on
+#      ruleset 15191038 with `bypass_mode: always`, then wire its token
+#      into `mcp-release` / `dsa-release` checkouts and the
+#      `python-semantic-release` action.
+#   2. Restructure to a PR-based release flow: run semantic-release
+#      with `commit: false, push: false` to compute the version, then
+#      open a release PR via `peter-evans/create-pull-request` so the
+#      bump merges through the protected-branch policy normally.
+#
+# Until one of those lands, dispatch this workflow manually from the
+# Actions tab (or via `gh workflow run Release.yml`) when you want to
+# cut a release.
 on:
-  push:
-    branches: [main]
   workflow_dispatch:
 
 permissions:

.github/workflows/security.yml

@@ -26,5 +26,12 @@ jobs:
     with:
       languages: '["python","actions"]'
       enable-semgrep: true
-    secrets:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+    # `secrets: inherit` is required here because the upstream reusable
+    # workflow does not declare a `workflow_call.secrets:` contract.
+    # Passing named secrets (e.g. `SEMGREP_APP_TOKEN: ${{ ... }}`) causes
+    # GitHub to reject the call with `startup_failure` before any job
+    # runs. Tracked: follow up on resq-software/.github to declare the
+    # secrets contract, after which this can become explicit.
+    # zizmor warning `secrets-inherit` (#43) is intentionally suppressed
+    # in `.github/zizmor.yml` for the same reason.
+    secrets: inherit

.github/zizmor.yml

@@ -0,0 +1,19 @@
+# Copyright 2026 ResQ Software
+# SPDX-License-Identifier: Apache-2.0
+#
+# zizmor configuration for resq-software/pypi.
+# https://docs.zizmor.sh/configuration/
+
+rules:
+  secrets-inherit:
+    ignore:
+      # The org-wide reusable workflow at
+      # resq-software/.github/.github/workflows/security-scan.yml does
+      # not declare a `workflow_call.secrets:` contract. With no
+      # contract, GitHub Actions rejects any caller that tries to pass
+      # named secrets explicitly — the run terminates as
+      # `startup_failure` before any job starts. `secrets: inherit` is
+      # the only valid option until the upstream workflow is updated to
+      # declare its secrets surface. Once that lands, drop this ignore
+      # and switch security.yml back to explicit `SEMGREP_APP_TOKEN`.
+      - security.yml