From 672cfe262e8ea485e1975532ec8e81842b6ed94d Mon Sep 17 00:00:00 2001
From: Martin Storath <storath@googlemail.com>
Date: Fri, 8 May 2026 05:27:52 +0000
Subject: [PATCH] Add post-publish verify step (real install + import + call)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirrors CMF v0.1.7's post-publish smoke check (devcontainer
reports/11-cmf-v0.1.7-release.md). PyPI accepting the upload is not
the same as `pip install` working — the new step does a real
`pip install cssd` from PyPI, imports the module, and runs a tiny
`cssd(np.linspace(0,1,16), np.zeros(16), p=0.99, gamma=1e10)` call
to exercise the Rust binding. Catches: renamed package, broken
__init__, ABI/manylinux mismatches, missing native bindings.
---
 .github/workflows/release.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index af2bb5d..5557be5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -126,3 +126,21 @@ jobs:
           body_path: release-notes.md
           generate_release_notes: true
           files: dist/*
+
+      - name: Verify uploaded package (real install + import + call)
+        # Defends against silent failures where PyPI accepts the upload
+        # but the package isn't actually usable (renamed module, missing
+        # __init__, broken native binding, ABI mismatch, etc.).
+        # Mirrors CMF v0.1.7's step — see devcontainer reports/11.
+        run: |
+          # Brief delay so PyPI's CDN settles the new version.
+          sleep 30
+          pip install --no-cache-dir --index-url https://pypi.org/simple/ cssd
+          python -c "
+          import numpy as np
+          from cssd import cssd
+          from importlib.metadata import version
+          x = np.linspace(0, 1, 16)
+          out = cssd(x, np.zeros(16), p=0.99, gamma=1e10)
+          print(f'cssd {version(\"cssd\")} verify OK')
+          "