
ci: harden publish-pypi against accidental manual publishes (slice #50)#6

Merged
buildrr89 merged 1 commit into main from slice-50-publish-pypi-safety on Apr 20, 2026

Conversation

@buildrr89
Owner

Summary

  • `workflow_dispatch.inputs.dry_run.default` flipped from `"false"` to `"true"` — manual runs now build-only unless opted in.
  • Publish job's `if:` predicate switched to a positive form: `release-published OR (workflow_dispatch AND dry_run == 'false')`. Unexpected input values now fail closed instead of publishing.
  • New contract test in `tests/test_repo_contracts.py` locks both invariants.

Safety margin for a first-release repo wired to a trusted publisher.

Test plan

  • `uv run pytest -q` — 211 passing
  • PR CI: proof + wheel-smoke green

🤖 Generated with Claude Code

workflow_dispatch now defaults dry_run to "true" (was "false") and the
publish job's if: predicate switches to a positive form so unexpected
input values fail closed instead of publishing. Contract test locks both
invariants in place.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
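The fail-closed gate and the two invariants from the summary, modelled in Python as an added example; this is not the repository's workflow or its `tests/test_repo_contracts.py`. The positive-form predicate follows the PR description. The negative form used for contrast (`inputs.dry_run != 'true'`) is an assumption about what the gate looked like before, since the page only says it was switched to a positive form. The workflow dict, the job names and the sample input values are constructed, and string comparison is modelled case-insensitively because GitHub Actions expressions compare strings that way.

```python
"""Publish-gate model and contract checks for a publish-pypi workflow.

Added example: not the repository's workflow or its contract test. The
positive-form predicate follows the PR description; the negative form is an
ASSUMED 'before' used only for contrast. WORKFLOW is a constructed dict that
stands in for yaml.safe_load(".github/workflows/publish-pypi.yml").
"""
import json

# Constructed stand-in for the loaded workflow after the PR (string-typed input).
WORKFLOW = {
    "on": {
        "release": {"types": ["published"]},
        "workflow_dispatch": {
            "inputs": {"dry_run": {"type": "string", "default": "true"}},
        },
    },
    "jobs": {
        "publish": {
            "if": (
                "github.event_name == 'release' || "
                "(github.event_name == 'workflow_dispatch' && inputs.dry_run == 'false')"
            ),
        },
    },
}


def legacy_variant(wf: dict) -> dict:
    """Constructed 'before' shape: default "false" and a negated comparison.
    (Assumption about the prior gate; the PR only says it was not positive-form.)"""
    legacy = json.loads(json.dumps(wf))  # cheap deep copy of plain data
    legacy["on"]["workflow_dispatch"]["inputs"]["dry_run"]["default"] = "false"
    legacy["jobs"]["publish"]["if"] = (
        "github.event_name == 'release' || inputs.dry_run != 'true'"
    )
    return legacy


def _eq(a, b) -> bool:
    """GitHub Actions expressions compare strings case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def gate_negative(event_name: str, dry_run) -> bool:
    """Assumed before: publish unless dry_run is literally 'true'.
    Any unexpected value ('', 'no', '0', missing) publishes: fail open."""
    return _eq(event_name, "release") or not _eq(dry_run, "true")


def gate_positive(event_name: str, dry_run) -> bool:
    """PR form: publish only on a release, or on a manual run that explicitly
    opted in with dry_run == 'false'. Anything else stays build-only: fail closed."""
    return _eq(event_name, "release") or (
        _eq(event_name, "workflow_dispatch") and _eq(dry_run, "false")
    )


# Constructed sample values a human might type into the dispatch form.
SAMPLE_INPUTS = ["true", "false", "TRUE", "False", "", "no", "0", None]


def publishing_values(gate, event_name: str = "workflow_dispatch") -> list:
    """Which SAMPLE_INPUTS cause `gate` to publish for a manual dispatch."""
    return [v for v in SAMPLE_INPUTS if gate(event_name, v)]


def check_contracts(wf: dict) -> list[str]:
    """Return violated invariants; an empty list means the workflow passes."""
    problems = []
    # PyYAML follows YAML 1.1 and loads the bare key `on` as the boolean True,
    # so a contract test over yaml.safe_load output must look under both keys.
    triggers = wf.get("on", wf.get(True, {}))
    dry_run = triggers.get("workflow_dispatch", {}).get("inputs", {}).get("dry_run", {})
    if dry_run.get("default") != "true":
        problems.append("workflow_dispatch.inputs.dry_run.default must be the string 'true'")
    cond = " ".join(wf.get("jobs", {}).get("publish", {}).get("if", "").split())
    if "!=" in cond or "inputs.dry_run == 'false'" not in cond:
        problems.append("publish.if must opt in positively via inputs.dry_run == 'false'")
    return problems


if __name__ == "__main__":
    print("negative gate publishes on:", publishing_values(gate_negative))
    print("positive gate publishes on:", publishing_values(gate_positive))
    print("contract violations (after):", check_contracts(WORKFLOW))
    print("contract violations (before):", check_contracts(legacy_variant(WORKFLOW)))
```

Running the file prints the sweep for both gates: the negative form publishes on every value that is not spelled `true`, including an empty or missing input, while the positive form publishes only on an explicit `false`. `check_contracts` is the shape a pytest contract test takes once the YAML is loaded; the `True` key lookup matters because PyYAML turns the bare `on:` trigger key into a boolean. If the input were declared `type: boolean` instead, `inputs.dry_run == 'false'` would compare a boolean to a string through GitHub's numeric coercion rather than as a literal match, which is one reason the quoted string defaults in the summary matter.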

coderabbitai Bot commented Apr 20, 2026

Warning

Rate limit exceeded

@buildrr89 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 31 minutes and 9 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 31 minutes and 9 seconds.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eb6ec25e-fa6d-4d8e-8771-05abe30d673b

📥 Commits

Reviewing files that changed from the base of the PR and between 6167cec and a7cbb65.

📒 Files selected for processing (4)
  • .github/workflows/publish-pypi.yml
  • CHANGELOG.md
  • docs/NEXT_EXECUTION_BACKLOG.md
  • tests/test_repo_contracts.py

@github-actions

RADE score diff

Compared 6167cec95232876472afd376d046d4be8eabbf07 -> a7cbb65392d144a316882045e024a34d43c0fccb.
Regression gate status: disabled.
Direction: higher reusability is better; lower accessibility_risk is better.

| Metric             | Base | Head | Delta |
|--------------------|------|------|-------|
| reusability        | 86   | 86   | 0     |
| accessibility_risk | 70   | 70   | 0     |

Generated by RADE GitHub Action.

@buildrr89 buildrr89 merged commit c292105 into main Apr 20, 2026
6 checks passed
@buildrr89 buildrr89 deleted the slice-50-publish-pypi-safety branch April 20, 2026 00:41