hotfix: pin pypa/gh-action-pypi-publish to commit SHA not tag-object SHA

#35 pinned `pypa/gh-action-pypi-publish` to
`6733eb7d741f0b11ec6a39b58540dab7590f9b7d`, which is the **tag
object** SHA for v1.14.0, not the commit it points to. The publish
action's Docker image is built per commit SHA, so pulling
`ghcr.io/pypa/gh-action-pypi-publish:6733eb7d...` failed with
"manifest unknown" and the v0.3.0 PyPI upload never happened.

The actual v1.14.0 commit SHA is
`cef221092ed1bacb1cc03d23a2d87d1d172e277b` (the tag object
dereferences to it, and `refs/heads/release/v1` agrees).

Also adding `workflow_dispatch:` trigger so we can re-run publish
without deleting/recreating the GitHub release. The release-only
trigger left us with no path to retry after the failure.

Closes #52

1 files changed, 2 insertions, 1 deletions

diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index a9e0e8f..f47ac56 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -11,6 +11,7 @@ name: Upload Python Package
 on:
   release:
     types: [published]
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -33,7 +34,7 @@ jobs:
     - name: Build package
       run: python -m build
     - name: Publish package
-      uses: pypa/gh-action-pypi-publish@6733eb7d741f0b11ec6a39b58540dab7590f9b7d  # v1.14.0
+      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
       with:
         user: __token__
         password: ${{ secrets.PYPI_API_TOKEN }}