feat: add safety checks to publish workflow

- Only publish from main/master branch
- Run full test suite before publishing
- Require manual confirmation for workflow_dispatch
- Added test job that must pass before deploy
- Prevents accidental publishes from dev branches

Author: devjerry0

.github/workflows/publish.yml

@@ -4,10 +4,45 @@ on:
   release:
     types: [published]
   workflow_dispatch:
+    inputs:
+      confirm:
+        description: 'Type "publish" to confirm PyPI upload'
+        required: true
+        default: 'no'
 
 jobs:
+  test:
+    name: Run Tests Before Publishing
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      
+      - name: Install dependencies
+        run: uv pip install --system -e ".[dev]"
+      
+      - name: Run ruff
+        run: ruff check .
+      
+      - name: Run mypy
+        run: mypy contractions/ tests/
+      
+      - name: Run tests with coverage
+        run: pytest tests/ --cov=contractions --cov-report=term
+  
   deploy:
+    name: Build and Publish to PyPI
     runs-on: ubuntu-latest
+    needs: test
+    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event_name == 'release'
     permissions:
       id-token: write
 
@@ -17,15 +52,24 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Check manual confirmation
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          if [ "${{ github.event.inputs.confirm }}" != "publish" ]; then
+            echo "❌ Manual confirmation required. Type 'publish' to proceed."
+            exit 1
+          fi
+      
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+      
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: '3.12'
 
       - name: Install build dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install build twine
+        run: uv pip install --system build twine
 
       - name: Update version from git commits
         run: |