ci: publish PyPI and npm inline from release workflows (fix #521) #592
Open
ojongerius wants to merge 1 commit into
GITHUB_TOKEN-created releases suppress downstream workflow triggers, so publish-py.yml and publish-ts.yml never fired automatically. Collapse the two-step pipeline: move uv build + pypi-publish into release-sdk-py.yml and the npm dist-tag + publish steps into release-sdk-ts.yml. Both release workflows now carry id-token: write for OIDC. publish-py.yml and publish-ts.yml are reduced to workflow_dispatch-only manual fallbacks.
Pull request overview
This PR collapses Python and TypeScript SDK publishing into their release workflows to avoid suppressed downstream release triggers from GITHUB_TOKEN-created releases.
Changes:
- Adds OIDC publishing permissions and inline PyPI/npm publish steps to SDK release workflows.
- Keeps publish workflows as `workflow_dispatch` manual fallbacks only.
- Tightens manual fallback execution to `main`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/release-sdk-ts.yml | Adds npm OIDC/provenance publish inline after TypeScript SDK release creation. |
| .github/workflows/release-sdk-py.yml | Builds Python distributions and publishes to PyPI inline after Python SDK release creation. |
| .github/workflows/publish-ts.yml | Converts npm publish workflow to a main-only manual fallback. |
| .github/workflows/publish-py.yml | Converts PyPI publish workflow to a main-only manual fallback. |
| permissions: | ||
| contents: write | ||
| id-token: write |
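Review bot: if this `permissions:` block sits at the workflow level, every job in the file receives `id-token: write` and `contents: write`, not only the step that publishes. Consider moving `id-token: write` down to the job (or a dedicated publish job) that runs the publish step, so a compromised build or test step elsewhere in the same workflow cannot mint an OIDC token for the registry.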
| permissions: | ||
| contents: write | ||
| id-token: write |
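Review bot: `id-token: write` is paired here with `contents: write`, so the job that creates the GitHub release is also the one that can obtain the OIDC token. Consider declaring an `environment:` on the publishing job and binding the trusted publisher on the registry side to that environment name, which limits the workflow/job/environment combination from which the registry will accept a token, and lets environment protection rules gate the publish.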
Comment on lines +4 to 7
| # Manual escape hatch — dispatch from `main` publishes whatever version | ||
| # package.json currently has. Normal releases go through release-sdk-ts.yml | ||
| # which publishes inline (see #521 for why the two-step pipeline was broken). | ||
| workflow_dispatch: |
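Review bot: the comment says a dispatch from `main` publishes whatever version `package.json` has, but the guard that enforces `main` is not in these lines; make sure the `if: github.ref == 'refs/heads/main'` condition described in the PR sits at job level, so a dispatch from another branch is skipped visibly rather than failing partway through. It is also worth stating in the comment that this fallback has no check that the `package.json` version matches the latest release tag, since the version verification the PR describes happens in `release-sdk-ts.yml`.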
Comment on lines +4 to 7
| # Manual escape hatch — dispatch from `main` publishes whatever version | ||
| # pyproject.toml currently has. Normal releases go through release-sdk-py.yml | ||
| # which publishes inline (see #521 for why the two-step pipeline was broken). | ||
| workflow_dispatch: |
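Review bot: a manual dispatch for a version that is already on PyPI will fail at upload, because PyPI rejects re-uploading an existing release file; the comment should say that re-running for an already-published `pyproject.toml` version is not a no-op, or the publish step can set `skip-existing: true` (an input of `pypa/gh-action-pypi-publish`) so the fallback is idempotent.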
Comment on lines +86 to +87
| - name: Publish to npm | ||
| run: npm publish --access public --provenance --tag ${{ steps.dist_tag.outputs.tag }} |
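Review bot: `${{ steps.dist_tag.outputs.tag }}` is expanded directly into the shell command on line 87. The value comes from a step inside the same workflow, so the risk is low, but GitHub's hardening guidance is to pass expressions into `run:` through `env:` (for example `env: DIST_TAG: ${{ steps.dist_tag.outputs.tag }}` and then `--tag "$DIST_TAG"`) so the shell never interprets the value. `--provenance` also depends on `registry-url` being set in `actions/setup-node` and on `id-token: write`, both of which the PR description says were added; a one-line comment on this step noting that dependency would help the next person who edits it.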
Comment on lines +72 to +74
| - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 | ||
| with: | ||
| packages-dir: sdk/py/dist/ |
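Review bot: `packages-dir: sdk/py/dist/` uploads every file in that directory, so the publish step must only ever see the artifacts produced by this run's `uv build`; if the checkout is reused or `dist/` is ever cached, stale wheels from an earlier version could be published alongside the new ones. Clearing `sdk/py/dist/` before the build (or building in a separate job and handing the files over via `actions/upload-artifact`) removes that risk. Pinning the action to a full SHA with the `# release/v1` comment is the right call.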
What
Collapses the two-step release → publish pipeline for the Python and TypeScript SDKs into a single workflow each.
Why
GITHUB_TOKEN-created releases suppress downstream workflow triggers (GitHub Actions safeguard documented in #521). This meant `publish-py.yml` and `publish-ts.yml` never fired automatically — every release since the automation was introduced has silently required manual intervention to actually reach PyPI and npm.

Discovered today when `sdk-py v0.10.0` and `sdk-ts v0.10.0` were tagged but not published; both had to be dispatched manually.

Changes

`release-sdk-py.yml`
- `id-token: write` permission (OIDC for PyPI trusted publishing)
- `uv build` step (before creating the GitHub release)
- `pypa/gh-action-pypi-publish` step (after creating the GitHub release)
- `publish-py.yml`

`release-sdk-ts.yml`
- `id-token: write` permission (OIDC for npm provenance)
- `registry-url` to `actions/setup-node` (required for npm auth)
- `publish-ts.yml` logic, using `$SDK_TS_VERSION` which is already verified to match `package.json`)
- `npm publish --access public --provenance` step
- `publish-ts.yml`

`publish-py.yml` / `publish-ts.yml`
- `release:` trigger (it never fired for `GITHUB_TOKEN`-created releases)
- `workflow_dispatch`-only manual fallbacks with a clarifying comment
- `if:` condition to `github.ref == 'refs/heads/main'` only

Testing

Can only be validated end-to-end on the next real release tag. The individual steps are identical to what `publish-py.yml` and `publish-ts.yml` already run successfully (used for manual recovery of v0.10.0 today).
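An added example, not code from this PR or the repository, showing the split build/publish layout the PyPA trusted-publishing guide recommends for the inline Python release: the build job runs with read-only permissions and `id-token: write` is granted only to the publish job. The tag pattern, `environment` name, artifact name and Python version are assumptions, the GitHub release creation step is omitted, and the action SHA and the `sdk/py/dist/` path are taken from the diff above.

```yaml
name: release-sdk-py (split build/publish example)

on:
  push:
    tags: ['sdk-py-v*']   # assumed tag pattern; the real trigger is not shown in this PR

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # the build job needs no write or OIDC permissions
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'   # assumed
      - name: Build sdist and wheel
        working-directory: sdk/py
        run: |
          rm -rf dist/           # never publish stale artifacts from an earlier build
          pip install uv
          uv build
      - uses: actions/upload-artifact@v4
        with:
          name: sdk-py-dist      # assumed artifact name
          path: sdk/py/dist/
          if-no-files-found: error

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi     # assumed; bind the PyPI trusted publisher to this environment
    permissions:
      id-token: write     # only this job can mint the OIDC token for PyPI
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: sdk-py-dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
        with:
          packages-dir: dist/
```

The publish job never checks out the repository, so nothing it runs can alter the distributions between build and upload.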