Fix ci action

.github/workflows/_build.yml

@@ -42,7 +42,10 @@ jobs:
     steps:
     - name: Install system dependencies (Linux)
       run: |
-        apt-get update
+        # Replace archive.ubuntu.com with azure.archive.ubuntu.com for better stability in GH Actions
+        sed -i 's/http:\/\/archive.ubuntu.com\/ubuntu\//http:\/\/azure.archive.ubuntu.com\/ubuntu\//g' /etc/apt/sources.list
+        # Retry apt-get update
+        for i in 1 2 3 4 5; do apt-get update && break || sleep 5; done
         apt-get install -y \
           git ca-certificates cmake build-essential tzdata curl \
           libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev \
@@ -59,19 +62,17 @@ jobs:
     - name: Build CPython (Dynamic Selection)
       run: |
         # Map short version to full version for our specific build environment
-        declare -A PYTHON_MAP
-        PYTHON_MAP["3.9"]="3.9.18"
-        PYTHON_MAP["3.10"]="3.10.13"
-        PYTHON_MAP["3.11"]="3.11.8"
-        PYTHON_MAP["3.12"]="3.12.2"
-
         PYTHON_VERSION="${{ matrix.python-version }}"
-        PYTHON_FULL="${PYTHON_MAP[$PYTHON_VERSION]}"
-
-        if [ -z "$PYTHON_FULL" ]; then
-          echo "Error: Unknown python version $PYTHON_VERSION"
-          exit 1
-        fi
+        case "$PYTHON_VERSION" in
+          "3.9") PYTHON_FULL="3.9.18" ;;
+          "3.10") PYTHON_FULL="3.10.13" ;;
+          "3.11") PYTHON_FULL="3.11.8" ;;
+          "3.12") PYTHON_FULL="3.12.2" ;;
+          *)
+            echo "Error: Unknown python version $PYTHON_VERSION"
+            exit 1
+            ;;
+        esac
 
         PYTHON_PREFIX="/opt/python/${PYTHON_FULL}"
         PYTHON_BIN="${PYTHON_PREFIX}/bin/python${{ matrix.python-version }}"
@@ -147,8 +148,7 @@ jobs:
   build-other:
     name: Build distribution on ${{ matrix.os }}
     # Filter out ubuntu-latest from this job since it's handled by build-linux
-    if: ${{ matrix.os != 'ubuntu-latest' }}
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:

.github/workflows/_publish.yml

@@ -33,7 +33,8 @@ jobs:
   permission-check:
     name: Check write permission
     runs-on: ubuntu-latest
-    permissions: read-all
+    permissions:
+      contents: read
     outputs:
       allowed: ${{ steps.check.outputs.allowed }}
     steps:
@@ -99,6 +100,8 @@ jobs:
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
         repository-url: https://test.pypi.org/legacy/
+        skip-existing: true
+        verbose: true
 
   publish-pypi:
     name: Publish to PyPI
@@ -135,3 +138,5 @@ jobs:
 
     - name: Publish distribution to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        verbose: true

.github/workflows/release.yml

@@ -26,18 +26,102 @@ on:
         type: string
         default: '["3.9", "3.10", "3.11", "3.12"]'
 
+permissions:
+  contents: write
+  id-token: write
+  actions: read
+
 jobs:
   build:
     uses: ./.github/workflows/_build.yml
     with:
       os_json: ${{ inputs.os_json || '["ubuntu-latest", "macos-latest", "macos-15-intel", "windows-latest"]' }}
       python_json: ${{ inputs.python_json || '["3.9", "3.10", "3.11", "3.12"]' }}
 
-  publish:
+  permission-check:
+    name: Check write permission
     needs: [build]
-    # Run if triggered by release OR (manual trigger AND target is not 'none')
-    if: github.event_name == 'release' || (inputs.target != 'none')
-    uses: ./.github/workflows/_publish.yml
-    with:
-      # For release events, default to 'pypi'. For manual, use the input.
-      target: ${{ inputs.target || 'pypi' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      allowed: ${{ steps.check.outputs.allowed }}
+    steps:
+    - name: Verify actor permission
+      id: check
+      uses: actions/github-script@v7
+      with:
+        script: |
+          // Only check permission for manual dispatch
+          if (context.eventName !== 'workflow_dispatch') {
+            core.setOutput('allowed', 'true');
+            return;
+          }
+          const { owner, repo } = context.repo;
+          const actor = context.actor;
+          const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+            owner,
+            repo,
+            username: actor,
+          });
+          const perm = data.permission;
+          core.info(`Actor ${actor} permission: ${perm}`);
+          const allowed = ['admin', 'maintain', 'write'].includes(perm);
+          core.setOutput('allowed', allowed ? 'true' : 'false');
+          if (!allowed) {
+            core.setFailed(`User ${actor} does not have write permission`);
+          }
+
+  publish-testpypi:
+    name: Publish to TestPyPI
+    needs: [build, permission-check]
+    if: >-
+      needs.permission-check.outputs.allowed == 'true' &&
+      (inputs.target == 'testpypi' || inputs.target == 'both')
+    runs-on: ubuntu-latest
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/openviking
+    permissions:
+      id-token: write
+      actions: read
+    steps:
+    - name: Download all the dists (Same Run)
+      uses: actions/download-artifact@v4
+      with:
+        pattern: python-package-distributions-*
+        path: dist/
+        merge-multiple: true
+
+    - name: Publish distribution to TestPyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/
+        skip-existing: true
+        verbose: true
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs: [build, permission-check]
+    if: >-
+      needs.permission-check.outputs.allowed == 'true' &&
+      (github.event_name == 'release' || inputs.target == 'pypi' || inputs.target == 'both')
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/openviking
+    permissions:
+      id-token: write
+      actions: read
+    steps:
+    - name: Download all the dists (Same Run)
+      uses: actions/download-artifact@v4
+      with:
+        pattern: python-package-distributions-*
+        path: dist/
+        merge-multiple: true
+
+    - name: Publish distribution to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        verbose: true

pyproject.toml

@@ -1,6 +1,7 @@
 [build-system]
 requires = [
     "setuptools>=61.0",
+    "setuptools-scm>=8.0",
     "pybind11>=2.13.0",
     "cmake>=3.15",
     "wheel",
@@ -9,8 +10,8 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "openviking"
-version = "0.1.7"
-description = "An Agent-native context database: Data in, Context out"
+dynamic = ["version"]
+description = "An Agent-native context database"
 readme = "README.md"
 authors = [
     {name = "ByteDance", email = "noreply@bytedance.com"}
@@ -78,6 +79,7 @@ openviking-server = "openviking.server.bootstrap:main"
 
 [tool.setuptools_scm]
 write_to = "openviking/_version.py"
+local_scheme = "no-local-version"
 
 [tool.setuptools.packages.find]
 where = ["."]

setup.py

@@ -5,7 +5,7 @@
 from pathlib import Path
 
 import pybind11
-from setuptools import Extension, find_packages, setup
+from setuptools import Extension, setup
 from setuptools.command.build_ext import build_ext
 
 CMAKE_PATH = shutil.which("cmake") or "cmake"
@@ -138,7 +138,6 @@ def build_extension(self, ext):
     cmdclass={
         "build_ext": CMakeBuildExtension,
     },
-    packages=find_packages(),
     package_data={
         "openviking": [
             "bin/agfs-server",