feat: add PyPI publish workflow (beta + stable via OIDC) #14

Merged
tommed merged 3 commits into main from feat/pypi-publish-workflow
Mar 15, 2026

tommed commented Mar 15, 2026

Summary

  • Adds .github/workflows/publish.yml — a four-job publish pipeline triggered on release: [published] events
  • Validates that the GitHub release tag matches pyproject.toml version, and that the pre-release flag is consistent with the version string (e.g. b/a/rc suffix)
  • Re-runs the full CI suite (lint, type check, tests, notebooks, coverage ≥80%) against the exact tagged SHA before building
  • Builds .whl + .tar.gz via poetry build, uploads as a workflow artefact
  • Publishes to TestPyPI automatically (no gate), then to PyPI behind a human-approval environment gate
  • Authentication uses PyPI Trusted Publishers (OIDC) — no API tokens stored in GitHub Secrets
  • Adds bump, build, and publish-check Makefile targets for the local release workflow

One-time setup required before first publish

  1. PyPI Trusted Publisher — on both pypi.org and test.pypi.org: Owner=phasenexa, Repo=nexa-bidkit, Workflow=publish.yml, Environment=pypi / testpypi
  2. GitHub Environments — create testpypi (no rules) and pypi (required reviewer: yourself) in Repo Settings → Environments

Release developer workflow

```bash
# Beta
make bump version=1.0.0b1
git add pyproject.toml && git commit -m "chore: bump version to 1.0.0b1"
git push
# Create GitHub pre-release tagged v1.0.0b1

# Stable
make bump version=1.0.0
git add pyproject.toml && git commit -m "chore: bump version to 1.0.0"
git push
# Create GitHub stable release tagged v1.0.0
```

Pipeline: validate → ci → build → publish-testpypi → [approval] → publish-pypi

Test plan

  • Merge and create a GitHub pre-release tagged v{current-version}b1 to exercise the full pipeline end-to-end
  • Verify test.pypi.org/project/nexa-bidkit shows the new version
  • Approve the pypi environment gate and verify pypi.org/project/nexa-bidkit
  • Confirm pip install nexa-bidkit==X.Y.Zb1 requires --pre; stable install works without it
  • Test make publish-check tag=vX.Y.Z catches a mismatched tag locally

🤖 Generated with Claude Code

tommed and others added 3 commits March 15, 2026 08:53
Adds a GitHub Actions publish pipeline triggered on GitHub release
events. Validates tag/pyproject.toml version match and pre-release
consistency, re-runs the full CI suite against the tagged SHA, builds
the distribution, publishes to TestPyPI (no gate), then publishes to
PyPI behind a human-approval environment gate.

Authentication uses PyPI Trusted Publishers (OIDC) — no API tokens
stored in GitHub Secrets.

Also adds `bump`, `build`, and `publish-check` Makefile targets to
support the release developer workflow locally.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Step-by-step instructions for beta and stable releases, one-time
PyPI Trusted Publisher and GitHub Environment setup, pipeline
overview, verification steps, and the publish-check pre-flight command.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
tommed merged commit 8cb35ed into main Mar 15, 2026
1 check passed
tommed deleted the feat/pypi-publish-workflow branch March 15, 2026 08:59
codecov bot commented Mar 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
