
Move pypi update to main workflow as part of normal release, test release logic #188

Merged: Eeems merged 5 commits into main from pypi on Jun 24, 2026

Conversation

@Eeems (Collaborator) commented Jun 24, 2026

Summary by CodeRabbit

  • New Features

    • Automated release builds now run on both main and non-main branches; non-main branches are treated as test releases.
    • Non-main runs update the package version with a post tag and build artifacts, but do not publish to PyPI.
    • Added clearer output for non-main branches (name/tag/commit and computed version).
  • Chores

    • Consolidated release and PyPI publishing into the main release workflow.
    • Removed the separate PyPI publishing workflow.

@coderabbitai Bot (Contributor) commented Jun 24, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 2191bd4 and 949b225.

📒 Files selected for processing (1)
  • .github/workflows/main.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/main.yml

Walkthrough

The release workflow is consolidated into .github/workflows/main.yml. The release job now runs on all branches, conditionally creates GitHub releases and publishes to PyPI on main, and the separate python-publish.yml workflow is removed.

Changes

Release workflow consolidation

| Layer | File(s) | Summary |
|---|---|---|
| Job flow and tool setup | .github/workflows/main.yml | The release job now runs without a job-level branch gate, uses a branch-specific job name, and sets up Python 3.13 and Poetry before later release steps. |
| Release and publish steps | .github/workflows/main.yml | The job gates GitHub release creation and PyPI publishing to main, updates pyproject.toml from the release tag, installs dependencies with Poetry, builds the package, and prints release metadata on non-main branches. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects moving PyPI publishing into the main workflow and adding test release logic. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@Eeems Eeems linked an issue Jun 24, 2026 that may be closed by this pull request
@Eeems Eeems marked this pull request as ready for review June 24, 2026 18:46

@coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 4

🧹 Nitpick comments (1)
.github/workflows/main.yml (1)

283-287: 🔒 Security & Privacy | 🔵 Trivial | 🏗️ Heavy lift

Prefer PyPI trusted publishing for this workflow.

If the PyPI project can be configured for GitHub trusted publishing, this release path no longer needs a long-lived PYPI_API_TOKEN secret.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yml around lines 283 - 287, The Publish to pypi step
in the main workflow still uses a long-lived PYPI_API_TOKEN secret; update this
release path to use PyPI trusted publishing instead. Adjust the workflow job
around the publish step so it relies on GitHub OIDC/trusted publishing
configuration for Poetry rather than the POETRY_PYPI_TOKEN_PYPI environment
secret, and make sure the publishing step remains gated by the main branch
condition.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/main.yml:
- Around line 241-243: The workflow currently grants `contents: write` to the
whole job even on non-`main` runs, so narrow that permission to the actual
release path only. Split the release/publish logic in the workflow so the
`ncipollo/release-action` step runs in a `main`-only job with write access, and
keep the always-running test-release job read-only. Use the existing job/step
structure around the release action to separate these paths without changing the
test execution flow.
- Around line 255-258: The apt install step in the workflow can prompt for
confirmation on fresh runners, so make the install noninteractive in the main
release/test-release job. Update the install block that runs sudo apt-get update
and sudo apt-get install in the workflow to pass a noninteractive mode or
equivalent apt option, keeping the rest of the setup (including curl | python3 -
for Poetry) unchanged.
- Around line 279-280: The version bump step in the workflow is using a sed
pattern that treats the capture group as literal text, so the replacement
backreference in the Update version step cannot work. Update the workflow’s
Update version command to either enable extended regex support with sed or
replace the whole operation with poetry version, and make sure the change still
targets pyproject.toml and preserves the intended post-release suffix using the
existing TAG variable.
- Around line 249-253: The workflow step in main.yml needs to stop using mutable
action tags and avoid leaving Git credentials in the release job. Update the
actions referenced by setup-python and checkout in the job to pinned commit
SHAs, and set persist-credentials to false on the checkout step since this job
only publishes to PyPI. Use the existing action steps in the release workflow as
the locations to update.



📥 Commits

Reviewing files that changed from the base of the PR and between 6a47478 and 5f8e915.

📒 Files selected for processing (2)
  • .github/workflows/main.yml
  • .github/workflows/python-publish.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/python-publish.yml

@Eeems: this comment was marked as resolved.

@coderabbitai: this comment was marked as resolved.

@coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
.github/workflows/main.yml (1)

287-291: 🔒 Security & Privacy | 🔵 Trivial

Prefer PyPI trusted publishing if this project supports it. secrets.PYPI_API_TOKEN keeps a reusable PyPI secret in GitHub; if the PyPI project is configured for trusted publishing, switch this step to OIDC (permissions: id-token: write + pypa/gh-action-pypi-publish) and remove the token secret.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yml around lines 287 - 291, The publish step
currently uses a stored PyPI token via poetry publish, but it should use PyPI
trusted publishing if supported. Update the workflow around the Publish to pypi
step to use OIDC-based publishing with pypa/gh-action-pypi-publish, add the
required id-token: write permission, and remove the POETRY_PYPI_TOKEN_PYPI
secret usage from this job.

Source: Linters/SAST tools



📥 Commits

Reviewing files that changed from the base of the PR and between ada7220 and 2191bd4.

📒 Files selected for processing (1)
  • .github/workflows/main.yml
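The two review comments above (a main-only write path, pinned action SHAs, `persist-credentials: false`, and OIDC trusted publishing in place of a stored `PYPI_API_TOKEN`) put together in one workflow, as an added illustration that is not the repository's own main.yml. The job names, the use of pipx to install Poetry, the artifact name and every `<PINNED_COMMIT_SHA>` placeholder are assumptions; the PyPI project is assumed to already be configured for trusted publishing.

```yaml
# Added illustration, not the project's main.yml. An always-running build job
# keeps read-only permissions; only the main-only publish job holds write access
# and the OIDC id-token. Every <PINNED_COMMIT_SHA> is a placeholder (assumption):
# replace it with the full commit SHA of the action version you audited.
name: release

on: [push]

permissions:
  contents: read        # workflow-level default: least privilege

jobs:
  build:                # runs on every branch, including test releases
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<PINNED_COMMIT_SHA>   # SHA, not a mutable tag
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-python@<PINNED_COMMIT_SHA>
        with:
          python-version: "3.13"
      - name: Install Poetry (assumed: pipx instead of curl | python3 -)
        run: pipx install poetry
      - name: Build
        run: poetry build
      - uses: actions/upload-artifact@<PINNED_COMMIT_SHA>
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    if: github.ref == 'refs/heads/main'   # non-main test releases never reach here
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only this job may create the GitHub release
      id-token: write   # PyPI verifies the OIDC token; no PYPI_API_TOKEN secret
    steps:
      - uses: actions/download-artifact@<PINNED_COMMIT_SHA>
        with:
          name: dist
          path: dist/
      - uses: ncipollo/release-action@<PINNED_COMMIT_SHA>
        with:
          artifacts: "dist/*"   # other release inputs as in the existing workflow
      - name: Publish to PyPI (trusted publishing)
        uses: pypa/gh-action-pypi-publish@<PINNED_COMMIT_SHA>   # reads dist/ by default
```

No checkout is needed in the publish job, so it never holds a Git credential at all; the built artifacts are the only input it receives.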

@Eeems Eeems merged commit 590b110 into main Jun 24, 2026
12 checks passed
@Eeems Eeems deleted the pypi branch June 24, 2026 22:00


Development

Successfully merging this pull request may close these issues.

pypi release is not automated
