mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-18 04:41:56 +00:00
6bdad1f3b2
* ci(pypi): add publish workflow for automated PyPI releases Triggered by CalVer tag pushes from scripts/release.py (v20* pattern). Three jobs: build (uv build) → publish (OIDC trusted publishing) → sign (Sigstore + attach to existing GitHub Release). - workflow_dispatch as manual escape hatch - skip-existing for safe re-runs - Graceful skip when GitHub Release not found (sign job) - Top-level permissions: contents: read (CodeQL compliant) Requires one-time setup: PyPI trusted publisher + GitHub pypi environment. Co-authored-by: dmahan93 <44207705+dmahan93@users.noreply.github.com> * fix(release): address review findings - Stage acp_registry/agent.json in version bump commit (was silently left unstaged) - Add missing return when no previous tags found without --first-release - Fix get_pr_number return type annotation (str -> str | None) - Prefer uv build over python -m build (matches CI workflow), with fallback - Use unit separator (%x1f) in git log format to handle | in author names - Add explicit encoding='utf-8' to .release_notes.md write Workflow hardening: - Gracefully skip signing when GitHub Release not found (env var gate instead of exit 1, so PyPI publish still shows green) * fix(ci): harden PyPI workflow — SHA-pin actions, guard workflow_dispatch, explicit build flags - Pin all actions to commit SHAs (supply-chain hardening for id-token:write) - workflow_dispatch now requires confirm_tag input + checks out that tag - Both uv build paths explicitly pass --sdist --wheel --------- Co-authored-by: dmahan93 <44207705+dmahan93@users.noreply.github.com>
137 lines
4.4 KiB
YAML
137 lines
4.4 KiB
YAML
name: Publish to PyPI
|
|
|
|
# Triggered by CalVer tag pushes from scripts/release.py (e.g. v2026.5.15)
|
|
# Can also be triggered manually from the Actions tab as an escape hatch.
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v20*' # CalVer tags: v2026.5.15, v2026.5.15.2, etc.
|
|
workflow_dispatch:
|
|
inputs:
|
|
confirm_tag:
|
|
description: 'Tag to publish (e.g. v2026.5.15). Must already exist.'
|
|
required: true
|
|
type: string
|
|
|
|
# Restrict default token to read-only; each job escalates as needed.
|
|
permissions:
|
|
contents: read
|
|
|
|
# Prevent overlapping publishes (e.g. two same-day tags pushed quickly).
|
|
concurrency:
|
|
group: pypi-publish
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
build:
|
|
name: Build distribution 📦
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
persist-credentials: false
|
|
# On workflow_dispatch, check out the confirmed tag.
|
|
ref: ${{ inputs.confirm_tag || github.ref }}
|
|
fetch-tags: true
|
|
|
|
- name: Validate tag exists
|
|
if: github.event_name == 'workflow_dispatch'
|
|
run: |
|
|
if ! git tag -l "${{ inputs.confirm_tag }}" | grep -q .; then
|
|
echo "::error::Tag '${{ inputs.confirm_tag }}' does not exist in the repo"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
|
|
with:
|
|
python-version: '3.13'
|
|
|
|
- name: Install uv
|
|
uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
|
|
|
|
- name: Build wheel and sdist
|
|
run: uv build --sdist --wheel
|
|
|
|
- name: Upload distribution artifacts
|
|
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
with:
|
|
name: python-package-distributions
|
|
path: dist/
|
|
|
|
publish:
|
|
name: Publish to PyPI
|
|
needs: build
|
|
runs-on: ubuntu-latest
|
|
environment:
|
|
name: pypi
|
|
url: https://pypi.org/p/hermes-agent
|
|
permissions:
|
|
id-token: write # OIDC trusted publishing
|
|
|
|
steps:
|
|
- name: Download distribution artifacts
|
|
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
|
|
with:
|
|
name: python-package-distributions
|
|
path: dist/
|
|
|
|
- name: Publish to PyPI
|
|
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
|
|
with:
|
|
skip-existing: true
|
|
|
|
sign:
|
|
name: Sign and attach to GitHub Release
|
|
# Only runs on tag pushes — release.py creates the GitHub Release,
|
|
# and workflow_dispatch won't have a matching release to attach to.
|
|
if: startsWith(github.ref, 'refs/tags/')
|
|
needs: publish
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write # attach assets to the existing release
|
|
id-token: write # sigstore signing
|
|
|
|
steps:
|
|
- name: Download distribution artifacts
|
|
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
|
|
with:
|
|
name: python-package-distributions
|
|
path: dist/
|
|
|
|
- name: Wait for GitHub Release to exist
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
# release.py creates the GitHub Release after pushing the tag,
|
|
# but this workflow starts from the tag push — wait for it.
|
|
run: |
|
|
for i in $(seq 1 30); do
|
|
if gh release view "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
|
|
echo "Release $GITHUB_REF_NAME found"
|
|
exit 0
|
|
fi
|
|
echo "Waiting for release... ($i/30)"
|
|
sleep 10
|
|
done
|
|
echo "::warning::Release $GITHUB_REF_NAME not found after 5 minutes — skipping signature upload"
|
|
echo "skip_sign=true" >> "$GITHUB_ENV"
|
|
|
|
- name: Sign with Sigstore
|
|
if: env.skip_sign != 'true'
|
|
uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
|
|
with:
|
|
inputs: >-
|
|
./dist/*.tar.gz
|
|
./dist/*.whl
|
|
|
|
- name: Attach signed artifacts to GitHub Release
|
|
if: env.skip_sign != 'true'
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
# release.py already created the GitHub Release — just upload
|
|
# the Sigstore signatures alongside the existing assets.
|
|
run: >-
|
|
gh release upload
|
|
"$GITHUB_REF_NAME" dist/*.sigstore.json
|
|
--repo "$GITHUB_REPOSITORY"
|
|
--clobber
|