cd: add PyPI release workflow with trusted publishing #20
Merged
kavya-chennoju merged 2 commits into main, Apr 23, 2026
Publishes device-connect-edge, -server, -agent-tools to PyPI when a vX.Y.Z tag is pushed. Uses OIDC trusted publishing via the 'pypi' environment (no stored tokens). A version guard fails the build if the tag doesn't match the package's pyproject.toml version.
atsyplikhin added a commit that referenced this pull request, Apr 22, 2026
- Resolve release version from inputs.ref || github.ref_name and require v* shape, so workflow_dispatch cannot bypass the guard.
- Parse pyproject.toml with tomllib instead of grep|sed (robust to quoting style and dynamic version keys).
- fail-fast=true on publish matrix: build already proved all three artifacts valid, and PyPI rejects re-uploads of the same version, so a half-succeeded publish can't be cleanly retried.
Addresses review comments #1-#3 on PR #20.
Co-Authored-By: Kavya Chennoju <kavya.chennoju@arm.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Resolve release version from inputs.ref || github.ref_name and require v* shape, so workflow_dispatch cannot bypass the guard.
- Parse pyproject.toml with tomllib instead of grep|sed (robust to quoting style and dynamic version keys).
- fail-fast=true on publish matrix: build already proved all three artifacts valid, and PyPI rejects re-uploads of the same version, so a half-succeeded publish can't be cleanly retried.
Addresses review comments #1-#3 on PR #20.
Co-Authored-By: Kavya Chennoju <kavya.chennoju@arm.com>
a71c324 to 8715de1
Summary
Adds .github/workflows/release.yml so a vX.Y.Z tag push publishes all three packages (device-connect-edge, device-connect-server, device-connect-agent-tools) to PyPI.
- v* (or workflow_dispatch with a ref).
- arm/device-connect + release.yml + pypi environment as the trusted publisher.
- pypi environment: deployments require reviewer approval (configured in repo Settings → Environments).
- pyproject.toml version, preventing mismatched releases.

Release procedure (after this merges)
- version in each packages/*/pyproject.toml in lockstep.
- main.
- git tag -a vX.Y.Z -m "Release X.Y.Z" && git push origin vX.Y.Z.
- pypi environment deployment in the Actions UI.

Context
Currently main is at 0.2.2 (published via a one-off twine upload today). PyPI and main drift was the motivation — going forward, PyPI only updates from tagged commits that pass the version guard.

Test plan
- ci.yml) still runs on this PR and passes.