From 91782c38d66c8867ce0a85bf566f89132e3630d9 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Thu, 6 Nov 2025 12:13:36 +0000
Subject: [PATCH 1/3] Remove reusable workflow because it's not supported by trusted publishing.
---
.github/workflows/publish-reusable.yml | 89 ----------------------
.github/workflows/publish-to-testpypi.yaml | 80 ++++++++++++++-----
2 files changed, 62 insertions(+), 107 deletions(-)
delete mode 100644 .github/workflows/publish-reusable.yml
diff --git a/.github/workflows/publish-reusable.yml b/.github/workflows/publish-reusable.yml
deleted file mode 100644
index 5c06513..0000000
--- a/.github/workflows/publish-reusable.yml
+++ /dev/null
@@ -1,89 +0,0 @@ -name: Publish (reusable workflow) - -on: - workflow_call: - inputs: - version: - description: 'Version number or tag for the release. For example: v1.0.1' - required: true - type: string - release_notes: - description: 'Release notes' - required: true - type: string - repository_url: - description: 'This is the repository-url parameter for pypa/gh-action-pypi-publish' - required: true - type: string - environment_name: - description: 'Name for PyPI/TestPyPI environment' - type: string - required: true - environment_url: - description: 'URL for PyPI/TestPyPI environment' - type: string - required: true - secrets: - GH_TOKEN: - required: true - -permissions: - contents: write - id-token: write # For trusted publishing - -jobs: - publish: - name: Build - runs-on: ubuntu-latest - environment: - name: ${{ inputs.environment_name }} - url: ${{ inputs.environment_url }} - env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - GITHUB_REPO: ${{ github.repository }} - - steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - - - name: Set up Python - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 - with: - python-version: "3.13" - - - name: Install Hatch - run: pip install --upgrade hatch - - - name: Build the wheel - run: python3 -m hatch build - - - name: Upload artifacts - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - name: python-package-distributions - path: dist/ - - - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 - with: - repository-url: ${{ inputs.repository_url }} - - - name: Sign with sigstore - uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0 - with: - inputs: >- - ./dist/*.tar.gz - ./dist/*.whl - - - name: Create GitHub Release - env: - VERSION: ${{ inputs.version }} - NOTES: ${{ 
inputs.release_notes }} - run: gh release create $VERSION --repo $GITHUB_REPO --notes $NOTES - - - name: Upload GitHub Release - env: - VERSION: ${{ inputs.version }} - run: gh release upload $VERSION dist/** --repo $GITHUB_REPO diff --git a/.github/workflows/publish-to-testpypi.yaml b/.github/workflows/publish-to-testpypi.yaml index 9f568d5..dcee11e 100644 --- a/.github/workflows/publish-to-testpypi.yaml +++ b/.github/workflows/publish-to-testpypi.yaml 
@@ -1,26 +1,70 @@ name: Publish to TestPyPI -on: - workflow_dispatch: - inputs: - version: - description: 'Version name for release. Must start with: "test-release-".' - required: true - +on: workflow_dispatch jobs: publish: - name: Publish wheel to TestPyPI + name: Build + runs-on: ubuntu-latest + + # This environment is required as an input to pypa/gh-action-pypi-publish + environment: + name: testpypi + url: https://test.pypi.org/p/seclab-taskflow-agent2 + + env: + GITHUB_REPO: ${{ github.repository }} + permissions: contents: write id-token: write # For trusted publishing - if: startsWith(inputs.version, 'test-release-') - uses: ./.github/workflows/publish-reusable.yml - with: - version: ${{ inputs.version }} - release_notes: ${{ github.head_ref }} - repository_url: https://test.pypi.org/legacy/ - environment_name: testpypi - environment_url: https://test.pypi.org/p/seclab-taskflow-agent2 - secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + steps: + - name: Generate unique name for the test release + id: create_release_name + run: echo "RELEASE_NAME=test-release-`date -Is --utc`" >> $GITHUB_OUTPUT + + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Set up Python + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 + with: + python-version: "3.13" + + - name: Install Hatch + run: pip install --upgrade hatch + + - name: Build the wheel + run: python3 -m hatch build + + - name: Upload artifacts + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: python-package-distributions + path: dist/ + + - name: Publish to PyPI + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 + with: + repository-url: https://test.pypi.org/legacy/ + + - name: Sign with sigstore + uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0 + with: + 
inputs: >- + ./dist/*.tar.gz + ./dist/*.whl + + - name: Create GitHub Release + env: + RELEASE_NAME: ${{ steps.create_release_name.outputs.RELEASE_NAME }} + NOTES: ${{ github.head_ref }} + run: gh release create $RELEASE_NAME --repo $GITHUB_REPO --notes $NOTES + + - name: Upload GitHub Release + env: + RELEASE_NAME: ${{ steps.create_release_name.outputs.RELEASE_NAME }} + run: gh release upload $RELEASE_NAME dist/** --repo $GITHUB_REPO From 9b029a5afa415f244638cc1fb094e46b919d5044 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Thu, 6 Nov 2025 12:18:39 +0000 Subject: [PATCH 2/3] Fix typo --- .github/workflows/publish-to-testpypi.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-to-testpypi.yaml b/.github/workflows/publish-to-testpypi.yaml index dcee11e..e5a1131 100644 --- a/.github/workflows/publish-to-testpypi.yaml +++ b/.github/workflows/publish-to-testpypi.yaml @@ -46,7 +46,7 @@ jobs: name: python-package-distributions path: dist/ - - name: Publish to PyPI + - name: Publish to TestPyPI uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: repository-url: https://test.pypi.org/legacy/ From cc013bbaaf21ec1a71c4cb6b889fa483581f48c4 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Thu, 6 Nov 2025 12:25:01 +0000 Subject: [PATCH 3/3] Address copilot comments --- .github/workflows/publish-to-testpypi.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-to-testpypi.yaml b/.github/workflows/publish-to-testpypi.yaml index e5a1131..8d91529 100644 --- a/.github/workflows/publish-to-testpypi.yaml +++ b/.github/workflows/publish-to-testpypi.yaml 
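Review bot: In the `publish` job added by PATCH 1/3, `id-token: write` and `contents: write` are granted to the whole job, so `pip install --upgrade hatch` and `python3 -m hatch build` run in the same job that is allowed to request the trusted-publishing OIDC token. Every action is pinned to a commit SHA, but hatch is pulled unpinned at run time; pin it, for example `run: pip install hatch==<pinned-version>` (placeholder), or install it from a hash-checked requirements file. Better still, build in a separate job with no extra permissions and keep only the artifact download, `pypa/gh-action-pypi-publish` and the release steps in the job that carries `id-token: write` and the `testpypi` environment; both jobs stay in this workflow file, so trusted publishing should be unaffected. Separately, `date -Is --utc` produces a value containing `:` and `+`, and `:` is not valid in a git ref name, so `gh release create $RELEASE_NAME` will probably be rejected; a colon-free format such as `date --utc +%Y%m%dT%H%M%SZ` avoids that.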
@@ -60,11 +60,13 @@ jobs: - name: Create GitHub Release env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE_NAME: ${{ steps.create_release_name.outputs.RELEASE_NAME }} - NOTES: ${{ github.head_ref }} + NOTES: "Test Release" run: gh release create $RELEASE_NAME --repo $GITHUB_REPO --notes $NOTES - name: Upload GitHub Release env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE_NAME: ${{ steps.create_release_name.outputs.RELEASE_NAME }} run: gh release upload $RELEASE_NAME dist/** --repo $GITHUB_REPO
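Review bot: `--notes $NOTES` in the "Create GitHub Release" step is unquoted, so with the new value `NOTES: "Test Release"` the shell splits it into two words and `gh release create` receives `Release` as an extra positional argument instead of as part of the notes. Quote the expansions in both run lines: `run: gh release create "$RELEASE_NAME" --repo "$GITHUB_REPO" --notes "$NOTES"` and `run: gh release upload "$RELEASE_NAME" dist/** --repo "$GITHUB_REPO"`. Scoping `GITHUB_TOKEN` to these two steps rather than to the job keeps it out of the build steps' environment, which is worth preserving if the job is later restructured.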