From 5e179feb2c3ec563d908c4ba87cda66d176d081f Mon Sep 17 00:00:00 2001 From: Pouyanpi <13303554+Pouyanpi@users.noreply.github.com> Date: Thu, 9 Oct 2025 09:43:26 +0200 Subject: [PATCH 1/3] ci: fix publish pypi workflow to read from dist --- .github/workflows/publish-pypi-approval.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-pypi-approval.yml b/.github/workflows/publish-pypi-approval.yml index 7f41c8d78..f260dfcf7 100644 --- a/.github/workflows/publish-pypi-approval.yml +++ b/.github/workflows/publish-pypi-approval.yml @@ -49,18 +49,19 @@ jobs: uses: actions/download-artifact@v4 with: name: ${{ steps.version.outputs.artifact_name }} + path: dist github-token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.repository }} run-id: ${{ github.event.workflow_run.id }} - name: List files - run: ls -la + run: ls -la dist/ - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: verbose: true - packages-dir: ./ + packages-dir: dist/ - name: Create GitHub Release env: From 44061c7ea096111cafa50650bab62298cfe80d34 Mon Sep 17 00:00:00 2001 From: Pouyanpi <13303554+Pouyanpi@users.noreply.github.com> Date: Thu, 9 Oct 2025 09:55:43 +0200 Subject: [PATCH 2/3] resolve PyPI publish workflow trigger and reliability issues --- .github/workflows/publish-pypi-approval.yml | 46 ++++++++++++++++----- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/.github/workflows/publish-pypi-approval.yml b/.github/workflows/publish-pypi-approval.yml index f260dfcf7..bca8b27e1 100644 --- a/.github/workflows/publish-pypi-approval.yml +++ b/.github/workflows/publish-pypi-approval.yml 
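Review bot: In the `@@ -49,18 +49,19 @@` hunk, `packages-dir: dist/` uploads whatever the artifact from run `github.event.workflow_run.id` contains, and `ls -la dist/` only prints it; no step visible here checks that the directory holds just the sdist and wheel for the detected version. Consider making the listing step fail on unexpected file names, with the version passed in through `env:` rather than interpolated into the script. The publish step is also referenced by the mutable ref `release/v1`; pinning it as `uses: pypa/gh-action-pypi-publish@<full-commit-sha>` keeps the code that performs the upload fixed between reviews. The step list continues outside the hunk.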
@@ -8,24 +8,40 @@ on: jobs: publish-pypi: - if: github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'v') + if: github.event.workflow_run.conclusion == 'success' runs-on: ubuntu-latest environment: name: pypi-production url: https://pypi.org/project/nemoguardrails/ permissions: - contents: read + contents: write id-token: write steps: - - name: Extract version from tag + - name: Checkout repository for tag detection + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Detect version tag and extract info id: version run: | - TAG_NAME="${{ github.event.workflow_run.head_branch }}" + COMMIT_SHA="${{ github.event.workflow_run.head_sha }}" + + TAG_NAME=$(git tag --points-at "$COMMIT_SHA" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -1) + + if [ -z "$TAG_NAME" ]; then + echo "❌ No version tag found at commit $COMMIT_SHA" + echo "Available tags at this commit:" + git tag --points-at "$COMMIT_SHA" || echo " (none)" + exit 1 + fi + VERSION="${TAG_NAME#v}" echo "version=${VERSION}" >> $GITHUB_OUTPUT echo "tag=${TAG_NAME}" >> $GITHUB_OUTPUT echo "artifact_name=${TAG_NAME}-build" >> $GITHUB_OUTPUT + echo "✅ Detected version tag: $TAG_NAME" - name: Checkout repository uses: actions/checkout@v4 @@ -62,6 +78,7 @@ jobs: with: verbose: true packages-dir: dist/ + attestations: true - name: Create GitHub Release env: 
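Review bot: In the `@@ -8,24 +8,40 @@` hunk, `contents: write` now applies to the whole job next to `id-token: write`, and the added `actions/checkout@v4` step keeps the token in the local git config by default, where later steps in the job, including the third-party publish action, can read it. Add `persist-credentials: false` under `with:` on this checkout and on the existing one below it, assuming the release step receives its token through `env:` (that block is cut off here). The tag filter has no end anchor and `head -1` silently picks one tag when several point at the commit, and the result becomes the checkout `ref:` and the artifact name; `grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$'` (or an explicit pre-release suffix list) plus a failure on more than one match would make the selection deterministic. With the `startsWith(..., 'v')` condition removed, this step looks like the only thing in the job that ties a triggering run to a release tag (the `on:` block is outside the hunk), so it deserves a comment saying so.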
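Review bot: In the `@@ -62,6 +78,7 @@` hunk, `attestations: true` deserves a comment on what the attestation covers: it is produced in this publishing job, while the files in `dist/` are downloaded from a different workflow run, so it records which workflow uploaded the files rather than how they were built. A line such as `# attests the publishing workflow identity; dists are built in the triggering run` above the key would keep readers from treating it as build provenance. If build provenance is wanted, it would have to be generated in the workflow that builds the artifact.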
@@ -86,11 +103,20 @@ jobs: echo "$CHANGELOG_SECTION" > release_notes.md - gh release create "$TAG_NAME" \ - --draft \ - --title "$TAG_NAME" \ - --notes-file release_notes.md \ - --repo ${{ github.repository }} \ - || echo "Release already exists or failed to create" + if gh release view "$TAG_NAME" --repo ${{ github.repository }} >/dev/null 2>&1; then + echo "ℹ️ Release $TAG_NAME already exists, skipping creation" + else + if gh release create "$TAG_NAME" \ + --draft \ + --title "$TAG_NAME" \ + --notes-file release_notes.md \ + --repo ${{ github.repository }}; then + echo "✅ Release $TAG_NAME created successfully" + else + echo "❌ Failed to create release $TAG_NAME" >&2 + rm -f release_notes.md + exit 1 + fi + fi rm -f release_notes.md From 9ab64ef3df70dff3770fb12d2b040a75e52169d1 Mon Sep 17 00:00:00 2001 From: Pouyanpi <13303554+Pouyanpi@users.noreply.github.com> Date: Thu, 9 Oct 2025 13:12:57 +0200 Subject: [PATCH 3/3] fix --- .github/workflows/publish-pypi-approval.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/publish-pypi-approval.yml b/.github/workflows/publish-pypi-approval.yml index bca8b27e1..06f489965 100644 --- a/.github/workflows/publish-pypi-approval.yml +++ b/.github/workflows/publish-pypi-approval.yml @@ -47,9 +47,6 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ steps.version.outputs.tag }} - sparse-checkout: | - pyproject.toml - CHANGELOG.md - name: Validate version matches tag run: |
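Review bot: In the `@@ -86,11 +103,20 @@` hunk, the new `exit 1` branch runs after the `Publish to PyPI` step, so a failed `gh release create` now marks the job failed although the package is already public, and a re-run would attempt the upload again. Moving release creation into its own job that depends on the publish job would let a retry touch only the release, and would confine `contents: write` to that job. `gh release view ... >/dev/null 2>&1` also hides authentication and API errors, so those are treated the same as "release not found"; keeping stderr visible would help when diagnosing a failed run. The duplicated cleanup could be one `trap 'rm -f release_notes.md' EXIT` at the top of the script, which starts outside this hunk.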