[AAASM-1217] ✨ (ci): Add matrix wheel build + PyPI Trusted Publisher workflow#55
Merged
Chisanan232 merged 7 commits on May 23, 2026
Workflow header — triggered on v*.*.* tag push (publish path) and workflow_dispatch (dry-run path). id-token: write permission and no stored PyPI token: the publish step uses Trusted Publisher OIDC per the F112 spec in AAASM-1202. Real matrix build + publish jobs added in follow-up commits. AAASM-1217
Replaces the noop placeholder. Produces dist/*.tar.gz via maturin-action's sdist command — the source archive that lets users build from source without a prebuilt wheel. Artifact name 'wheels-sdist' chosen so the publish job's `pattern: wheels-*` glob picks it up alongside per-platform wheels. AAASM-1217
First platform wheel job. Three notable parts:
1. Stage step downloads the prebuilt aasm-linux-x86_64 artifact from the upstream agent-assembly repo and places it at agent_assembly/bin/aasm — picked up by maturin's include glob.
2. Untrusted-input safety: AASM_REPO is sourced via env: from the workflow-level env var (already a static string), not interpolated directly into the run script.
3. maturin-action with manylinux: auto produces a wheel with the correct manylinux platform tag for broad pip compatibility.
If the upstream binary isn't published yet, the step logs a warning and continues, producing an SDK-only wheel. AAASM-1217
Same shape as the x86_64 job; maturin-action's QEMU-based cross-build support handles aarch64 from ubuntu-latest. Downloads aasm-linux-aarch64 from upstream agent-assembly releases. AAASM-1217
Runs on macos-14 (Apple silicon) and produces the wheel for the common modern Mac. Native build — no cross-compile overhead — so maturin-action picks up the host target directly. AAASM-1217
Runs on macos-13 (Intel runner) for the legacy Mac target. Same structure as the arm64 job; binary download pattern is aasm-macos-x86_64 to match the expected upstream release asset name. AAASM-1217
Downloads every wheels-* artifact (sdist + 4 platform wheels) into dist/ and uploads them via pypa/gh-action-pypi-publish using the Trusted Publisher OIDC flow — no long-lived PyPI API token is stored in repo secrets. `if:` guard ensures the publish step only fires on actual v*.*.* tag pushes; workflow_dispatch runs build only (dry-run). `environment: pypi` links to the GitHub Environment that PyPI's Trusted Publisher registration will check against. Setup steps (register publisher on pypi.org, create the pypi env in repo settings) documented in the PR description for AAASM-1217. AAASM-1217
Description
Adds `.github/workflows/release-python.yml` implementing the GitHub Actions release pipeline called out in Story AAASM-1202:
- `v*.*.*` tag push (real release) and `workflow_dispatch` (dry-run / staged validation).
- `build-sdist` — pure-Python source distribution via `maturin sdist`
- `build-linux-x86_64` — manylinux_x86_64 wheel
- `build-linux-aarch64` — manylinux_aarch64 wheel
- `build-macos-arm64` — macosx_arm64 wheel (macos-14, Apple silicon)
- `build-macos-x86_64` — macosx_x86_64 wheel (macos-13, Intel)
- `aasm` sidecar binary from `AI-agent-assembly/agent-assembly` releases, placed at `agent_assembly/bin/aasm` so maturin's `include` glob picks it up at build time. If the upstream asset isn't published yet, the job logs a warning and ships an SDK-only wheel.
- Downloads every `wheels-*` artifact, then uploads via `pypa/gh-action-pypi-publish` using PyPI Trusted Publisher (OIDC). No long-lived API token in repo secrets. Guarded by `if: github.event_name == 'push'` so `workflow_dispatch` is build-only.
PyPI Trusted Publisher setup (one-time, outside this PR)
After merge, complete these manual steps before tagging a release:
1. Register the Trusted Publisher on pypi.org for `agent-assembly` with: `AI-agent-assembly` / `python-sdk` / `release-python.yml` / `pypi`.
2. Create the `pypi` environment in repo settings (optionally with required reviewers).
Type of Change
Breaking Changes
New workflow file; nothing else touched. No effect on existing CI.
Related Issues
- `[tool.maturin]` config the workflow targets
Testing
Validations:
- `python -c "import yaml; yaml.safe_load(open('.github/workflows/release-python.yml'))"` parses cleanly
- No `${{ github.event.* }}` interpolation in any `run:` script — repo name is sourced from workflow `env:` only
End-to-end exercise (matrix build + dry-run publish path) is the verification scope of AAASM-1219.
Checklist
Commits (this PR's scope only — AAASM-1217)
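The shape the commits and description above lay out, written out as an added example rather than the PR's own `release-python.yml`: it shows one Linux build job plus the publish job, with the two security-relevant choices (the repo name read as a plain env var instead of `${{ }}`-spliced into the script, and OIDC with no stored PyPI secret) made explicit. The `gh release download` stage step, the `PyO3/maturin-action` inputs and the `actions/*` versions are assumptions, and `id-token: write` is scoped to the publish job here instead of the workflow header.

```yaml
on:
  push:
    tags: ["v*.*.*"]
  workflow_dispatch:
permissions:
  contents: read   # default for every job; id-token is granted only where it is used
env:
  # Static workflow-level string; run: scripts read $AASM_REPO, never a ${{ }} splice
  AASM_REPO: AI-agent-assembly/agent-assembly
jobs:
  build-linux-x86_64:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Stage aasm sidecar (warn and continue if the upstream asset is missing)
        env:
          GH_TOKEN: ${{ github.token }}   # assumed: gh CLI used for the download
        run: |
          mkdir -p agent_assembly/bin
          if gh release download --repo "$AASM_REPO" --pattern aasm-linux-x86_64 \
               --output agent_assembly/bin/aasm; then
            chmod +x agent_assembly/bin/aasm
          else
            echo "::warning::no aasm-linux-x86_64 asset in $AASM_REPO; building SDK-only wheel"
          fi
      - uses: PyO3/maturin-action@v1
        with:
          command: build
          args: --release --out dist
          manylinux: auto
      - uses: actions/upload-artifact@v4
        with:
          name: wheels-linux-x86_64   # matches the publish job's wheels-* glob
          path: dist
  publish:
    needs: [build-linux-x86_64]
    if: github.event_name == 'push'   # tag push publishes; workflow_dispatch is build-only
    runs-on: ubuntu-latest
    environment: pypi                 # must match the Trusted Publisher registration
    permissions:
      contents: read
      id-token: write                 # OIDC token for PyPI; no long-lived API secret
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: wheels-*
          path: dist
          merge-multiple: true
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Because the OIDC token is minted per job and bound to the `pypi` environment, a compromised build job cannot publish on its own; only the guarded publish job holds `id-token: write`.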