fix: pypi publish pipeline and workflows

[akshitsinha]

Summary

Fixes the release pipeline so the PyPI publish actually fires after the automated release PR is merged, runs Python checks before any tag is created, and produces a clean release PR with a single changelog section per version.

Changes

Release flow

• release.yml now runs TypeScript and Python checks in parallel before changesets/action runs. Tag creation and npm publish only happen if both pass.
• PyPI publish is no longer triggered by a tag push (which never fired reliably due to the / in @cloudflare/flagship-python@*). publish-pypi.yml is now a reusable workflow called directly from release.yml, gated on steps.changesets.outputs.published == 'true' — so PyPI only publishes on actual releases, not every merge to main.
• publish-pypi.yml no longer re-runs Python checks (already validated in release.yml).

Single canonical release package

• changeset-version.ts now rewrites every SDK changeset to target @cloudflare/flagship, so the release PR body and changelog only show one section per version.
• Private SDK versions (@cloudflare/flagship-python) are still synced to match, but they no longer appear as separate release entries.
• privatePackages.tag set to false — only one git tag per release (@cloudflare/flagship@x.y.z).
• Generated sdks/python/CHANGELOG.md is deleted automatically after pnpm changeset version.

Native lockfile sync

• changeset-version.ts now runs uv lock after bumping sdks/python/pyproject.toml, so the release PR includes an up-to-date uv.lock. Without this, uv sync --locked in CI would fail when processing the release PR.
• setup-uv added to the publish job in release.yml so uv lock is available during the version step.

Workflow consistency cleanup

• All astral-sh/setup-uv references pinned to SHA across release.yml, publish-pypi.yml, and pull-request.yml.
• Python jobs now run uv sync --group dev --locked once, then invoke tools directly — no more per-tool auto-sync.
• Removed wasteful needs: typescript-build and needs: python-build dependencies from typecheck/test jobs in pull-request.yml. Those jobs were sequentially gated on a build whose artifacts they never consumed.
• Removed redundant permissions block on the reusable-workflow caller (reusable workflows define their own).

Release flow after this PR

1. Merge a PR with a changeset → release.yml runs checks → changesets/action creates/updates the release PR.
2. Merge the release PR → release.yml runs checks again → changesets/action publishes @cloudflare/flagship to npm and creates the tag → publish-pypi.yml is invoked → PyPI publishes via OIDC trusted publishing.

Regular merges to main (no changesets) run the checks but skip publish entirely.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@cloudflare/flagship@18

commit: 727d1d5