From 3a6a899e87da502f56a5e6a3e58b10325588ea57 Mon Sep 17 00:00:00 2001 From: EshtiakAlam Date: Tue, 28 Apr 2026 12:55:15 +0600 Subject: [PATCH 1/4] [EC3-2437] Move optimizely-platform to Artifact Registry - Add GitHub Actions workflow for publishing to Google Artifact Registry - Update setup.py for SCM versioning --- .github/workflows/publish.yaml | 55 ++++++++++++++++++++++++++++++++++ setup.py | 9 +++--- 2 files changed, 60 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/publish.yaml diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml new file mode 100644 index 0000000..b225454 --- /dev/null +++ b/.github/workflows/publish.yaml 
@@ -0,0 +1,55 @@
+name: Release and Publish to Google Artifact Registry
+
+permissions:
+ id-token: write
+ contents: read
+
+on:
+ push:
+ tags:
+ - "v*.*.*"
+
+jobs:
+ publish-gar:
+ name: Build and Publish to GAR
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Validate tag format
+ run: |
+ TAG="${{ github.ref_name }}"
+ VERSION="${TAG#v}"
+ if ! [[ $VERSION =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Error: Invalid version format '$VERSION'. Expected format: x.y.z"
+ exit 1
+ fi
+ echo "Releasing version: $VERSION (from tag: $TAG)"
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+
+ - name: Install build dependencies
+ run: pip install build twine setuptools-scm
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@v3
+ with:
+ token_format: "access_token"
+ workload_identity_provider: "projects/668763687485/locations/global/workloadIdentityPools/github/providers/github"
+ service_account: "github-experimentation@optimizely-iac.iam.gserviceaccount.com"
+
+ - name: Build and Publish
+ run: |
+ python -m build
+ python -m twine upload \
+ --repository-url https://us-east1-python.pkg.dev/artifact-registry-e3ca/private-python/ \
+ --username oauth2accesstoken \
+ --password ${{ steps.auth.outputs.access_token }} \
+ dist/*
diff --git a/setup.py b/setup.py
index 5b6c587..445449a 100644
--- a/setup.py
+++ b/setup.py
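Review bot: In the new publish.yaml (patch 1/4), the `Build and Publish` step expands `${{ steps.auth.outputs.access_token }}` directly into the shell script and passes it as `--password`, so the token ends up in the rendered script and in the process argument list. twine reads credentials from the environment, so the step can carry an `env:` block with `TWINE_USERNAME: oauth2accesstoken` and `TWINE_PASSWORD: ${{ steps.auth.outputs.access_token }}` and drop both flags. `python -m build` also runs in this step, after `Authenticate to Google Cloud`, which means setup.py and its build requirements execute while the credential is reachable; moving the build into its own step ahead of the auth step narrows that window. The actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-python@v5`, `google-github-actions/auth@v3`) in a job that holds `id-token: write`, and `pip install build twine setuptools-scm` is unpinned; pinning the actions to full commit SHAs and the tools to fixed versions is the usual hardening for a publishing job.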
@@ -1,17 +1,18 @@ from setuptools import setup from setuptools import find_packages - - + + setup( name='optimizely-platform', - version='0.0.7', + use_scm_version=True, + setup_requires=['setuptools-scm'], description='Package providing modules needed to build add-ons that run natively in the Optimizely platform.', author='Jon Gaulding, Tyler Jones, Peng-Wen Chen, Ali Rizvi', author_email='developers@optimizely.com', license='MIT', url='https://github.com/optimizely/optimizely-platform', download_url='https://github.com/optimizely/optimizely-platform/tarball/0.0.7', - keywords = ['optimizely', 'platform', 'integration', 'add-on'], + keywords=['optimizely', 'platform', 'integration', 'add-on'], classifiers=[ 'Development Status :: 4 - Beta', 'Environment :: Web Environment', From 5618eeefef1f30e6d7fcf06597275efde6fa92c0 Mon Sep 17 00:00:00 2001 From: EshtiakAlam Date: Tue, 28 Apr 2026 15:28:26 +0600 Subject: [PATCH 2/4] Remove download_url from setup.py --- setup.py | 1 - 1 file changed, 1 deletion(-) diff --git a/setup.py b/setup.py index 445449a..015896c 100644 --- a/setup.py +++ b/setup.py @@ -11,7 +11,6 @@ author_email='developers@optimizely.com', license='MIT', url='https://github.com/optimizely/optimizely-platform', - download_url='https://github.com/optimizely/optimizely-platform/tarball/0.0.7', keywords=['optimizely', 'platform', 'integration', 'add-on'], classifiers=[ 'Development Status :: 4 - Beta', From 7e9c365c450d378bc33821cd172ea7b8a7578e93 Mon Sep 17 00:00:00 2001 From: EshtiakAlam Date: Tue, 28 Apr 2026 17:45:35 +0600 Subject: [PATCH 3/4] - Fix artipacked vulnerability by disabling persist-credentials in checkout --- .github/workflows/publish.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index b225454..a1980d0 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml 
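Review bot: In the setup.py hunk of patch 1/4, `setup_requires=['setuptools-scm']` makes setuptools fetch the plugin while setup.py runs, with no version bound, and setuptools documents `setup_requires` as deprecated in favour of declaring build requirements in pyproject.toml. Since the workflow builds with `python -m build`, a `[build-system]` table with `requires = ["setuptools", "setuptools-scm"]` (with version bounds) would make the build dependency explicit and reviewable; whether the repository already has a pyproject.toml is not visible in this patch. With `use_scm_version=True` the published version is derived from git metadata, so a one-line comment such as `# version comes from the git tag via setuptools-scm; release tags must be vX.Y.Z` above that argument would help the next maintainer. The `setup(...)` call continues past the end of the hunk.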
@@ -18,6 +18,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Validate tag format run: | From 39ce388f7c3a5ff03898ac9ad29f8387d99564b1 Mon Sep 17 00:00:00 2001 From: EshtiakAlam Date: Wed, 29 Apr 2026 21:53:41 +0600 Subject: [PATCH 4/4] - Enhance publish workflow: add validation for GitHub Release and tag checks Co-authored-by: Copilot --- .github/workflows/publish.yaml | 27 +++++++++++++++++++++++++-- README.md | 9 +++++++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index a1980d0..c86a2c6 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -21,8 +21,9 @@ jobs: persist-credentials: false - name: Validate tag format + env: + TAG: ${{ github.ref_name }} run: | - TAG="${{ github.ref_name }}" VERSION="${TAG#v}" if ! [[ $VERSION =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "Error: Invalid version format '$VERSION'. Expected format: x.y.z" 
@@ -30,10 +31,32 @@ jobs: fi echo "Releasing version: $VERSION (from tag: $TAG)" + - name: Verify GitHub Release exists + env: + GH_TOKEN: ${{ github.token }} + TAG: ${{ github.ref_name }} + run: | + if ! gh release view "$TAG" --repo "$GITHUB_REPOSITORY" > /dev/null 2>&1; then + echo "Error: No GitHub Release found for tag '$TAG'." + echo "Create a release via GitHub UI instead of pushing tags manually." + exit 1 + fi + + - name: Verify tag is on master + env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + run: | + git fetch origin "$DEFAULT_BRANCH" --quiet + if ! git merge-base --is-ancestor "$GITHUB_SHA" "origin/$DEFAULT_BRANCH"; then + echo "Error: Tag commit $GITHUB_SHA is not reachable from origin/$DEFAULT_BRANCH." + echo "Only tags on the $DEFAULT_BRANCH branch can be published." + exit 1 + fi + - name: Set up Python uses: actions/setup-python@v5 with: - python-version: '3.x' + python-version: "3.x" - name: Install build dependencies run: pip install build twine setuptools-scm diff --git a/README.md b/README.md index 93d8842..241c1f6 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,10 @@ -# optimizely-platform [![Build Status](https://travis-ci.org/optimizely/optimizely-platform.svg?branch=master)](https://travis-ci.org/optimizely/optimizely-platform) +# optimizely-platform A Python package providing modules needed to build add-ons that run natively in the Optimizely platform. -TODO(jon): Add link to documentation once it's up. +## Releasing + +1. Merge your changes to `master`. +2. [Create a GitHub Release](../../releases/new) with a tag in the format `vX.Y.Z` (e.g. `v1.2.3`). + +The `publish.yaml` workflow builds and publishes to Google Artifact Registry. It will reject tags that aren't strict semver, lack a GitHub Release, or aren't on `master`.
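Review bot: The two guards added to publish.yaml in patch 4/4 (`Verify GitHub Release exists`, `Verify tag is on master`) are steps of the workflow file they are meant to protect, and for a tag push GitHub runs the workflow as it exists at the tagged commit, so they catch accidental releases but do not by themselves limit what an identity with push access can publish. The enforcing controls would sit outside the file: a tag ruleset restricting who may create `v*` tags, an `environment:` with protection rules on the `publish-gar` job, and an attribute condition on the workload identity provider. Within the hunk, `gh release view "$TAG" ... > /dev/null 2>&1` reports every failure (token scope, network, API error) as a missing release; dropping `2>&1` keeps the real cause in the log while still failing closed. The step is named `Verify tag is on master` but compares against `github.event.repository.default_branch`, so `Verify tag is on the default branch` would match what it does.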