Improve release process

.github/workflows/ci.yml

@@ -29,12 +29,6 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Guard src-py-lib subtree
-        if: github.event_name == 'pull_request'
-        env:
-          ALLOW_SRC_PY_LIB_SUBTREE_CHANGE: ${{ contains(github.event.pull_request.labels.*.name, 'src-py-lib subtree') && '1' || '' }}
-        run: ./dev/check-src-py-lib-subtree.sh --branch '${{ github.event.pull_request.base.sha }}'
-
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -50,10 +44,10 @@ jobs:
         run: uv lock --check
 
       - name: Lint
-        run: uv run --frozen ruff check src_auth_perms_sync/ tests/
+        run: uv run --frozen ruff check .
 
       - name: Check formatting
-        run: uv run --frozen ruff format --check src_auth_perms_sync/ tests/
+        run: uv run --frozen ruff format --check .
 
       - name: Type check
         run: uv run --frozen pyright
@@ -65,16 +59,14 @@ jobs:
         run: uv run --frozen src-auth-perms-sync --help >/tmp/src-auth-perms-sync-help.txt
 
       - name: Build wheel
-        run: |
-          uv build --wheel git-subtree/src-py-lib --out-dir dist --no-create-gitignore
-          uv build --wheel --out-dir dist --no-create-gitignore
+        run: uv build --wheel --out-dir dist --no-create-gitignore
 
       - name: Smoke test installed wheel
         run: |
           python -m venv build/ci-venv
           . build/ci-venv/bin/activate
           python -m pip install --upgrade pip
-          python -m pip install dist/src_py_lib-*.whl dist/src_auth_perms_sync-*.whl
+          python -m pip install dist/src_auth_perms_sync-*.whl
           src-auth-perms-sync --help >/tmp/src-auth-perms-sync-installed-help.txt
           python -m src_auth_perms_sync --help >/tmp/src-auth-perms-sync-module-help.txt
 

.github/workflows/release.yml

@@ -80,6 +80,14 @@ jobs:
             echo "::error title=Missing tag::Tag '${release_tag}' was not fetched. Create and push it before running this workflow."
             exit 1
           fi
+          tag_revision="$(git rev-list -n 1 "${release_tag}")"
+          git fetch --no-tags origin main
+          main_revision="$(git rev-parse origin/main)"
+          if ! git merge-base --is-ancestor "${tag_revision}" "${main_revision}"; then
+            echo "::error title=Tag is not on main::Tag '${release_tag}' points at ${tag_revision}, which is not reachable from origin/main."
+            echo "::error::Merge the release PR first, then tag the main commit."
+            exit 1
+          fi
 
           project_version=$(uv run --frozen python - <<'PY'
           import tomllib
@@ -109,8 +117,8 @@ jobs:
           fi
 
           uv lock --check
-          uv run --frozen ruff check src_auth_perms_sync/
-          uv run --frozen ruff format --check src_auth_perms_sync/
+          uv run --frozen ruff check src/src_auth_perms_sync/
+          uv run --frozen ruff format --check src/src_auth_perms_sync/
           uv run --frozen pyright
           uv run --frozen src-auth-perms-sync --help >/tmp/src-auth-perms-sync-help.txt
 
@@ -129,7 +137,6 @@ jobs:
           rm -rf build/release
           mkdir -p "${wheelhouse_dir}" "${dist_dir}"
 
-          uv build --wheel git-subtree/src-py-lib --out-dir "${wheelhouse_dir}" --no-create-gitignore
           uv build --wheel --out-dir "${dist_dir}" --no-create-gitignore
           project_wheels=("${dist_dir}"/*.whl)
           if [[ "${#project_wheels[@]}" -ne 1 ]]; then
@@ -152,7 +159,11 @@ jobs:
             --frozen \
             --output-file "${requirements_file}"
 
-          grep -v '^\./git-subtree/src-py-lib$' "${requirements_file}" > "${runtime_requirements_file}"
+          cp "${requirements_file}" "${runtime_requirements_file}"
+          if grep -q '^\./' "${runtime_requirements_file}"; then
+            echo "::error title=Unexpected local dependency::Runtime requirements must resolve from PyPI."
+            exit 1
+          fi
 
           python -m pip wheel \
             --only-binary=:all: \
@@ -165,8 +176,6 @@ jobs:
             echo "::error title=Unexpected src-py-lib wheel count::Expected one src-py-lib wheel, found ${#src_py_lib_wheels[@]}."
             exit 1
           fi
-          src_py_lib_wheel_path="${src_py_lib_wheels[0]}"
-          src_py_lib_wheel_name="$(basename "${src_py_lib_wheel_path}")"
 
           cat > "${wheelhouse_dir}/INSTALL.txt" <<EOF
           # src-auth-perms-sync ${release_tag} offline install
@@ -179,11 +188,13 @@ jobs:
           pip install --no-index --find-links ./wheelhouse ${PACKAGE_NAME}
           src-auth-perms-sync --help
 
-          Connected install, for environments that can reach GitHub and PyPI:
+          Connected install from PyPI:
+
+          pip install ${PACKAGE_NAME}
+
+          GitHub release asset install, using the same project wheel uploaded to PyPI:
 
-          pip install \
-            "https://github.com/sourcegraph/src-auth-perms-sync/releases/download/${release_tag}/${src_py_lib_wheel_name}" \
-            "https://github.com/sourcegraph/src-auth-perms-sync/releases/download/${release_tag}/${project_wheel_name}"
+          pip install "https://github.com/sourcegraph/src-auth-perms-sync/releases/download/${release_tag}/${project_wheel_name}"
           EOF
 
           (cd "${wheelhouse_dir}" && shasum -a 256 *.whl > WHEELS.sha256)
@@ -210,8 +221,6 @@ jobs:
           echo "checksum_path=${checksum_path}" >> "${GITHUB_OUTPUT}"
           echo "project_wheel_path=${project_wheel_path}" >> "${GITHUB_OUTPUT}"
           echo "project_wheel_name=${project_wheel_name}" >> "${GITHUB_OUTPUT}"
-          echo "src_py_lib_wheel_path=${src_py_lib_wheel_path}" >> "${GITHUB_OUTPUT}"
-          echo "src_py_lib_wheel_name=${src_py_lib_wheel_name}" >> "${GITHUB_OUTPUT}"
 
       - name: Validate offline install from tarball
         run: |
@@ -235,7 +244,6 @@ jobs:
         run: |
           release_tag="${{ steps.release.outputs.tag }}"
           project_wheel_name="${{ steps.build.outputs.project_wheel_name }}"
-          src_py_lib_wheel_name="${{ steps.build.outputs.src_py_lib_wheel_name }}"
           notes_path="build/release/release-notes.md"
           cat > "${notes_path}" <<EOF
           ## Customer install
@@ -267,12 +275,16 @@ jobs:
           The tarball includes this project, \`src-py-lib\`, and all runtime wheels.
           Verify the download with the matching \`.sha256\` file.
 
-          ### Connected install
+          ### Connected PyPI install
 
           \`\`\`sh
-          pip install \
-            "https://github.com/sourcegraph/src-auth-perms-sync/releases/download/${release_tag}/${src_py_lib_wheel_name}" \
-            "https://github.com/sourcegraph/src-auth-perms-sync/releases/download/${release_tag}/${project_wheel_name}"
+          pip install ${PACKAGE_NAME}
+          \`\`\`
+
+          ### GitHub release asset install
+
+          \`\`\`sh
+          pip install "https://github.com/sourcegraph/src-auth-perms-sync/releases/download/${release_tag}/${project_wheel_name}"
           \`\`\`
           EOF
           echo "path=${notes_path}" >> "${GITHUB_OUTPUT}"
@@ -285,9 +297,15 @@ jobs:
             ${{ steps.build.outputs.asset_path }}
             ${{ steps.build.outputs.checksum_path }}
             ${{ steps.build.outputs.project_wheel_path }}
-            ${{ steps.build.outputs.src_py_lib_wheel_path }}
             ${{ steps.notes.outputs.path }}
 
+      - name: Upload PyPI artifact
+        if: matrix.platform == 'linux-x86_64'
+        uses: actions/upload-artifact@v7
+        with:
+          name: pypi-distributions
+          path: ${{ steps.build.outputs.project_wheel_path }}
+
       - name: Publish GitHub release assets
         env:
           GH_TOKEN: ${{ github.token }}
@@ -296,19 +314,43 @@ jobs:
           asset_path="${{ steps.build.outputs.asset_path }}"
           checksum_path="${{ steps.build.outputs.checksum_path }}"
           project_wheel_path="${{ steps.build.outputs.project_wheel_path }}"
-          src_py_lib_wheel_path="${{ steps.build.outputs.src_py_lib_wheel_path }}"
           notes_path="${{ steps.notes.outputs.path }}"
+          release_assets=("${asset_path}" "${checksum_path}")
+
+          if [[ "${{ matrix.platform }}" == "linux-x86_64" ]]; then
+            release_assets+=("${project_wheel_path}")
+          fi
 
           if gh release view "${release_tag}" >/dev/null 2>&1; then
             gh release edit "${release_tag}" --title "${release_tag}" --notes-file "${notes_path}"
-            gh release upload "${release_tag}" "${asset_path}" "${checksum_path}" "${project_wheel_path}" "${src_py_lib_wheel_path}" --clobber
+            gh release upload "${release_tag}" "${release_assets[@]}" --clobber
           else
             gh release create "${release_tag}" \
-              "${asset_path}" \
-              "${checksum_path}" \
-              "${project_wheel_path}" \
-              "${src_py_lib_wheel_path}" \
+              "${release_assets[@]}" \
               --title "${release_tag}" \
               --notes-file "${notes_path}" \
               --verify-tag
           fi
+
+  pypi:
+    name: Publish PyPI package
+    needs: wheelhouse
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write
+    environment:
+      name: pypi
+      url: https://pypi.org/project/src-auth-perms-sync/
+
+    steps:
+      - name: Download built distribution
+        uses: actions/download-artifact@v7
+        with:
+          name: pypi-distributions
+          path: dist
+
+      - name: Publish PyPI package
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist

.gitignore

@@ -1,18 +1,23 @@
 # Ignore
-__pycache__/
+__pycache__
+.DS_Store
+.playwright-mcp
+.pypirc
+.pyright
+.pytest_cache
 .ruff_cache
 .venv
-*.egg-info
-*.env
+*.env*
 *.gql
+*.py[cod]
 *.py[oc]
 *.yaml
-src-auth-perms-sync-runs/
 build/
 dist/
+src-auth-perms-sync-runs/
 wheels/
 
 # Allow
 !.env.example
-!git-subtree/**
+!.markdownlint-cli2.yaml
 !maps-example.yaml

git-subtree/src-py-lib/.markdownlint-cli2.yaml → .markdownlint-cli2.yaml

@@ -4,7 +4,6 @@ ignores:
   - ".venv/**"
   - "build/**"
   - "dist/**"
-  - "node_modules/**"
 config:
   MD013:
     line_length: 100