Skip to content

ci(release): PyPI Trusted Publishing (OIDC) release workflow#37

Merged
kjoshi07 merged 1 commit into
mainfrom
ci/release-oidc-trusted-publishing
Jun 23, 2026
Merged

ci(release): PyPI Trusted Publishing (OIDC) release workflow#37
kjoshi07 merged 1 commit into
mainfrom
ci/release-oidc-trusted-publishing

Conversation

@kjoshi07

Copy link
Copy Markdown
Contributor

What

Adds .github/workflows/release.yml so future versions auto-publish to PyPI from a tag — no API token, via PyPI Trusted Publishing (OIDC). Modeled on agentforge-py's release workflow, adapted for ForgeSight's 17-package uv workspace.

Flow

  1. builduv build --all-packages → all 17 wheels + sdists as an artifact
  2. packaged-smoke — installs the freshly-built dists into a clean venv and asserts the public API + rebranded defaults import (ForgeSightMiddleware present, old AgentForgeMiddleware gone, prometheus prefix=forgesight, datadog service=forgesight, clickhouse table=forgesight_records) — catches packaging bugs before publish
  3. publishpypa/gh-action-pypi-publish with id-token: write (OIDC, no password), skip-existing, gated on the pypi GitHub environment (manual approve)

Triggers on v* tag push (so gh release create vX.Y.Z publishes) + workflow_dispatch for re-runs.

⚠️ One-time setup required before the first OIDC release (documented in the workflow header)

  • Create a pypi GitHub Environment (Settings → Environments), ideally with required reviewers.
  • Add a Trusted Publisher to each of the 17 PyPI projects (pypi.org → project → Publishing): Owner Scaffoldic, Repo forgesight, Workflow release.yml, Environment pypi.

Until that's configured, the publish job will 403. The existing manual twine upload + PYPI_TOKEN path (launch/) keeps working in the meantime.

🤖 Generated with Claude Code

Tag-triggered (`v*`) workflow that builds all 17 workspace packages
(`uv build --all-packages`) and publishes them to PyPI via OIDC Trusted
Publishing — no API token. A packaged-wheel smoke gate installs the
freshly-built dists and asserts the public API + rebranded defaults
before the publish job runs; publish is gated on the `pypi` GitHub
environment (manual approve).

Requires one-time setup (documented in the workflow header): a `pypi`
environment + a Trusted Publisher entry per PyPI project
(Owner=Scaffoldic, Repo=forgesight, Workflow=release.yml, Env=pypi).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kjoshi07 kjoshi07 merged commit e9283e6 into main Jun 23, 2026
5 checks passed
@kjoshi07 kjoshi07 deleted the ci/release-oidc-trusted-publishing branch June 23, 2026 12:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant