ci: release workflow with Trusted Publishing + Python runtime CI #133
Release workflow (release.yml) is triggered by v* tags and:
- gates everything on a version-consistency check across the five Cargo.toml files and reflectapi-python-runtime/pyproject.toml
- publishes the five Rust crates to crates.io in dependency order using Trusted Publishing (rust-lang/crates-io-auth-action@v1) — no long-lived CARGO_REGISTRY_TOKEN secret required
- builds the pure-Python reflectapi-runtime sdist + wheel via hatchling and publishes to PyPI via Trusted Publishing (pypa/gh-action-pypi-publish)
- cuts a GitHub Release with auto-generated notes; alpha/beta/rc tags are flagged as pre-releases automatically
- uploads the wheel + sdist as release assets

CI gains a python-runtime job that runs the runtime test suite (pytest) on every push and pull request. Adapted from the awa repo's release.yml.

Before the first tag, the repo needs a 'release' GitHub Environment configured as the trusted publisher for both crates.io (one entry per crate) and PyPI (project: reflectapi-runtime, workflow: release.yml, environment: release).
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 75941e902e
| ("reflectapi/Cargo.toml", cargo_version("reflectapi/Cargo.toml")), | ||
| ("reflectapi-derive/Cargo.toml", cargo_version("reflectapi-derive/Cargo.toml")), | ||
| ("reflectapi-schema/Cargo.toml", cargo_version("reflectapi-schema/Cargo.toml")), | ||
| ("reflectapi-schema-codegen/Cargo.toml", cargo_version("reflectapi-schema-codegen/Cargo.toml")), | ||
| ("reflectapi-cli/Cargo.toml", cargo_version("reflectapi-cli/Cargo.toml")), |
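Review bot: each manifest path in this list is typed twice, once as the label and once as the argument to cargo_version(...), so a typo or a copy-pasted entry for a new crate can make the gate report one file while reading another. Consider building the tuples from a single list of paths (for example a comprehension of the form (p, cargo_version(p)) over that list) so the label and the file checked cannot drift apart.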
Check internal dependency versions before publishing
For patch releases, this gate can still pass with stale intra-workspace dependency requirements: e.g. after bumping each [package].version to 0.17.2 for tag v0.17.2, reflectapi could still declare reflectapi-derive = "0.17.1" because Cargo’s default ^0.17.1 requirement accepts the local 0.17.2 during CI, but the published crate would keep depending on the already-released 0.17.1. Since the workflow later publishes with --no-verify, this can ship a mixed-version release even though the “version consistency” job succeeded; please also validate the internal dependency version fields for these workspace crates.
📖 Documentation Preview: https://reflectapi-docs-preview-pr-133.partly.workers.dev Updated automatically from commit 15c9580
…green

The new python-runtime CI job exposed 16 pre-existing failures unrelated to SSE work. Fix them at the root rather than deselecting:
- Auth tests called auth.auth_flow(request) and discarded the generator, so the request mutation never ran. Wrap calls in next(...) so the yield body executes (16 sites across test_auth_negative_cases.py and test_edge_cases.py).
- hypothesis_strategies.strategy_for_type fell through to st.none() for bare collection types (dict, list, tuple, set) because get_origin() returns None for the unparameterised classes. Pydantic then rejected the generated None on a non-Optional field. Add explicit handling for the bare collections.
- test_make_request_with_json_data_still_works asserted 'headers' was absent from build_request kwargs, but the runtime passes headers=None when no headers model is supplied. Both forms mean 'no headers'; relax the assertion to accept either.
Summary
- release.yml triggered by v* tags. Adapted from the awa repo's release.yml.
- Cargo.tomls and reflectapi-python-runtime/pyproject.toml — fails fast on drift.
- reflectapi-schema → reflectapi-derive → reflectapi-schema-codegen → reflectapi → reflectapi-cli) using crates.io Trusted Publishing (OIDC via rust-lang/crates-io-auth-action@v1) — no long-lived CARGO_REGISTRY_TOKEN in the repo.
- reflectapi-runtime sdist + wheel (hatchling) and publishes to PyPI Trusted Publishing.
- alpha|beta|rc are flagged as pre-releases.
- python-runtime job that runs pytest on the runtime on every PR — currently the SSE tests never run in CI because the existing job is Rust-only.

Before the first tag
A release GitHub Environment needs to exist as the trusted publisher on:
- reflectapi, reflectapi-cli, reflectapi-derive, reflectapi-schema, reflectapi-schema-codegen); repo thepartly/reflectapi, workflow release.yml, environment release.
- reflectapi-runtime, repo thepartly/reflectapi, workflow release.yml, environment release.

After that, git tag v0.17.2-alpha.1 && git push origin v0.17.2-alpha.1 cuts a pre-release end-to-end.

Test plan
- release GitHub Environment
- v0.17.2-alpha.1 and confirm the workflow runs cleanly through to a GitHub pre-release