Skip to content

infra: collapse release + publish into one atomic workflow#30

Merged
ashmitb95 merged 1 commit into
mainfrom
release-workflow-atomic
May 31, 2026
Merged

infra: collapse release + publish into one atomic workflow#30
ashmitb95 merged 1 commit into
mainfrom
release-workflow-atomic

Conversation

@ashmitb95

Copy link
Copy Markdown
Owner

Summary

The previous two-workflow split — release.yml (tag) + publish.yml (build/publish on tag push) — had a fatal gap: tag pushes by GITHUB_TOKEN do not trigger downstream workflows. That's GitHub's anti-cascade guard. So our v3.1.1 release tagged on origin but publish.yml never fired, and PyPI is still at 3.1.0.

This PR consolidates everything into one workflow that does, in order:

  1. Read __version__ from src/canopy/__init__.py
  2. Refuse if vN.N.N already exists (prevents accidental re-release at same version)
  3. python -m build + twine check
  4. OIDC publish to PyPI
  5. Create + push the vN.N.N tag

Publish happens before tag push, so a failed PyPI publish leaves no orphan tag — re-runs work cleanly.

publish.yml deleted.

Why this avoids the cascade limitation

There's no second workflow to trigger. The dispatch action does everything itself, end-to-end. The OIDC trusted-publisher setup (already configured) handles auth; no PAT needed.

Cleanup before this is useful

The current orphan v3.1.1 tag on origin will block the new workflow's "tag already exists" check. After merge: delete the orphan tag locally and on origin, then run "Release (build + publish + tag)" from the Actions UI. The new run will re-create v3.1.1 cleanly and ship it to PyPI.

git tag -d v3.1.1
git push origin :refs/tags/v3.1.1

Test plan

  • Merge this PR
  • Delete the orphan v3.1.1 tag (local + origin)
  • Run "Release (build + publish + tag)" via Actions UI
  • Verify canopy-cli 3.1.1 lands on PyPI and v3.1.1 tag exists on origin

The previous two-workflow split (release.yml tags, publish.yml publishes
on tag push) had a fatal gap: tag pushes by GITHUB_TOKEN do not trigger
downstream workflows (GitHub's anti-cascade guard). So v3.1.1 got
tagged but never reached PyPI.

New release.yml does everything in one job: read __version__ → build →
twine check → OIDC publish to PyPI → tag and push. Publish happens
before tag push, so a failed publish leaves no orphan tag — re-runs
are idempotent.

publish.yml deleted (superseded).
@ashmitb95 ashmitb95 merged commit b19c6e6 into main May 31, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant