From 2082dccac04de73d800b84071e7bb51ebb4030f3 Mon Sep 17 00:00:00 2001 From: Akshaya Shanbhogue Date: Thu, 9 Jul 2026 15:28:38 -0700 Subject: [PATCH] ci: remove Azure Artifacts publishing Drop the private UiPath Azure Artifacts (`coder_eval`) feed as a publish target. Delete publish-dev.yml (its sole purpose was publishing per-PR dev wheels to that feed) and remove the "Publish to coder_eval feed" twine step from release.yml, keeping public PyPI, GHCR, and the git tag intact. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/publish-dev.yml | 155 ------------------------------ .github/workflows/release.yml | 27 ++---- 2 files changed, 6 insertions(+), 176 deletions(-) delete mode 100644 .github/workflows/publish-dev.yml diff --git a/.github/workflows/publish-dev.yml b/.github/workflows/publish-dev.yml deleted file mode 100644 index a79c096a..00000000 --- a/.github/workflows/publish-dev.yml +++ /dev/null @@ -1,155 +0,0 @@ -name: Publish Dev Build - -# Per-PR dev wheel publishing for end-to-end testing of the release pipeline -# without bumping the canonical version on main. -# -# How to use: -# 1. Open a PR. -# 2. Add the `build:dev` label. Re-add (or push new commits) to refresh. -# 3. Workflow rewrites pyproject.toml version to: -# .dev1 -# builds wheel+sdist, publishes to the coder_eval feed, and edits the -# PR description with a copy-pasteable install snippet. -# -# Inspired by uipath-core-python/.github/workflows/publish-dev.yml. - -on: - pull_request: - types: [opened, synchronize, reopened, labeled] - -concurrency: - group: publish-dev-${{ github.event.pull_request.number }} - cancel-in-progress: true - -permissions: - contents: read - pull-requests: write # for editing PR description with install snippet - -jobs: - publish-dev: - name: Publish dev wheel for PR - runs-on: ubuntu-latest - if: contains(github.event.pull_request.labels.*.name, 'build:dev') - timeout-minutes: 15 - env: - # uipath-ubuntu-latest runners enforce a minimum package-age safe-chain - # check on uv installs; match the exclusions used by pr-checks.yml. - SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS: "openai-codex-cli-bin,openai-codex" - - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Set up Python 3.13 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - with: - python-version: "3.13" - - - name: Install uv - uses: astral-sh/setup-uv@v4 - with: - enable-cache: true - - - name: Compute and apply dev version - id: ver - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.pull_request.number }} - RUN_NUMBER: ${{ github.run_number }} - REPO: ${{ github.repository }} - run: | - set -euo pipefail - PROJECT_NAME=$(python3 -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['name'])") - CURRENT_VERSION=$(python3 -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])") - PADDED_PR=$(printf '%05d' "$PR_NUMBER") - PADDED_RUN=$(printf '%04d' "$RUN_NUMBER") - PADDED_NEXT_PR=$(printf '%05d' "$((PR_NUMBER + 1))") - # PEP 440 dev version: .dev1 sorts cleanly inside [MIN, MAX). - DEV_VERSION="${CURRENT_VERSION}.dev1${PADDED_PR}${PADDED_RUN}" - MIN_VERSION="${CURRENT_VERSION}.dev1${PADDED_PR}0000" - MAX_VERSION="${CURRENT_VERSION}.dev1${PADDED_NEXT_PR}0000" - - python3 - <> "$GITHUB_OUTPUT" - echo "min=${MIN_VERSION}" >> "$GITHUB_OUTPUT" - echo "max=${MAX_VERSION}" >> "$GITHUB_OUTPUT" - echo "name=${PROJECT_NAME}" >> "$GITHUB_OUTPUT" - echo "Set version to ${DEV_VERSION}" - - - name: Build wheel + sdist - run: uv build - - - name: Publish to coder_eval feed - env: - # Azure Artifacts accepts any non-empty username when paired with a - # PAT, so we hardcode it; the PAT (read+write Packaging scope) lives - # in UV_INDEX_UIPATH_PASSWORD, reused from pr-checks.yml. - TWINE_USERNAME: "azure-artifacts" - TWINE_PASSWORD: ${{ secrets.UV_INDEX_UIPATH_PASSWORD }} - TWINE_REPOSITORY_URL: https://pkgs.dev.azure.com/uipath/ML%20Platform/_packaging/coder_eval/pypi/upload/ - run: uv tool run --from twine twine upload --non-interactive --verbose dist/* - - - name: Update PR description with install snippet - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.pull_request.number }} - REPO: ${{ github.repository }} - PKG: ${{ steps.ver.outputs.name }} - DEV_VERSION: ${{ steps.ver.outputs.version }} - MIN_VERSION: ${{ steps.ver.outputs.min }} - MAX_VERSION: ${{ steps.ver.outputs.max }} - run: | - set -euo pipefail - START="" - END="" - read -r -d '' SNIPPET <=${MIN_VERSION},<${MAX_VERSION}", - ] - - [[tool.uv.index]] - name = "coder_eval" - url = "https://pkgs.dev.azure.com/uipath/ML%20Platform/_packaging/coder_eval/pypi/simple/" - publish-url = "https://pkgs.dev.azure.com/uipath/ML%20Platform/_packaging/coder_eval/pypi/upload/" - explicit = true - - [tool.uv.sources] - ${PKG} = { index = "coder_eval" } - \`\`\` - $END - EOF - - export CURRENT SNIPPET START END - CURRENT=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}" --jq .body) - if echo "$CURRENT" | grep -q "$START"; then - NEW=$(CURRENT="$CURRENT" SNIPPET="$SNIPPET" START="$START" END="$END" python3 - <<'PY' - import os, re - body = os.environ["CURRENT"] - snippet = os.environ["SNIPPET"] - pat = re.compile(re.escape(os.environ["START"]) + r".*?" + re.escape(os.environ["END"]), re.DOTALL) - print(pat.sub(snippet, body)) - PY - ) - else - NEW=$(printf '%s\n\n%s' "$CURRENT" "$SNIPPET") - fi - - gh api -X PATCH "repos/${REPO}/pulls/${PR_NUMBER}" -f body="$NEW" >/dev/null - echo "Updated PR description" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b5fb4a76..7dd409f7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,8 +1,8 @@ name: Release # Manually-triggered release: build the CURRENT version (from pyproject.toml) -# and publish it to public PyPI + the UiPath `coder_eval` Azure Artifacts feed -# (wheel) and GHCR (agent image), then push the `v` git tag. +# and publish it to public PyPI (wheel) and GHCR (agent image), then push the +# `v` git tag. # # Version management: `main` is protected by a ruleset (changes via PR only), # so this workflow does NOT commit a version bump to main. Bump `version` in @@ -92,20 +92,6 @@ jobs: path: dist/ if-no-files-found: error - - name: Publish to coder_eval feed - # Best-effort: the private Azure feed is a UiPath-internal target; its - # failure (e.g. an expired PAT) must NOT block the public PyPI publish. - continue-on-error: true - if: steps.release.outputs.version != '' - env: - # Azure Artifacts accepts any non-empty username when paired with a - # PAT, so we hardcode it. The PAT (Packaging Read & write scope) - # comes from UV_INDEX_UIPATH_PASSWORD, reused from pr-checks.yml. - TWINE_USERNAME: "azure-artifacts" - TWINE_PASSWORD: ${{ secrets.UV_INDEX_UIPATH_PASSWORD }} - TWINE_REPOSITORY_URL: https://pkgs.dev.azure.com/uipath/ML%20Platform/_packaging/coder_eval/pypi/upload/ - run: uv tool run --from twine twine upload --non-interactive --verbose dist/* - # Build + push the agent image HERE, in the release job, tagged with the # version main declares. docker-publish.yml only publishes :latest / :sha- # on every main push, so this is the authoritative versioned image; it @@ -149,11 +135,10 @@ jobs: # back from here, to avoid two concurrent writers racing the cache tag. cache-from: type=registry,ref=ghcr.io/${{ steps.img.outputs.owner_lc }}/coder-eval-agent:buildcache - # Publish the SAME wheel+sdist to public PyPI (pkgs live alongside the private - # Azure Artifacts feed, which the release job above still populates). This runs - # as its own job so OIDC Trusted Publishing is scoped to a dedicated, - # environment-gated context on GitHub-hosted runners -- no PyPI token/secret is - # stored. Gated on the release job having actually cut a version. + # Publish the wheel+sdist to public PyPI. This runs as its own job so OIDC + # Trusted Publishing is scoped to a dedicated, environment-gated context on + # GitHub-hosted runners -- no PyPI token/secret is stored. Gated on the + # release job having actually cut a version. publish-pypi: name: Publish to PyPI needs: release