Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
126 changes: 126 additions & 0 deletions .github/workflows/release-splunk-ao-a2a-test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
name: Release splunk-ao-a2a to Test PyPI

on:
pull_request: # Publishes a .dev pre-release on every PR push

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 major (design): The pull_request trigger has no paths filter, so this workflow runs — and publishes a new 0.1.0.dev<run_number> to Test PyPI — on every PR to the repo, including PRs that touch only splunk-ao-adk/, the repo root, docs, or other CI files. That both burns Test PyPI version numbers on unrelated changes and duplicates the test run already performed by ci-tests-splunk-ao-a2a.yaml. The sibling CI workflow scopes itself with paths: ['splunk-ao-a2a/**', ...]; this one should do the same so a dev release is only cut when the package actually changes.

Suggested change
pull_request: # Publishes a .dev pre-release on every PR push
pull_request: # Publishes a .dev pre-release on every PR push
paths:
- 'splunk-ao-a2a/**'
- '.github/workflows/release-splunk-ao-a2a-test.yaml'

🤖 Generated by Astra

workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 0.1.0, 1.2.3rc1, 1.2.3.post1). Must be an explicit version. Leave empty to use the version in pyproject.toml as-is.'
required: false
type: string

Comment on lines +3 to +11

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 minor (design): Unlike every sibling workflow (ci-tests.yaml, ci-tests-splunk-ao-a2a.yaml), this one has no concurrency group. Pushing several commits to a PR in quick succession will launch overlapping runs that each publish a distinct .dev<run_number> to Test PyPI. Add a concurrency group with cancel-in-progress: true to match the existing pattern and avoid redundant publishes.

Suggested change
on:
pull_request: # Publishes a .dev pre-release on every PR push
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 0.1.0, 1.2.3rc1, 1.2.3.post1). Must be an explicit version. Leave empty to use the version in pyproject.toml as-is.'
required: false
type: string
on:
pull_request: # Publishes a .dev pre-release on every PR push
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 0.1.0, 1.2.3rc1, 1.2.3.post1). Must be an explicit version. Leave empty to use the version in pyproject.toml as-is.'
required: false
type: string
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

🤖 Generated by Astra

jobs:
test:
name: Run tests
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
defaults:
run:
working-directory: splunk-ao-a2a
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: '3.11'

- name: Install uv
uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
with:
enable-cache: true
cache-dependency-glob: "**/splunk-ao-a2a/pyproject.toml"

- name: Install dependencies
run: uv sync --dev

- name: Run type check
run: uv run mypy src/

- name: Run tests
run: uv run pytest --cov=splunk_ao_a2a --cov-report=xml

build:
name: Build package
needs: test # Only build if tests pass
runs-on: ubuntu-latest
permissions:
contents: read
defaults:
run:
working-directory: splunk-ao-a2a
outputs:
version: ${{ steps.get-version.outputs.version }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: '3.11'

# PR builds: append .dev<run_number> so the clean version is never
# consumed on Test PyPI and can still be used for the real release.
- name: Set pre-release version
if: github.event_name == 'pull_request'
run: |
VERSION_BASE=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
PRE_VERSION="${VERSION_BASE}.dev${{ github.run_number }}"
sed -i "s/^version = \".*\"/version = \"${PRE_VERSION}\"/" pyproject.toml
sed -i "s/__version__ = \".*\"/__version__ = \"${PRE_VERSION}\"/" src/splunk_ao_a2a/_version.py

# Manual dispatch: validate and use the supplied version if provided.
- name: Override version
if: github.event_name == 'workflow_dispatch' && inputs.version != ''
env:
INPUT_VERSION: ${{ inputs.version }}
run: |
if ! printf '%s' "$INPUT_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+((a|b|rc)[0-9]+)?(\.post[0-9]+)?(\.dev[0-9]+)?$'; then
echo "::error::Invalid version '${INPUT_VERSION}'. Expected an explicit version like 0.1.0, 1.2.3rc1, or 1.2.3.post1. Bump keywords like 'patch' or 'major' are not accepted."
exit 1
fi
sed -i "s/^version = \".*\"/version = \"${INPUT_VERSION}\"/" pyproject.toml
sed -i "s/__version__ = \".*\"/__version__ = \"${INPUT_VERSION}\"/" src/splunk_ao_a2a/_version.py

- name: Get current version
id: get-version
run: |
VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

- name: Build package
run: |
pip install build
python -m build

- name: Upload distributables
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: splunk-ao-a2a-${{ steps.get-version.outputs.version }}
path: splunk-ao-a2a/dist/

publish:
name: Publish to Test PyPI
needs: build # Only publish if build succeeds (which requires tests passing)
runs-on: ubuntu-latest
permissions:
id-token: write # Required for OIDC trusted publishing
environment:
name: testpypi
url: https://test.pypi.org/project/splunk-ao-a2a/
Comment on lines +104 to +112

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 major (design): Because this runs on pull_request (not pull_request_target), PRs opened from forks run with a read-only GITHUB_TOKEN and are not granted id-token: write — GitHub downgrades OIDC permissions for fork PRs. The publish job will therefore fail for every external-contributor PR (the repo already has 2 forks), producing a persistent red check on those PRs. Consider gating the publish job so it is skipped for fork PRs, e.g. if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository, so fork PRs still run test/build but don't attempt (and fail) the publish. This also avoids attempting a trusted-publish on untrusted code.

🤖 Generated by Astra


steps:
- name: Download distributables
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: splunk-ao-a2a-${{ needs.build.outputs.version }}
path: dist/

- name: Publish to Test PyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
with:
repository-url: https://test.pypi.org/legacy/
verbose: true
print-hash: true
Loading