diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml deleted file mode 100644 index d59e2aa..0000000 --- a/.github/workflows/_release.yml +++ /dev/null @@ -1,271 +0,0 @@ -name: release -run-name: Release ${{ inputs.working-directory }} by @${{ github.actor }} -on: - workflow_call: - inputs: - working-directory: - required: true - type: string - description: "From which folder this pipeline executes" - workflow_dispatch: - inputs: - working-directory: - required: true - type: string - default: 'libs/langchain-ace' - dangerous-nonmaster-release: - required: false - type: boolean - default: false - description: "Release from a non-master branch (danger!)" - -env: - PYTHON_VERSION: "3.11" - UV_FROZEN: "true" - UV_NO_SYNC: "true" - -jobs: - build: - if: github.ref == 'refs/heads/main' || inputs.dangerous-nonmaster-release - runs-on: ubuntu-latest - - outputs: - pkg-name: ${{ steps.check-version.outputs.pkg-name }} - version: ${{ steps.check-version.outputs.version }} - - steps: - - uses: actions/checkout@v4 - - - name: Set up Python + uv - uses: "./.github/actions/uv_setup" - with: - python-version: ${{ env.PYTHON_VERSION }} - - # We want to keep this build stage *separate* from the release stage, - # so that there's no sharing of permissions between them. - # The release stage has trusted publishing and GitHub repo contents write access, - # and we want to keep the scope of that access limited just to the release job. - # Otherwise, a malicious `build` step (e.g. via a compromised dependency) - # could get access to our GitHub or PyPI credentials. - # - # Per the trusted publishing GitHub Action: - # > It is strongly advised to separate jobs for building [...] - # > from the publish job. - # https://github.com/pypa/gh-action-pypi-publish#non-goals - - name: Build project for distribution - run: uv build - working-directory: ${{ inputs.working-directory }} - - - name: Upload build - uses: actions/upload-artifact@v4 - with: - name: dist - path: ${{ inputs.working-directory }}/dist/ - - - name: Check Version - id: check-version - shell: python - working-directory: ${{ inputs.working-directory }} - run: | - import os - import tomllib - with open("pyproject.toml", "rb") as f: - data = tomllib.load(f) - pkg_name = data["project"]["name"] - version = data["project"]["version"] - with open(os.environ["GITHUB_OUTPUT"], "a") as f: - f.write(f"pkg-name={pkg_name}\n") - f.write(f"version={version}\n") - - test-pypi-publish: - needs: - - build - uses: - ./.github/workflows/_test_release.yml - permissions: write-all - with: - working-directory: ${{ inputs.working-directory }} - dangerous-nonmaster-release: ${{ inputs.dangerous-nonmaster-release }} - secrets: inherit - - pre-release-checks: - needs: - - build - - test-pypi-publish - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - # We explicitly *don't* set up caching here. This ensures our tests are - # maximally sensitive to catching breakage. - # - # For example, here's a way that caching can cause a falsely-passing test: - # - Make the langchain package manifest no longer list a dependency package - # as a requirement. This means it won't be installed by `pip install`, - # and attempting to use it would cause a crash. - # - That dependency used to be required, so it may have been cached. - # When restoring the venv packages from cache, that dependency gets included. - # - Tests pass, because the dependency is present even though it wasn't specified. - # - The package is published, and it breaks on the missing dependency when - # used in the real world. - - - name: Set up Python + uv - uses: "./.github/actions/uv_setup" - id: setup-python - with: - python-version: ${{ env.PYTHON_VERSION }} - - - uses: actions/download-artifact@v4 - with: - name: dist - path: ${{ inputs.working-directory }}/dist/ - - - name: Import dist package - shell: bash - working-directory: ${{ inputs.working-directory }} - env: - PKG_NAME: ${{ needs.build.outputs.pkg-name }} - VERSION: ${{ needs.build.outputs.version }} - # Here we use: - # - The default regular PyPI index as the *primary* index, meaning - # that it takes priority (https://pypi.org/simple) - # - The test PyPI index as an extra index, so that any dependencies that - # are not found on test PyPI can be resolved and installed anyway. - # (https://test.pypi.org/simple). This will include the PKG_NAME==VERSION - # package because VERSION will not have been uploaded to regular PyPI yet. - # - attempt install again after 5 seconds if it fails because there is - # sometimes a delay in availability on test pypi - run: | - uv venv - VIRTUAL_ENV=.venv uv pip install dist/*.whl - - # Replace all dashes in the package name with underscores, - # since that's how Python imports packages with dashes in the name. - IMPORT_NAME="$(echo "$PKG_NAME" | sed s/-/_/g)" - - uv run python -c "import $IMPORT_NAME; print(dir($IMPORT_NAME))" - - - name: Import test dependencies - run: uv sync --group test - working-directory: ${{ inputs.working-directory }} - - # Overwrite the local version of the package with the built version - - name: Import published package (again) - working-directory: ${{ inputs.working-directory }} - shell: bash - env: - PKG_NAME: ${{ needs.build.outputs.pkg-name }} - VERSION: ${{ needs.build.outputs.version }} - run: | - VIRTUAL_ENV=.venv uv pip install dist/*.whl - - - name: Run unit tests - run: make tests - working-directory: ${{ inputs.working-directory }} - - - name: Run integration tests - env: - PARTNER_API_KEY: ${{ secrets.PARTNER_API_KEY }} - run: | - uv sync --group test --group test_integration - make integration_tests - working-directory: ${{ inputs.working-directory }} - - - name: Get minimum versions - working-directory: ${{ inputs.working-directory }} - id: min-version - run: | - VIRTUAL_ENV=.venv uv pip install packaging requests - python_version="$(uv run python --version | awk '{print $2}')" - min_versions="$(uv run python $GITHUB_WORKSPACE/.github/scripts/get_min_versions.py pyproject.toml release $python_version)" - echo "min-versions=$min_versions" >> "$GITHUB_OUTPUT" - echo "min-versions=$min_versions" - - - name: Run unit tests with minimum dependency versions - if: ${{ steps.min-version.outputs.min-versions != '' }} - env: - MIN_VERSIONS: ${{ steps.min-version.outputs.min-versions }} - run: | - VIRTUAL_ENV=.venv uv pip install $MIN_VERSIONS - make tests - working-directory: ${{ inputs.working-directory }} - - publish: - needs: - - build - - test-pypi-publish - - pre-release-checks - runs-on: ubuntu-latest - environment: pypi - permissions: - # This permission is used for trusted publishing: - # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ - # - # Trusted publishing has to also be configured on PyPI for each package: - # https://docs.pypi.org/trusted-publishers/adding-a-publisher/ - id-token: write - - defaults: - run: - working-directory: ${{ inputs.working-directory }} - - steps: - - uses: actions/checkout@v4 - - - name: Set up Python + uv - uses: "./.github/actions/uv_setup" - with: - python-version: ${{ env.PYTHON_VERSION }} - - - uses: actions/download-artifact@v4 - with: - name: dist - path: ${{ inputs.working-directory }}/dist/ - - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - with: - packages-dir: ${{ inputs.working-directory }}/dist/ - verbose: true - print-hash: true - # Temp workaround since attestations are on by default as of gh-action-pypi-publish v1\.11\.0 - attestations: false - - mark-release: - needs: - - build - - test-pypi-publish - - pre-release-checks - - publish - runs-on: ubuntu-latest - permissions: - # This permission is needed by `ncipollo/release-action` to - # create the GitHub release. - contents: write - - defaults: - run: - working-directory: ${{ inputs.working-directory }} - - steps: - - uses: actions/checkout@v4 - - - name: Set up Python + uv - uses: "./.github/actions/uv_setup" - with: - python-version: ${{ env.PYTHON_VERSION }} - - - uses: actions/download-artifact@v4 - with: - name: dist - path: ${{ inputs.working-directory }}/dist/ - - - name: Create Release - uses: ncipollo/release-action@v1 - with: - artifacts: "dist/*" - token: ${{ secrets.GITHUB_TOKEN }} - draft: false - generateReleaseNotes: true - tag: ${{ inputs.working-directory }}/v${{ needs.build.outputs.version }} - commit: ${{ github.sha }} diff --git a/.github/workflows/_test_release.yml b/.github/workflows/_test_release.yml deleted file mode 100644 index 0013feb..0000000 --- a/.github/workflows/_test_release.yml +++ /dev/null @@ -1,107 +0,0 @@ -name: test-release - -on: - workflow_call: - inputs: - working-directory: - required: true - type: string - description: "From which folder this pipeline executes" - dangerous-nonmaster-release: - required: false - type: boolean - default: false - description: "Release from a non-master branch (danger!)" - -env: - PYTHON_VERSION: "3.11" - UV_FROZEN: "true" - -jobs: - build: - if: github.ref == 'refs/heads/main' || inputs.dangerous-nonmaster-release - runs-on: ubuntu-latest - - outputs: - pkg-name: ${{ steps.check-version.outputs.pkg-name }} - version: ${{ steps.check-version.outputs.version }} - - steps: - - uses: actions/checkout@v4 - - - name: Set up Python + uv - uses: "./.github/actions/uv_setup" - with: - python-version: ${{ env.PYTHON_VERSION }} - - # We want to keep this build stage *separate* from the release stage, - # so that there's no sharing of permissions between them. - # The release stage has trusted publishing and GitHub repo contents write access, - # and we want to keep the scope of that access limited just to the release job. - # Otherwise, a malicious `build` step (e.g. via a compromised dependency) - # could get access to our GitHub or PyPI credentials. - # - # Per the trusted publishing GitHub Action: - # > It is strongly advised to separate jobs for building [...] - # > from the publish job. - # https://github.com/pypa/gh-action-pypi-publish#non-goals - - name: Build project for distribution - run: uv build - working-directory: ${{ inputs.working-directory }} - - - name: Upload build - uses: actions/upload-artifact@v4 - with: - name: test-dist - path: ${{ inputs.working-directory }}/dist/ - - - name: Check Version - id: check-version - shell: python - working-directory: ${{ inputs.working-directory }} - run: | - import os - import tomllib - with open("pyproject.toml", "rb") as f: - data = tomllib.load(f) - pkg_name = data["project"]["name"] - version = data["project"]["version"] - with open(os.environ["GITHUB_OUTPUT"], "a") as f: - f.write(f"pkg-name={pkg_name}\n") - f.write(f"version={version}\n") - - publish: - needs: - - build - runs-on: ubuntu-latest - environment: testpypi - permissions: - # This permission is used for trusted publishing: - # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ - # - # Trusted publishing has to also be configured on PyPI for each package: - # https://docs.pypi.org/trusted-publishers/adding-a-publisher/ - id-token: write - - steps: - - uses: actions/checkout@v4 - - - uses: actions/download-artifact@v4 - with: - name: test-dist - path: ${{ inputs.working-directory }}/dist/ - - - name: Publish to test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - with: - packages-dir: ${{ inputs.working-directory }}/dist/ - verbose: true - print-hash: true - repository-url: https://test.pypi.org/legacy/ - - # We overwrite any existing distributions with the same name and version. - # This is *only for CI use* and is *extremely dangerous* otherwise! - # https://github.com/pypa/gh-action-pypi-publish#tolerating-release-package-file-duplicates - skip-existing: true - # Temp workaround since attestations are on by default as of gh-action-pypi-publish v1.11.0 - attestations: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 57a4a70..78d13ee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,23 +1,73 @@ -name: release +name: Publish to TestPyPI and PyPI on: - workflow_dispatch: - inputs: - working-directory: - required: true - type: string - default: "libs/langchain-acm" - description: "From which folder this pipeline executes" - dangerous-nonmaster-release: - required: false - type: boolean - default: false - description: "Release from a non-master branch (danger!)" + push: + tags: + - "v*" + +env: + WORKING_DIRECTORY: "libs/langchain-acm" jobs: - release: - uses: ./.github/workflows/_release.yml - with: - working-directory: ${{ inputs.working-directory }} - dangerous-nonmaster-release: ${{ inputs.dangerous-nonmaster-release }} - secrets: inherit + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + uv + uses: "./.github/actions/uv_setup" + with: + python-version: "3.11" + + - name: Build dists + run: uv build + working-directory: ${{ env.WORKING_DIRECTORY }} + + - name: Upload dist + uses: actions/upload-artifact@v4 + with: + name: dist + path: ${{ env.WORKING_DIRECTORY }}/dist/ + + publish-testpypi: + needs: build + runs-on: ubuntu-latest + environment: + name: testpypi + url: https://test.pypi.org/p/langchain-acm + permissions: + id-token: write + steps: + - uses: actions/checkout@v4 + + - uses: actions/download-artifact@v4 + with: + name: dist + path: dist + + - name: Publish to TestPyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ + verbose: true + + publish-pypi: + needs: build + runs-on: ubuntu-latest + environment: + name: pypi + url: https://pypi.org/p/langchain-acm + permissions: + id-token: write + steps: + - uses: actions/checkout@v4 + + - uses: actions/download-artifact@v4 + with: + name: dist + path: dist + + - name: Publish to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + verbose: true