fix: move publishing job to trigger-release.yaml#13
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughThe release publish flow now runs inline in the triggering workflow, building artifacts and publishing to PyPI directly. The reusable workflow trigger is removed from ChangesRelease workflow restructuring
Estimated code review effort: 3 (Moderate) | ~20 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (2)
.github/workflows/trigger-release.yaml (2)
90-95: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueInconsistent action versions within the same workflow file.
bump-versionpinsactions/checkout@v6andastral-sh/setup-uv@v7, whilepublishusesactions/checkout@v4andastral-sh/setup-uv@v5(unpinned to a specificversion:). Worth aligning these to reduce confusion/behavioral drift between jobs in the same file.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/trigger-release.yaml around lines 90 - 95, The publish job in the trigger-release workflow is using older/inconsistent action versions compared with the bump-version job, so align the versions across both jobs. Update the actions used in the publish steps that reference actions/checkout and astral-sh/setup-uv so they match the newer versions already used elsewhere in this workflow, and keep the uv setup configuration consistent by explicitly pinning the same version style in the setup-uv step.
86-104: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valuePublish job logic now duplicated across two files.
The build/publish steps here are now a near-exact copy of the
publishjob still present inrelease-pypi.yaml(per the provided context snippet). This is presumably intentional to satisfy PyPI Trusted Publisher's workflow-identity requirement, but it means future changes (e.g. bumpinguv/gh-action-pypi-publishversions, adding build flags) must be applied in both places or they'll drift.Consider adding a comment in both files pointing at each other so maintainers remember to keep them in sync.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/trigger-release.yaml around lines 86 - 104, The publish job steps in the release workflow are duplicated with the existing publish job, so update the workflow definitions to include clear comments in both places pointing to the other file and noting they must stay in sync. Use the publish job blocks in trigger-release and release-pypi as the anchors for where to add the cross-reference comments so future changes to the Build and Publish to PyPI steps are made consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/trigger-release.yaml:
- Around line 90-93: The actions/checkout step in the release workflow is
leaving credentials persisted in the local git config, which is unnecessary for
this job. Update the checkout configuration in the release workflow’s checkout
step to disable credential persistence on the actions/checkout@v4 invocation,
since the later uv build step should not inherit the GITHUB_TOKEN. Use the
existing checkout block that sets ref from
needs.bump-version.outputs.new_version and add the no-persist-credentials
setting there.
- Around line 94-95: The Install uv step uses astral-sh/setup-uv@v5 with caching
enabled by default, which is unnecessary for this release job and increases
cache-poisoning risk. Update the setup-uv usage in the release workflow to
explicitly disable caching, keeping the one-shot publish job focused on
installation only; refer to the Install uv step and the astral-sh/setup-uv
action configuration.
- Around line 84-89: The publish job’s job-level permissions block currently
overrides the default token scopes, so `actions/checkout@v4` in the `publish`
job loses repository read access. Update the `publish` job permissions in
`trigger-release.yaml` to include `contents: read` alongside `id-token: write`,
keeping the existing job name and steps unchanged.
---
Nitpick comments:
In @.github/workflows/trigger-release.yaml:
- Around line 90-95: The publish job in the trigger-release workflow is using
older/inconsistent action versions compared with the bump-version job, so align
the versions across both jobs. Update the actions used in the publish steps that
reference actions/checkout and astral-sh/setup-uv so they match the newer
versions already used elsewhere in this workflow, and keep the uv setup
configuration consistent by explicitly pinning the same version style in the
setup-uv step.
- Around line 86-104: The publish job steps in the release workflow are
duplicated with the existing publish job, so update the workflow definitions to
include clear comments in both places pointing to the other file and noting they
must stay in sync. Use the publish job blocks in trigger-release and
release-pypi as the anchors for where to add the cross-reference comments so
future changes to the Build and Publish to PyPI steps are made consistently.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: cc2fd274-1a7b-4423-8af2-9892da967dd4
📒 Files selected for processing (2)
.github/workflows/release-pypi.yaml.github/workflows/trigger-release.yaml
1974113 to
6b5cb96
Compare
This fixes the attestation issue with pypi trusted publisher. JIRA: trivial
6b5cb96 to
f5d8c59
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release-pypi.yaml:
- Around line 12-13: The publish job in the release workflow only grants
contents: read, which is insufficient for trusted PyPI publishing. Update the
publish job’s permissions to include id-token: write alongside the existing
contents permission so pypa/gh-action-pypi-publish can use OIDC during
workflow_dispatch releases.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e6219228-eeaa-4804-a4c3-07f808b538a7
📒 Files selected for processing (2)
.github/workflows/release-pypi.yaml.github/workflows/trigger-release.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/trigger-release.yaml
This fixes the attestation issue with pypi trusted publisher.
JIRA: trivial
Summary by CodeRabbit