fix: move publishing job to trigger-release.yaml#13

Merged
janmatzek merged 1 commit into gooddata:master from janmatzek:jmat/fix-trusted-publisher-release on Jul 3, 2026

Conversation

janmatzek (Contributor) commented Jul 2, 2026

This fixes the attestation issue with PyPI Trusted Publisher.

JIRA: trivial

Summary by CodeRabbit

  • Chores
    • Updated the release publishing workflow to support manual releases only, with clearer version tag input.
    • Adjusted workflow and job permissions to allow token-based publishing while limiting repository access.
    • Updated release steps to avoid persisting checkout credentials.
    • Disabled build caching for the publishing process, built the package into a distribution folder, and published directly to PyPI with verbose output.

coderabbitai (bot) commented Jul 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 74fb9476-3074-4d11-9a0a-195c3d18d42e

📥 Commits

Reviewing files that changed from the base of the PR and between 1974113 and f5d8c59.

📒 Files selected for processing (2)
  • .github/workflows/release-pypi.yaml
  • .github/workflows/trigger-release.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/trigger-release.yaml
  • .github/workflows/release-pypi.yaml

📝 Walkthrough

The release publish flow now runs inline in the triggering workflow, building artifacts and publishing to PyPI directly. The reusable workflow trigger is removed from release-pypi.yaml, and its dispatch input and job setup are updated.

Changes

Release workflow restructuring
  • Publish job setup (.github/workflows/trigger-release.yaml): The publish job defines runner and permissions inline, checks out the release tag with credentials disabled, and installs uv with caching disabled.
  • Inline build and publish (.github/workflows/trigger-release.yaml): The workflow builds the package into dist/ with uv and publishes those artifacts to PyPI inline with verbose output.
  • release-pypi.yaml trigger update (.github/workflows/release-pypi.yaml): Removes workflow_call, keeps workflow_dispatch with an explicit string tag input, and disables checkout credentials plus uv caching in the reusable workflow job.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Poem

A rabbit bakes the release with care,
Builds in dist/ and sends it there,
No reusable hop, just steps so bright,
Tag in hand, it publishes right.
Thump thump—PyPI night! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: moving the publishing job into trigger-release.yaml to address the PyPI publishing flow.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai (bot) left a review comment

Actionable comments posted: 3

🧹 Nitpick comments (2)
.github/workflows/trigger-release.yaml (2)

90-95: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Inconsistent action versions within the same workflow file.

bump-version pins actions/checkout@v6 and astral-sh/setup-uv@v7, while publish uses actions/checkout@v4 and astral-sh/setup-uv@v5 (not pinned to a specific version). Worth aligning these to reduce confusion/behavioral drift between jobs in the same file.


86-104: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Publish job logic now duplicated across two files.

The build/publish steps here are now a near-exact copy of the publish job still present in release-pypi.yaml (per the provided context snippet). This is presumably intentional to satisfy PyPI Trusted Publisher's workflow-identity requirement, but it means future changes (e.g. bumping uv/gh-action-pypi-publish versions, adding build flags) must be applied in both places or they'll drift.

Consider adding a comment in both files pointing at each other so maintainers remember to keep them in sync.

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/trigger-release.yaml:
- Around line 90-93: The actions/checkout step in the release workflow is
leaving credentials persisted in the local git config, which is unnecessary for
this job. Update the checkout configuration in the release workflow’s checkout
step to disable credential persistence on the actions/checkout@v4 invocation,
since the later uv build step should not inherit the GITHUB_TOKEN. Use the
existing checkout block that sets ref from
needs.bump-version.outputs.new_version and add the no-persist-credentials
setting there.
- Around line 94-95: The Install uv step uses astral-sh/setup-uv@v5 with caching
enabled by default, which is unnecessary for this release job and increases
cache-poisoning risk. Update the setup-uv usage in the release workflow to
explicitly disable caching, keeping the one-shot publish job focused on
installation only; refer to the Install uv step and the astral-sh/setup-uv
action configuration.
- Around line 84-89: The publish job’s job-level permissions block currently
overrides the default token scopes, so `actions/checkout@v4` in the `publish`
job loses repository read access. Update the `publish` job permissions in
`trigger-release.yaml` to include `contents: read` alongside `id-token: write`,
keeping the existing job name and steps unchanged.

---

Nitpick comments:
In @.github/workflows/trigger-release.yaml:
- Around line 90-95: The publish job in the trigger-release workflow is using
older/inconsistent action versions compared with the bump-version job, so align
the versions across both jobs. Update the actions used in the publish steps that
reference actions/checkout and astral-sh/setup-uv so they match the newer
versions already used elsewhere in this workflow, and keep the uv setup
configuration consistent by explicitly pinning the same version style in the
setup-uv step.
- Around line 86-104: The publish job steps in the release workflow are
duplicated with the existing publish job, so update the workflow definitions to
include clear comments in both places pointing to the other file and noting they
must stay in sync. Use the publish job blocks in trigger-release and
release-pypi as the anchors for where to add the cross-reference comments so
future changes to the Build and Publish to PyPI steps are made consistently.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cc2fd274-1a7b-4423-8af2-9892da967dd4

📥 Commits

Reviewing files that changed from the base of the PR and between ac75c8a and 62a5eff.

📒 Files selected for processing (2)
  • .github/workflows/release-pypi.yaml
  • .github/workflows/trigger-release.yaml

Inline comment threads on .github/workflows/trigger-release.yaml (3, two marked Outdated)
janmatzek force-pushed the jmat/fix-trusted-publisher-release branch 2 times, most recently from 1974113 to 6b5cb96 on July 2, 2026 07:52
This fixes the attestation issue with pypi trusted publisher.

JIRA: trivial
janmatzek force-pushed the jmat/fix-trusted-publisher-release branch from 6b5cb96 to f5d8c59 on July 2, 2026 07:53

coderabbitai (bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-pypi.yaml:
- Around line 12-13: The publish job in the release workflow only grants
contents: read, which is insufficient for trusted PyPI publishing. Update the
publish job’s permissions to include id-token: write alongside the existing
contents permission so pypa/gh-action-pypi-publish can use OIDC during
workflow_dispatch releases.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e6219228-eeaa-4804-a4c3-07f808b538a7

📥 Commits

Reviewing files that changed from the base of the PR and between 62a5eff and 1974113.

📒 Files selected for processing (2)
  • .github/workflows/release-pypi.yaml
  • .github/workflows/trigger-release.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/trigger-release.yaml
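
The earlier review findings on trigger-release.yaml (a job-level permissions block that drops contents: read, persisted checkout credentials, setup-uv caching) and the id-token: write requirement raised above for release-pypi.yaml combine into one inline publish job. The workflow below is an added illustration, not the project's own file; the job names, the bump-version output name, the tag input name and the pypa/gh-action-pypi-publish ref are assumptions.

```yaml
# Added example, not the project's workflow: job, output and input names are assumed.
name: trigger-release
on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Version tag to release"
        required: true
        type: string

# Workflow-level default for GITHUB_TOKEN: read-only.
permissions:
  contents: read

jobs:
  bump-version:
    runs-on: ubuntu-latest
    outputs:
      new_version: ${{ steps.bump.outputs.new_version }}
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - id: bump
        env:
          TAG: ${{ inputs.tag }}   # pass the input via env, never interpolate it into the script
        run: echo "new_version=$TAG" >> "$GITHUB_OUTPUT"

  publish:
    needs: bump-version
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow default entirely, so
    # `contents: read` must be restated beside `id-token: write` or checkout loses repo read access.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ needs.bump-version.outputs.new_version }}
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config for later steps
      - uses: astral-sh/setup-uv@v7
        with:
          enable-cache: false          # one-shot job: nothing to restore, nothing to poison
      - run: uv build --out-dir dist
      - uses: pypa/gh-action-pypi-publish@release/v1   # OIDC trusted publishing, no API token secret
        with:
          packages-dir: dist
          verbose: true
```

Because the publish steps live in the same workflow file that is registered with PyPI as the trusted publisher, the OIDC identity of the publishing job matches what PyPI expects, which is the point of moving the job out of the reusable workflow.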

Inline comment thread on .github/workflows/release-pypi.yaml
janmatzek enabled auto-merge (rebase) on July 2, 2026 08:21
janmatzek merged commit 5fd39e4 into gooddata:master on Jul 3, 2026
1 of 2 checks passed
janmatzek deleted the jmat/fix-trusted-publisher-release branch on July 3, 2026 08:18