Auto-publish Python packages to PyPI on main branch version change

This commit adds a GitHub Actions workflow that automatically publishes
the Python schema packages to PyPI when they have a version number
change that is pushed to the main branch.*

Packages are published in topological order, which is for now determined
by the hard-coded `def level` function in `scripts/package-versions.py`.

Eventually, we also want to auto-cut a GitHub Release after a successful
publish, but let's do that later.

*: For now, PyPI = Overture internal CodeArtifact repo, but eventually
it will be public PyPI.

Author: vcschapp

.github/workflows/publish-python-packages.yaml

@@ -0,0 +1,95 @@
+name: Publish Python packages to PyPI
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '**/pyproject.toml'
+      - 'packages/**/__about__.py'
+    inputs:
+      aws_iam_role_name:
+        description: The name of the IAM role to assume for accessing CodeArtifact
+        type: string
+        required: false
+        default: GithubActions_Schema_CodeArtifact_Publish
+      domain:
+        description: The CodeArtifact domain name
+        type: string
+        required: false
+        default: overture-pypi
+      repository:
+        description: The CodeArtifact repository name
+        type: string
+        required: false
+        default: overture
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check:
+    if: github.event.repository.full_name == github.repository
+    uses: ./.github/workflows/reusable-check-python-package-versions.yaml
+    with:
+      before_commit: ${{ github.event.before }}
+      after_commit: ${{ github.event.after }}
+
+  publish:
+    needs: [check]
+    if: github.event.repository.full_name == github.repository && needs.check.outputs.num_changed_packages > 0
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include: ${{ fromJson(needs.check.outputs.changed_packages) }}
+    steps:
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: latest
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Sync code to make packages visible to Python
+        run: uv sync --all-packages
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::505071440022:role/GithubActions_Schema_CodeArtifact_Publish
+          role-session-name: GitHubActions_${{github.job}}_${{github.run_id}}
+
+      - name: Get CodeArtifact publish URL
+        id: get-code-artifact-params
+        run: |
+          echo 'token<<EOF' >> $GITHUB_OUTPUT
+          ./.github/workflows/scripts/code-artifact.sh token \
+            505071440022 us-west-2 overture-pypi >> $GITHUB_OUTPUT
+          echo EOF >> $GITHUB_OUTPUT
+          echo 'publish_url<<EOF' >> $GITHUB_OUTPUT
+          ./.github/workflows/scripts/code-artifact.sh publish-url \
+            505071440022 us-west-2 overture-pypi overture >> $GITHUB_OUTPUT
+          echo EOF >> $GITHUB_OUTPUT
+
+      - name: Publish package ${{ matrix.package }} version ${{ matrix.after }} to PyPI
+        run: |
+          package="${{ matrix.package }}"
+          before="${{ matrix.before }}"
+          after="${{ matrix.after }}"
+          printf 'Publishing package %s version %s to PyPI (previous version %s)...\n' "$package" "$after" "$before"
+          uv build --package "$package"
+          wheel="dist/${package//-/_}-${after}-py3-none-any.whl"
+          if [ ! -f "$wheel" ]; then
+            echo "    Wheel file [$wheel] not found. Aborting!"
+            exit 1
+          fi
+          tarball="dist/${package//-/_}-${after}.tar.gz"
+          if [ ! -f "$tarball" ]; then
+            echo "    Source tarball file [$tarball] not found. Aborting!"
+            exit 1
+          fi
+          uv publish "$wheel" "$tarball" \
+             -t "${{ steps.get-code-artifact-params.outputs.token }}" \
+            --publish-url "${{ steps.get-code-artifact-params.outputs.publish_url }}"

.github/workflows/reusable-check-python-package-versions.yaml

@@ -15,22 +15,56 @@ on:
             PR or the latest commit in a push.
         type: string
         required: true
+      aws_account_id:
+        description: The AWS account ID that owns the CodeArtifact domain
+        type: string
+        required: false
+        default: 505071440022
+      aws_region:
+        description: The AWS region where the CodeArtifact repository is hosted
+        type: string
+        required: false
+        default: us-west-2
+      aws_iam_role_name:
+        description: The name of the IAM role to assume for accessing CodeArtifact
+        type: string
+        required: false
+        default: GithubActions_Schema_CodeArtifact_ReadOnly
+      domain:
+        description: The CodeArtifact domain name
+        type: string
+        required: false
+        default: overture-pypi
+      repository:
+        description: The CodeArtifact repository name
+        type: string
+        required: false
+        default: overture
+    outputs:
+      changed_packages:
+        description: >-
+          A JSON array of packages with changed versions, including package name, old version, and
+          new version, in the format: `[ {"package": "p1", "before": "v1", "after": "v2"}, ... ]`
+        value: ${{ jobs.check-python-package-versions.outputs.changed_packages }}
+      num_changed_packages:
+        description: The number of packages with changed versions
+        value: ${{ jobs.check-python-package-versions.outputs.num_changed_packages }}
 
-jobs:
-  get-index-url:
-    uses: ./.github/workflows/reusable-get-code-artifact-index-url.yaml
 
+jobs:
   check-python-package-versions:
-    needs: get-index-url
     runs-on: ubuntu-latest
+    outputs:
+      changed_packages: ${{ steps.save-changes.outputs.changed_packages }}
+      num_changed_packages: ${{ steps.save-changes.outputs.num_changed_packages }}
     steps:
       - name: Install jq
         run: sudo apt-get update && sudo apt-get install -y jq
 
       - name: Install uv
         uses: astral-sh/setup-uv@v4
         with:
-          version: "latest"
+          version: latest
 
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -69,13 +103,40 @@ jobs:
       - name: Print changed versions
         run: cat /tmp/package-version-diff.json
 
+      - name: Save changed versions as output
+        id: save-changes
+        run: |
+          echo 'changed_packages<<EOF' >> $GITHUB_OUTPUT
+          cat /tmp/package-version-diff.json >> $GITHUB_OUTPUT
+          echo EOF >> $GITHUB_OUTPUT
+          printf 'num_changed_packages=%s\n' "$(jq -c '. | length' /tmp/package-version-diff.json)" >> $GITHUB_OUTPUT
+
+      - name: Configure AWS credentials
+        if: steps.save-changes.outputs.num_changed_packages > 0
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ inputs.aws_region }}
+          role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/${{ inputs.aws_iam_role_name }}
+          role-session-name: GitHubActions_${{github.job}}_${{github.run_id}}
+
+      - name: Get CodeArtifact index URL
+        id: get-code-artifact-index-url
+        if: steps.save-changes.outputs.num_changed_packages > 0
+        run: |
+          echo 'index_url<<EOF' >> $GITHUB_OUTPUT
+          ./.github/workflows/scripts/code-artifact.sh index-url \
+            "${{ inputs.aws_account_id }}" "${{ inputs.aws_region }}" \
+            "${{ inputs.domain }}" "${{ inputs.repository }}" >> $GITHUB_OUTPUT
+          echo EOF >> $GITHUB_OUTPUT
+
       - name: Fail if any of the new versions already exist in the repo
+        if: steps.save-changes.outputs.num_changed_packages > 0
         run: |
           jq -c '.[]' /tmp/package-version-diff.json | while read -r entry; do
             package=$(echo "$entry" | jq -r '.package')
             after=$(echo "$entry" | jq -r '.after')
             exit_code=0
-            output=$(uv run pip download "${package}==${after}" --index-url "${{ needs.get-index-url.outputs.index_url }}simple/" --no-deps -d /tmp --quiet 2>&1) || exit_code=$?
+            output=$(uv run pip download "${package}==${after}" --index-url "${{ steps.get-code-artifact-index-url.outputs.index_url }}" --no-deps -d /tmp --quiet 2>&1) || exit_code=$?
             if [[ $exit_code -eq 0 || (
               "${output,,}" != *"could not find a version"* &&
               "${output,,}" != *"no matching distributions"*

.github/workflows/reusable-get-code-artifact-index-url.yaml

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+readonly subcommand="$1"
+
+function token() {
+  local -r aws_account_id="$1"
+  local -r aws_region="$2"
+  local -r domain="$3"
+
+  aws codeartifact get-authorization-token \
+    --region "$aws_region" \
+    --domain "$domain" \
+    --domain-owner "$aws_account_id" \
+    --query authorizationToken \
+    --output text
+}
+
+function repo_url() {
+  local -r token="$1"
+  local -r credentials="${token:+aws:$token@}"
+  local -r aws_account_id="$2"
+  local -r aws_region="$3"
+  local -r domain="$4"
+  local -r repository="$5"
+  local -r suffix="$6"
+
+  printf "https://%s%s-%s.d.codeartifact.%s.amazonaws.com/pypi/%s%s\n" \
+    "$credentials" "$domain" "$aws_account_id" "$aws_region" "$repository" "$suffix"
+}
+
+case "$subcommand" in
+  token)
+    if [ $# -ne 4 ]; then
+      >&2 echo "Usage: $0 token <aws_account_id> <aws_region> <domain>"
+      exit 1
+    fi
+    token "$2" "$3" "$4"
+    ;;
+
+  index-url|publish-url)
+    if [ $# -ne 5 ]; then
+      >&2 echo "Usage: $0 $subcommand <aws_account_id> <aws_region> <domain> <repository>"
+      exit 1
+    fi
+
+    if [ "$subcommand" = "index-url" ]; then
+      repo_url "$(token "$2" "$3" "$4")" "$2" "$3" "$4" "$5" "/simple/"
+    else
+      repo_url "" "$2" "$3" "$4" "$5" ""
+    fi
+    ;;
+
+  *)
+    >&2 echo "Unknown subcommand: ${subcommand:-<missing>}"
+    >&2 echo "Valid subcommands: token | index-url | publish-url"
+    exit 1
+    ;;
+esac

.github/workflows/scripts/code-artifact.sh

@@ -3,6 +3,7 @@
 from importlib import metadata
 from pathlib import Path
 import json
+import re
 import sys
 
 
@@ -35,6 +36,9 @@ def compare(before_file: str, after_file: str):
     Compare two JSON files containing package versions and print the packages that have a version
     number change as a JSON array.
 
+    The output JSON array is sorted in topological order by package name, so those changed packages
+    that do not depend on other changed packages appear first.
+
     Form of the JSON array:
 
         [ {"package": "p1", "before": "v1", "after": "v2"}, ... ]
@@ -48,7 +52,23 @@ def compare(before_file: str, after_file: str):
     before_dict = {item["package"]: item["version"] for item in before_array}
     after_dict = {item["package"]: item["version"] for item in after_array}
 
-    combined_keys = sorted(list(set(before_dict.keys()) | set(after_dict.keys())))
+    def level(package: str) -> int:
+        """
+        Return the level of a package for topological sorting.
+
+        This is brittle and hard to keep in sync, so we should replace it with a version that
+        dynamically computes dependencies in the future.
+        """
+        if package == "overture-schema-system":
+            return 0
+        elif package in ["overture-schema-core"]:
+            return 1
+        elif re.fullmatch(r'overture-schema-.*-theme', package) or package in ["overture-schema", "overture-schema-cli", "overture-schema-annex"]:
+            return 2
+        else:
+            raise ValueError(f"Unknown package for level computation: {package}")
+
+    combined_keys = sorted(list(set(before_dict.keys()) | set(after_dict.keys())), key=level)
 
     changed_packages = []
     for package in combined_keys:

.github/workflows/scripts/package-versions.py

@@ -1 +1 @@
-__version__ = "0.1.0"
+__version__ = "0.1.1.dev1"

packages/overture-schema-addresses-theme/src/overture/schema/addresses/__about__.py

@@ -1 +1 @@
-__version__ = "0.1.0"
+__version__ = "0.1.1.dev1"

packages/overture-schema-annex/src/overture/schema/__about__.py

@@ -1 +1 @@
-__version__ = "0.1.0"
+__version__ = "0.1.1.dev1"

packages/overture-schema-base-theme/src/overture/schema/base/__about__.py

@@ -1 +1 @@
-__version__ = "0.1.0"
+__version__ = "0.1.1.dev1"

packages/overture-schema-buildings-theme/src/overture/schema/buildings/__about__.py

@@ -1 +1 @@
-__version__ = "0.1.0"
+__version__ = "0.1.1.dev1"