bedrock-agentcore-sdk-python/.github/workflows/release-publish.yml at main · afarntrog/bedrock-agentcore-sdk-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
name: Release Publish

on:
  pull_request:
    types: [closed]
    branches: [main]

permissions:
  contents: write

jobs:
  build:
    name: Build from Main
    if: >
      github.event.pull_request.merged == true &&
      startsWith(github.event.pull_request.head.ref, 'release/v')
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}

    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.10'

      - name: Install uv
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Build and check package
        run: |
          uv venv
          source .venv/bin/activate
          uv pip install build twine
          uv build
          twine check dist/*

      - name: Get version
        id: version
        run: |
          VERSION=$(ls dist/*.whl | sed -n 's/.*-\([0-9.]*\)-.*/\1/p')
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "Version: $VERSION"

      - name: Upload artifacts
        uses: actions/upload-artifact@v7
        with:
          name: dist
          path: dist/

  release-approval:
    name: Release Approval
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: pypi-approval

    steps:
      - name: Approval checkpoint
        env:
          VERSION: ${{ needs.build.outputs.version }}
        run: |
          echo "✅ Build successful for v$VERSION"
          echo "📦 Package ready for PyPI publication"
          echo ""
          echo "⚠️  MANUAL APPROVAL REQUIRED"
          echo "Verify version and changelog before approving."

  publish-pypi:
    name: Publish to PyPI
    needs: [build, release-approval]
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/project/bedrock-agentcore/

    # id-token: write is required for OIDC Trusted Publishing.
    # This replaces the PYPI_API_TOKEN secret
    permissions:
      id-token: write
      contents: write

    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Download artifacts
        uses: actions/download-artifact@v8
        with:
          name: dist
          path: dist/

      # Uses the PyPI JSON API — stable and versioned.
      # pip index versions output format is not guaranteed stable across
      # pip versions and should not be used in CI.
      - name: Check if version already exists on PyPI
        env:
          VERSION: ${{ needs.build.outputs.version }}
        run: |
          PYPI_VERSIONS=$(curl -sf https://pypi.org/pypi/bedrock-agentcore/json \
            | python3 -c "import sys, json; releases = json.load(sys.stdin)['releases']; print('\n'.join(releases.keys()))")

          if echo "$PYPI_VERSIONS" | grep -qx "$VERSION"; then
            echo "❌ ERROR: Version $VERSION already exists on PyPI!"
            exit 1
          fi
          echo "✓ Version $VERSION is not on PyPI, safe to publish"

      # automatically detects and uses Trusted Publishing via OIDC when
      # no token is provided and id-token: write permission is set.
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          skip-existing: false
          verbose: true

      - name: Wait for PyPI availability
        env:
          VERSION: ${{ needs.build.outputs.version }}
        run: |
          echo "Waiting for package to be available on PyPI..."
          for i in {1..10}; do
            PYPI_VERSIONS=$(curl -sf https://pypi.org/pypi/bedrock-agentcore/json \
              | python3 -c "import sys, json; releases = json.load(sys.stdin)['releases']; print('\n'.join(releases.keys()))" 2>/dev/null)
            if echo "$PYPI_VERSIONS" | grep -qx "$VERSION"; then
              echo "✓ Package version $VERSION is now available on PyPI"
              break
            fi
            echo "Attempt $i/10: Package not yet available, waiting 30s..."
            sleep 30
          done

      - name: Create and push tag
        env:
          VERSION: ${{ needs.build.outputs.version }}
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "v$VERSION" -m "Release v$VERSION"
          git push origin "v$VERSION"

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: v${{ needs.build.outputs.version }}
          name: Bedrock AgentCore SDK v${{ needs.build.outputs.version }}
          files: dist/*
          generate_release_notes: true
          body: |
            ## Installation
            ```bash
            pip install bedrock-agentcore==${{ needs.build.outputs.version }}
            ```

            ## What's Changed
            See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/v${{ needs.build.outputs.version }}/CHANGELOG.md) for details.