ci(infra): drive contrib releases from discovery

.github/workflows/release.yaml

@@ -8,6 +8,10 @@ jobs:
     permissions:
       contents: write
       id-token: write
+    outputs:
+      released: ${{ steps.semantic_release.outputs.released }}
+      tag: ${{ steps.semantic_release.outputs.tag }}
+      contrib_matrix: ${{ steps.contrib_matrix.outputs.matrix }}
 
     steps:
       - name: Checkout
@@ -25,8 +29,20 @@ jobs:
       - name: Setup UV
         uses: astral-sh/setup-uv@v4
 
+      - name: Verify contrib wiring
+        run: python scripts/contrib_packages.py verify
+
+      - name: Compute contrib matrix
+        id: contrib_matrix
+        run: |
+          {
+            echo "matrix<<EOF"
+            python scripts/contrib_packages.py matrix
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
       - name: Python Semantic Release
-        id: release
+        id: semantic_release
         uses: python-semantic-release/python-semantic-release@v10.5.3
         with:
           git_committer_name: galileo-automation
@@ -37,54 +53,135 @@ jobs:
           root_options: "-vv"
 
       - name: Build Packages
-        if: steps.release.outputs.released == 'true'
+        if: steps.semantic_release.outputs.released == 'true'
         run: |
           uv sync
           uv run python scripts/build.py all
 
-      # Publish in dependency order: models -> evaluators -> sdk -> evaluator-galileo
+      - name: Upload built distributions
+        if: steps.semantic_release.outputs.released == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-dists
+          if-no-files-found: error
+          path: |
+            models/dist/*
+            evaluators/builtin/dist/*
+            sdks/python/dist/*
+            server/dist/*
+            evaluators/contrib/*/dist/*
+
+  publish-models:
+    runs-on: ubuntu-latest
+    needs: release
+    if: needs.release.outputs.released == 'true'
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download built distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: release-dists
+          path: .
+
       - name: Publish agent-control-models to PyPI
-        if: steps.release.outputs.released == 'true'
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: models/dist/
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}
 
+  publish-evaluators:
+    runs-on: ubuntu-latest
+    needs: [release, publish-models]
+    if: needs.release.outputs.released == 'true'
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download built distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: release-dists
+          path: .
+
       - name: Publish agent-control-evaluators to PyPI
-        if: steps.release.outputs.released == 'true'
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: evaluators/builtin/dist/
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}
 
-      - name: Publish agent-control-sdk to PyPI
-        if: steps.release.outputs.released == 'true'
+  publish-contrib:
+    runs-on: ubuntu-latest
+    needs: [release, publish-evaluators]
+    if: needs.release.outputs.released == 'true'
+    permissions:
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        contrib: ${{ fromJSON(needs.release.outputs.contrib_matrix) }}
+
+    steps:
+      - name: Download built distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: release-dists
+          path: .
+
+      - name: Publish ${{ matrix.contrib.package }} to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          packages-dir: sdks/python/dist/
+          packages-dir: ${{ matrix.contrib.dir }}/dist/
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}
 
-      - name: Publish agent-control-evaluator-galileo to PyPI
-        if: steps.release.outputs.released == 'true'
+  publish-sdk:
+    runs-on: ubuntu-latest
+    needs: [release, publish-contrib]
+    if: needs.release.outputs.released == 'true'
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download built distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: release-dists
+          path: .
+
+      - name: Publish agent-control-sdk to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          packages-dir: evaluators/contrib/galileo/dist/
+          packages-dir: sdks/python/dist/
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}
 
+  upload-release-assets:
+    runs-on: ubuntu-latest
+    needs: [release, publish-sdk]
+    if: needs.release.outputs.released == 'true'
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download built distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: release-dists
+          path: .
+
       - name: Upload to GitHub Release
-        if: steps.release.outputs.released == 'true'
         uses: python-semantic-release/upload-to-gh-release@main
         with:
           github_token: ${{ secrets.GALILEO_AUTOMATION_GITHUB_TOKEN || github.token }}
-          tag: ${{ steps.release.outputs.tag }}
+          tag: ${{ needs.release.outputs.tag }}
           root_options: "-vv"
           dist_glob: |
             models/dist/*
             evaluators/builtin/dist/*
             sdks/python/dist/*
             server/dist/*
-            evaluators/contrib/galileo/dist/*
+            evaluators/contrib/*/dist/*

evaluators/builtin/pyproject.toml

@@ -7,7 +7,7 @@ requires-python = ">=3.12"
 license = { text = "Apache-2.0" }
 authors = [{ name = "Agent Control Team" }]
 dependencies = [
-    "agent-control-models",
+    "agent-control-models>=7.5.0",
     "pydantic>=2.12.4",
     "google-re2>=1.1",
     "jsonschema>=4.0.0",