ci: use PYPI_TOKEN for publishing and fix infinite generate loop (#160)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: aaronsteers

.github/workflows/generate-command.yml

@@ -5,7 +5,7 @@
 #
 # Triggers:
 # - On push to main: Auto-generates after every merge to ensure SDK stays up-to-date (auto-merge enabled)
-# - Daily schedule (6 AM UTC): Catches upstream API spec changes (auto-merge enabled)
+# - Daily schedule (5 AM & 5 PM America/Los_Angeles): Catches upstream API spec changes (auto-merge enabled)
 # - Manual workflow_dispatch: For on-demand generation
 # - Slash command (/generate): Regenerates and pushes results back to the PR branch
 # - workflow_call: For validation from other workflows (e.g., PR checks)
@@ -30,7 +30,10 @@ name: Generate SDK
         branches:
             - main
     schedule:
-        - cron: '0 6 * * *'
+        - cron: '0 5 * * *'
+          timezone: America/Los_Angeles
+        - cron: '0 17 * * *'
+          timezone: America/Los_Angeles
     workflow_dispatch:
         inputs:
             dry_run:
@@ -203,6 +206,9 @@ jobs:
               if: ${{ !inputs.dry_run }}
               id: changes
               run: |
+                  # Restore workflow.lock to HEAD to ignore non-deterministic
+                  # digest changes that cause infinite generate→merge loops.
+                  git checkout HEAD -- .speakeasy/workflow.lock 2>/dev/null || true
                   if [ -n "$(git status --porcelain)" ]; then
                       echo "has_changes=true" >> $GITHUB_OUTPUT
                   else

.github/workflows/pre-release-command.yml

@@ -53,13 +53,9 @@ jobs:
   pre_release:
     name: Build & Publish Pre-Release
     runs-on: ubuntu-latest
-    environment:
-      name: pypi
-      url: https://pypi.org/project/airbyte-api/
     permissions:
       contents: write
       pull-requests: write
-      id-token: write
     steps:
       # ── Slash command: post starting comment ────────────────────────
       - name: Authenticate as GitHub App
@@ -129,7 +125,9 @@ jobs:
         run: uv build
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        run: uv publish
+        env:
+          UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
       # ── Tag the commit ──────────────────────────────────────────────
       - name: Create and push tag

.github/workflows/publish.yml

@@ -1,15 +1,10 @@
 # PyPI Publish Workflow
 #
 # Triggered when a GitHub Release is published (draft → published).
-# Builds the Python package and uploads it to PyPI using OIDC trusted publishing.
+# Builds the Python package and uploads it to PyPI using PYPI_TOKEN.
 #
 # Prerequisites:
-# - PyPI trusted publisher configured for this repository:
-#   https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/
-#   Owner: airbytehq
-#   Repository: airbyte-api-python-sdk
-#   Workflow: publish.yml
-#   Environment: pypi
+# - PYPI_TOKEN secret configured in the repository
 
 name: Publish to PyPI
 
@@ -24,11 +19,6 @@ jobs:
   publish:
     name: Build & Publish to PyPI
     runs-on: ubuntu-latest
-    environment:
-      name: pypi
-      url: https://pypi.org/project/airbyte-api/
-    permissions:
-      id-token: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -42,4 +32,6 @@ jobs:
         run: uv build
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        run: uv publish
+        env:
+          UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }}