ci: use PYPI_TOKEN for publishing and fix infinite generate loop#160
Conversation
Switch from PyPI OIDC trusted publishing to PYPI_TOKEN secret. OIDC requires PyPI Owner access to configure, which is currently blocked pending ownership transfer. PYPI_TOKEN was already configured in the repo from the v1 Speakeasy workflow. Co-Authored-By: AJ Steers <aj@airbyte.io>
- Restore workflow.lock to HEAD before checking for changes to avoid non-deterministic codeSamplesRevisionDigest diffs triggering endless generate→merge loops
- Change schedule from daily 6am UTC to 5am & 5pm Pacific (12:00 & 00:00 UTC)
Co-Authored-By: AJ Steers <aj@airbyte.io>
Pull request overview
Updates GitHub Actions workflows to publish the Python SDK to PyPI using a repository secret token (instead of OIDC trusted publishing), and adjusts the SDK generation workflow to avoid a non-deterministic lockfile change that can cause repeated auto-regen PRs.
Changes:
- Switch PyPI publishing in release + pre-release workflows from `pypa/gh-action-pypi-publish` (OIDC) to `uv publish` using `UV_PUBLISH_TOKEN` from `secrets.PYPI_TOKEN`.
- Prevent infinite generate→merge loops by restoring `.speakeasy/workflow.lock` to `HEAD` before checking for diffs.
- Update the generation schedule to run twice daily.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/publish.yml | Publish releases to PyPI via uv publish using PYPI_TOKEN-backed auth. |
| .github/workflows/pre-release-command.yml | Publish pre-releases to PyPI via uv publish using PYPI_TOKEN-backed auth. |
| .github/workflows/generate-command.yml | Avoids lockfile digest churn and updates the scheduled generation cadence. |
| schedule: | ||
| - cron: '0 6 * * *' | ||
| - cron: '0 5 * * *' | ||
| timezone: America/Los_Angeles | ||
| - cron: '0 17 * * *' | ||
| timezone: America/Los_Angeles |
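Review bot: GitHub Actions evaluates `schedule` crons in UTC only and its workflow syntax has no `timezone` key under a cron entry, so the `timezone: America/Los_Angeles` lines will not make these jobs run at 5am/5pm Pacific as written. The PR summary already states the intended UTC expressions, `0 12 * * *` and `0 0 * * *`; use those two cron entries and drop the timezone lines, accepting that the Pacific wall-clock time shifts by an hour across DST.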
| # Triggers: | ||
| # - On push to main: Auto-generates after every merge to ensure SDK stays up-to-date (auto-merge enabled) | ||
| # - Daily schedule (6 AM UTC): Catches upstream API spec changes (auto-merge enabled) | ||
| # - Daily schedule (5 AM & 5 PM America/Los_Angeles): Catches upstream API spec changes (auto-merge enabled) |
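Review bot: the header comment should describe the schedule as it actually runs. Since crons are evaluated in UTC and the PR summary gives the intended expressions as `0 12 * * *` and `0 0 * * *`, state the UTC times here (for example "12:00 & 00:00 UTC, roughly 5 AM & 5 PM Pacific") rather than implying an America/Los_Angeles schedule the cron syntax cannot express, and mention the one-hour DST drift so nobody files a bug when the Pacific time moves.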
🚩 Removal of GitHub environment protection for PyPI publishing
Both publish.yml and pre-release-command.yml previously declared environment: name: pypi which may have had GitHub environment protection rules (e.g., required reviewers, deployment branch restrictions). The PR removes these environment blocks entirely as part of the OIDC→token migration. If the pypi environment had protection rules configured in the repository settings, those guardrails are now bypassed. This is likely intentional since token-based auth doesn't require environment-scoped OIDC, but worth confirming that no protection rules are being lost.
| - name: Publish to PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
| run: uv publish | ||
| env: | ||
| UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }} |
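Review bot: with the step now authenticating through a long-lived `PYPI_TOKEN` secret, two things should go with this change. The `id-token: write` permission the summary says was granted for OIDC no longer has a consumer and should be dropped, and the `environment: pypi` block that the other review comment notes was removed is worth keeping so the secret stays environment-scoped behind any required-reviewer or branch rules. Also confirm the stored token is a PyPI project-scoped token rather than an account-wide one, since a leaked account token exposes every project that account owns.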
🟡 CONTRIBUTING.md still references OIDC publishing after switch to PYPI_TOKEN
The PR changes both publish.yml and pre-release-command.yml from OIDC trusted publishing (pypa/gh-action-pypi-publish) to token-based publishing (uv publish with UV_PUBLISH_TOKEN), but CONTRIBUTING.md — a mandatory documentation file per AGENTS.md:25 — was not updated. It still says "published to PyPI via OIDC trusted publishing" at CONTRIBUTING.md:55 and "this triggers PyPI publication via OIDC" at CONTRIBUTING.md:78. Contributors and agents following this documentation will have an incorrect understanding of the publishing mechanism.
Prompt for agents
The PR changes the PyPI publishing mechanism from OIDC trusted publishing to token-based publishing using uv publish with PYPI_TOKEN. However, CONTRIBUTING.md was not updated to reflect this change. Two locations need to be fixed:
1. CONTRIBUTING.md line 55: Change "published to PyPI via OIDC trusted publishing" to "published to PyPI using a PYPI_TOKEN secret"
2. CONTRIBUTING.md line 78: Change "this triggers PyPI publication via OIDC" to "this triggers PyPI publication via PYPI_TOKEN"
The publish.yml header comment (line 4) was correctly updated to say "using PYPI_TOKEN" but the corresponding documentation file was missed.
Summary
Three changes:
- PYPI_TOKEN for publishing: Switches `publish.yml` and `pre-release-command.yml` from OIDC trusted publishing (`pypa/gh-action-pypi-publish` + `id-token: write`) to `uv publish` with `UV_PUBLISH_TOKEN`. OIDC requires PyPI Owner access to configure, which is blocked pending ownership transfer.
- Fix infinite generate→merge loop: `generate-command.yml` restores `.speakeasy/workflow.lock` to HEAD before checking for changes. The `codeSamplesRevisionDigest` in this file is non-deterministic across runs, causing every generation to detect a diff, create a PR, auto-merge, and trigger another generation.
- Update schedule: Generation schedule changed from daily 6am UTC to 5am & 5pm Pacific (`0 12 * * *` and `0 0 * * *`).

Link to Devin session: https://app.devin.ai/sessions/854c664803f3400387fdaa02e123b888
Requested by: Aaron ("AJ") Steers (@aaronsteers)
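The loop fix described in the summary, shown as an added example that is not code from this PR or the repository: a throwaway git repo with a constructed `.speakeasy/workflow.lock` whose digest field changes on every "run", and a check that restores that file to HEAD before deciding whether a regeneration PR is warranted. It assumes `git` is on PATH; the lockfile contents and the `src/sdk.py` file are constructed for the demonstration.

```shell
# Added example (not from the PR). Reproduces why a lockfile field that changes on
# every run (codeSamplesRevisionDigest) makes `git diff` always non-empty, and how
# restoring that file to HEAD before the check lets only real SDK changes count.
set -eu

LOCKFILE=".speakeasy/workflow.lock"   # path named in the PR

# Returns 0 if the working tree has changes other than lockfile churn, 1 otherwise.
has_real_changes() {
  git checkout HEAD -- "$LOCKFILE" 2>/dev/null || true   # discard the digest-only diff
  ! git diff --quiet                                      # 0 when something else changed
}

# Build a throwaway repo with a constructed lockfile and one source file.
setup_repo() {
  dir=$(mktemp -d)
  cd "$dir"
  git init -q
  mkdir -p .speakeasy src
  printf 'codeSamplesRevisionDigest: sha256:aaaa\n' > "$LOCKFILE"
  printf 'VERSION = "1.0.0"\n' > src/sdk.py
  git add -A
  git -c user.name=ci -c user.email=ci@example.com commit -qm "initial"
}

# Case 1: only the digest changed, which is what the buggy workflow saw every run.
digest_only_changes() {
  setup_repo
  printf 'codeSamplesRevisionDigest: sha256:bbbb\n' > "$LOCKFILE"
  if has_real_changes; then echo yes; else echo no; fi
}

# Case 2: the digest changed AND a generated source file changed.
digest_and_source_change() {
  setup_repo
  printf 'codeSamplesRevisionDigest: sha256:cccc\n' > "$LOCKFILE"
  printf 'VERSION = "1.0.1"\n' > src/sdk.py
  if has_real_changes; then echo yes; else echo no; fi
}
```

Without the `git checkout HEAD -- "$LOCKFILE"` line, case 1 also reports `yes`, which is exactly the condition that opened a PR, auto-merged it, and retriggered generation.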