Merged
10 changes: 8 additions & 2 deletions .github/workflows/generate-command.yml
Expand Up @@ -5,7 +5,7 @@
#
# Triggers:
# - On push to main: Auto-generates after every merge to ensure SDK stays up-to-date (auto-merge enabled)
# - Daily schedule (6 AM UTC): Catches upstream API spec changes (auto-merge enabled)
# - Daily schedule (5 AM & 5 PM America/Los_Angeles): Catches upstream API spec changes (auto-merge enabled)
# - Manual workflow_dispatch: For on-demand generation
# - Slash command (/generate): Regenerates and pushes results back to the PR branch
# - workflow_call: For validation from other workflows (e.g., PR checks)
Expand All @@ -30,7 +30,10 @@ name: Generate SDK
branches:
- main
schedule:
- cron: '0 6 * * *'
- cron: '0 5 * * *'
timezone: America/Los_Angeles
- cron: '0 17 * * *'
timezone: America/Los_Angeles
workflow_dispatch:
inputs:
dry_run:
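Review bot: both new `schedule` entries depend on the `timezone: America/Los_Angeles` key being honoured; where it is ignored the crons are evaluated in UTC and the runs land at 05:00 and 17:00 UTC rather than the Pacific times the header comment now promises. Check the trigger times of the first scheduled runs after merge. Because the header lists scheduled runs as auto-merge enabled, going from one entry to two also doubles the number of unattended generate-and-merge runs per day.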
Expand Down Expand Up @@ -203,6 +206,9 @@ jobs:
if: ${{ !inputs.dry_run }}
id: changes
run: |
# Restore workflow.lock to HEAD to ignore non-deterministic
# digest changes that cause infinite generate→merge loops.
git checkout HEAD -- .speakeasy/workflow.lock 2>/dev/null || true
if [ -n "$(git status --porcelain)" ]; then
echo "has_changes=true" >> $GITHUB_OUTPUT
else
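Review bot: in the `changes` step, `git checkout HEAD -- .speakeasy/workflow.lock 2>/dev/null || true` discards every lock update, including ones that accompany real generated changes, and hides any failure of the restore itself. When the restore fails, the digest-only diff is counted as a change again and the loop this is meant to stop returns with nothing in the log. Suggest dropping `2>/dev/null`, logging when the restore is skipped, and restoring the lock only when it is the sole modified path.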
8 changes: 3 additions & 5 deletions .github/workflows/pre-release-command.yml
Expand Up @@ -53,13 +53,9 @@ jobs:
pre_release:
name: Build & Publish Pre-Release
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/project/airbyte-api/
permissions:
contents: write
pull-requests: write
id-token: write
steps:
# ── Slash command: post starting comment ────────────────────────
- name: Authenticate as GitHub App
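Review bot: removing `environment: name: pypi` from `pre_release` leaves a publishing job that is started by a slash command and holds `contents: write` and `pull-requests: write` with no environment gate in front of it. If the `pypi` environment carried required reviewers or branch restrictions, nothing in this hunk replaces them. Token auth does not require dropping the environment: keep the `environment:` block and store `PYPI_TOKEN` as an environment secret so the gate still applies to the job that reads it.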
Expand Down Expand Up @@ -129,7 +125,9 @@ jobs:
run: uv build

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
run: uv publish
env:
UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }}

# ── Tag the commit ──────────────────────────────────────────────
- name: Create and push tag
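Review bot: the `Publish to PyPI` step now authenticates with a long-lived secret, `UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }}`, where the previous action obtained a short-lived credential through OIDC, and the diff does not say what that token is allowed to do. Confirm it is a project-scoped token for `airbyte-api` rather than an account-wide one, and record who rotates it. Keeping the variable in this step's `env:` rather than at job level is the right choice and should stay that way.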
18 changes: 5 additions & 13 deletions .github/workflows/publish.yml

Contributor


🚩 Removal of GitHub environment protection for PyPI publishing

Both publish.yml and pre-release-command.yml previously declared environment: name: pypi which may have had GitHub environment protection rules (e.g., required reviewers, deployment branch restrictions). The PR removes these environment blocks entirely as part of the OIDC→token migration. If the pypi environment had protection rules configured in the repository settings, those guardrails are now bypassed. This is likely intentional since token-based auth doesn't require environment-scoped OIDC, but worth confirming that no protection rules are being lost.

@@ -1,15 +1,10 @@
# PyPI Publish Workflow
#
# Triggered when a GitHub Release is published (draft → published).
# Builds the Python package and uploads it to PyPI using OIDC trusted publishing.
# Builds the Python package and uploads it to PyPI using PYPI_TOKEN.
#
# Prerequisites:
# - PyPI trusted publisher configured for this repository:
# https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/
# Owner: airbytehq
# Repository: airbyte-api-python-sdk
# Workflow: publish.yml
# Environment: pypi
# - PYPI_TOKEN secret configured in the repository

name: Publish to PyPI
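Review bot: the prerequisites comment drops the trusted-publisher entry (owner `airbytehq`, workflow `publish.yml`, environment `pypi`) but does not say whether that publisher is also being removed on the PyPI side. If it stays registered, it remains an accepted publishing identity that the repository no longer documents. Either remove it on PyPI as part of this change or keep a line here noting that it still exists.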

Expand All @@ -24,11 +19,6 @@ jobs:
publish:
name: Build & Publish to PyPI
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/project/airbyte-api/
permissions:
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
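Review bot: with `permissions: id-token: write` removed, the `publish` job has no `permissions:` key in the visible lines, so unless a workflow-level block outside this hunk sets one, `GITHUB_TOKEN` falls back to the repository default instead of the previous near-empty grant. The job only checks out, builds and uploads, so add `permissions: contents: read` to keep it least-privilege.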
Expand All @@ -42,4 +32,6 @@ jobs:
run: uv build

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
run: uv publish
env:
UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }}
Comment on lines 34 to +37

Contributor


🟡 CONTRIBUTING.md still references OIDC publishing after switch to PYPI_TOKEN

The PR changes both publish.yml and pre-release-command.yml from OIDC trusted publishing (pypa/gh-action-pypi-publish) to token-based publishing (uv publish with UV_PUBLISH_TOKEN), but CONTRIBUTING.md — a mandatory documentation file per AGENTS.md:25 — was not updated. It still says "published to PyPI via OIDC trusted publishing" at CONTRIBUTING.md:55 and "this triggers PyPI publication via OIDC" at CONTRIBUTING.md:78. Contributors and agents following this documentation will have an incorrect understanding of the publishing mechanism.

Prompt for agents
The PR changes the PyPI publishing mechanism from OIDC trusted publishing to token-based publishing using uv publish with PYPI_TOKEN. However, CONTRIBUTING.md was not updated to reflect this change. Two locations need to be fixed:

1. CONTRIBUTING.md line 55: Change "published to PyPI via OIDC trusted publishing" to "published to PyPI using a PYPI_TOKEN secret"
2. CONTRIBUTING.md line 78: Change "this triggers PyPI publication via OIDC" to "this triggers PyPI publication via PYPI_TOKEN"

The publish.yml header comment (line 4) was correctly updated to say "using PYPI_TOKEN" but the corresponding documentation file was missed.