Skip to content

Commit 4519bf9

Browse files
committed
Skill issue πŸ€·πŸ»β€β™‚οΈ
1 parent f83ec14 commit 4519bf9

2 files changed

Lines changed: 17 additions & 0 deletions

File tree

β€Ž.agents/skills/ci-cd/SKILL.mdβ€Ž

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -370,6 +370,15 @@ permissions:
370370
371371
No `PYPI_TOKEN` secret needed. The action exchanges the GitHub OIDC JWT for a short-lived PyPI token automatically.
372372

373+
**Each PyPI package Γ— workflow combination needs its own trusted publisher.** The CLI package (`smbcloud-cli`) is configured for `release-pypi.yml`, but the SDK package (`smbcloud-sdk-auth`) needs a separate trusted publisher pointing at `release-sdk-pypi.yml`. Configure it at `https://pypi.org/manage/project/<package>/settings/publishing/` with:
374+
375+
- Owner: `smbcloudXYZ`
376+
- Repository: `smbcloud-cli`
377+
- Workflow name: the exact `.yml` filename that publishes that package
378+
- Environment: leave blank
379+
380+
If the trusted publisher is missing, the publish step fails with `invalid-publisher: valid token, but no corresponding publisher`.
381+
373382
### npm β€” does NOT support trusted publishing natively
374383

375384
npm has no OIDC-based trusted publishing equivalent to PyPI. The `id-token: write` permission in the npm workflow is unused for auth.
@@ -705,6 +714,9 @@ After bumping, regenerate lockfiles with `cargo generate-lockfile` and `bundle l
705714
**Tagging a release on a feature branch instead of `development`**
706715
Always tag on `development` (the mainline branch). Tagging on a feature branch leaves `development` without the release commit, making git history confusing and future releases error-prone. Merge the feature branch into `development` first, then tag. If a tag was already placed on the wrong commit, move it with `git tag -f v<version>` and `git push origin v<version> --force`.
707716

717+
**"Re-run all jobs" on an old workflow run rebuilds from the old commit**
718+
GitHub Actions workflow re-runs always use the commit the run was originally dispatched with. If you moved a tag after the run was created, the re-run still checks out the old commit. Use "Re-run failed jobs" only when the code on that commit is correct and only an external issue (e.g. missing trusted publisher) caused the failure. If the code itself was fixed, dispatch a fresh run instead: `gh workflow run <workflow>.yml -f tag=v<version>`.
719+
708720
**Building the full workspace in release workflows**
709721
Always pass `--package smbcloud-cli` to `cargo build` and `cargo publish`. Omitting it builds `smbcloud-auth-sdk-py` (PyO3 cdylib) which fails on platforms without a matching Python interpreter.
710722

β€Ž.agents/skills/smbcloud-cli-release/SKILL.mdβ€Ž

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,11 @@ Use these files as the release source of truth:
2929
- npm wrapper launcher: `npm/smbcloud-cli/src/index.ts`
3030
- PyPI package metadata: `pypi/pyproject.toml`
3131
- PyPI package README: `pypi/README.md`
32+
- SDK PyPI package metadata: `sdk/python/pyproject.toml`
33+
- SDK Ruby gem auth version: `sdk/gems/auth/lib/auth/version.rb`
34+
- SDK Ruby gem auth native extension: `sdk/gems/auth/ext/auth/Cargo.toml`
35+
- SDK Ruby gem model version: `sdk/gems/model/lib/model/version.rb`
36+
- SDK Ruby gem model native extension: `sdk/gems/model/ext/model/Cargo.toml`
3237

3338
## Version sync rules
3439

0 commit comments

Comments
Β (0)