agent-eval/.github/workflows/publish.yml at main · tangle-network/agent-eval · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: Publish

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:

jobs:
  # Verify both packages build and pass tests, in lockstep.
  # If either fails, neither publishes.
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
          registry-url: https://registry.npmjs.org

      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install JS deps
        run: pnpm install --frozen-lockfile

      - name: Typecheck JS
        run: pnpm typecheck

      - name: Test JS
        run: pnpm test

      - name: Build JS and emit OpenAPI spec
        run: pnpm build

      - name: Verify version lock between npm and PyPI packages
        run: |
          NPM_VERSION=$(node -p "require('./package.json').version")
          PY_VERSION=$(grep -E '^version' clients/python/pyproject.toml | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
          PY_RUNTIME_VERSION=$(python -c "import pathlib,re; text=pathlib.Path('clients/python/src/agent_eval_rpc/__init__.py').read_text(); match=re.search(r'__version__ = \"([^\"]+)\"', text); print(match.group(1) if match else '')")
          if [ "$NPM_VERSION" != "$PY_VERSION" ]; then
            echo "::error::Version mismatch: npm=$NPM_VERSION pypi=$PY_VERSION. Bump them together."
            exit 1
          fi
          if [ -n "$PY_RUNTIME_VERSION" ] && [ "$NPM_VERSION" != "$PY_RUNTIME_VERSION" ]; then
            echo "::error::Version mismatch: npm=$NPM_VERSION python_runtime=$PY_RUNTIME_VERSION. Bump them together."
            exit 1
          fi
          if [[ "${GITHUB_REF:-}" == refs/tags/v* ]]; then
            TAG_VERSION="${GITHUB_REF#refs/tags/v}"
            if [ "$TAG_VERSION" != "$NPM_VERSION" ]; then
              echo "::error::Tag/version mismatch: tag=$TAG_VERSION package=$NPM_VERSION."
              exit 1
            fi
          fi
          echo "Versions locked: $NPM_VERSION"

      - name: Install Python client
        working-directory: clients/python
        run: pip install -e ".[dev]"

      - name: Test Python client (incl. real subprocess integration)
        working-directory: clients/python
        run: pytest -v

      - name: Upload OpenAPI artifact
        uses: actions/upload-artifact@v4
        with:
          name: openapi
          path: dist/openapi.json

      - name: Upload Python build context
        uses: actions/upload-artifact@v4
        with:
          name: python-source
          path: clients/python

  publish-npm:
    needs: verify
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
          registry-url: https://registry.npmjs.org

      - run: pnpm install --frozen-lockfile
      - run: pnpm build

      # Idempotent: re-running a tag whose npm version is already published
      # (e.g. after a manual `pnpm publish` plus a workflow rerun) must not
      # block the downstream PyPI step.
      - name: Publish to npm (skip if already published)
        run: |
          NAME=$(node -p "require('./package.json').name")
          VERSION=$(node -p "require('./package.json').version")
          if npm view "$NAME@$VERSION" version >/dev/null 2>&1; then
            echo "$NAME@$VERSION already on registry; skipping publish"
          else
            pnpm publish --no-git-checks --access public
          fi
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  publish-pypi:
    # PyPI publish is independent of npm — both gate on `verify` so a version
    # mismatch blocks both, but a re-run after a successful npm publish must
    # still be able to push the matching PyPI artifact.
    needs: verify
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install build tools
        run: pip install build twine

      - name: Build wheel + sdist
        working-directory: clients/python
        run: python -m build

      - name: Check whether this version is already on PyPI
        id: pypi-check
        run: |
          VERSION=$(grep -E '^version' clients/python/pyproject.toml | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
          if curl -sf "https://pypi.org/pypi/agent-eval-rpc/$VERSION/json" >/dev/null; then
            echo "agent-eval-rpc==$VERSION already on PyPI; skipping publish"
            echo "skip=true" >> "$GITHUB_OUTPUT"
          else
            echo "skip=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Publish to PyPI (trusted publishing)
        if: steps.pypi-check.outputs.skip != 'true'
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: clients/python/dist