fix(publish): unblock 0.21.0 PyPI release; make publishes idempotent (#38)

Two issues kept past releases (and 0.21.0) from auto-publishing PyPI:

  1. clients/python/src/tangle_agent_eval/__init__.py carried a hardcoded
     `__version__` fallback that drifts every release. The verify step in
     publish.yml compares it against package.json and exits with
     "Version mismatch: npm=X python_runtime=Y" before either publish runs.

  2. publish-pypi declared `needs: [verify, publish-npm]`. After a tag
     re-fire (manual publish, workflow re-run, or a fresh tag on the same
     commit), publish-npm trips over "version already on registry" and
     blocks PyPI. Coupling these stages was the wrong primitive — PyPI is
     not downstream of npm; they're parallel artifacts of the same release.

Fix:

  - Bump the Python runtime fallback to 0.21.0. Pre-commit, this matched
    pyproject.toml; releasing requires bumping it too. (A future cleanup
    is to derive __version__ from pyproject.toml at build time so the
    drift can't happen — out of scope here.)
  - publish-npm now skips with a log message when the version is already on
    the registry, instead of failing.
  - publish-pypi gates on `verify` only, and pre-checks PyPI for the
    version before invoking the trusted-publish action — idempotent on
    re-fires.

After this lands, deleting + force-re-pushing v0.21.0 will fire the
workflow and publish the PyPI sdist + wheel that 0.21.0 needs to match
the already-published @tangle-network/agent-eval@0.21.0 on npm.

Author: drewstone

.github/workflows/publish.yml

@@ -100,12 +100,27 @@ jobs:
 
       - run: pnpm install --frozen-lockfile
       - run: pnpm build
-      - run: pnpm publish --no-git-checks --access public
+
+      # Idempotent: re-running a tag whose npm version is already published
+      # (e.g. after a manual `pnpm publish` plus a workflow rerun) must not
+      # block the downstream PyPI step.
+      - name: Publish to npm (skip if already published)
+        run: |
+          NAME=$(node -p "require('./package.json').name")
+          VERSION=$(node -p "require('./package.json').version")
+          if npm view "$NAME@$VERSION" version >/dev/null 2>&1; then
+            echo "$NAME@$VERSION already on registry; skipping publish"
+          else
+            pnpm publish --no-git-checks --access public
+          fi
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
   publish-pypi:
-    needs: [verify, publish-npm]
+    # PyPI publish is independent of npm — both gate on `verify` so a version
+    # mismatch blocks both, but a re-run after a successful npm publish must
+    # still be able to push the matching PyPI artifact.
+    needs: verify
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     permissions:
@@ -125,7 +140,19 @@ jobs:
         working-directory: clients/python
         run: python -m build
 
+      - name: Check whether this version is already on PyPI
+        id: pypi-check
+        run: |
+          VERSION=$(grep -E '^version' clients/python/pyproject.toml | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
+          if curl -sf "https://pypi.org/pypi/tangle-agent-eval/$VERSION/json" >/dev/null; then
+            echo "tangle-agent-eval==$VERSION already on PyPI; skipping publish"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Publish to PyPI (trusted publishing)
+        if: steps.pypi-check.outputs.skip != 'true'
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: clients/python/dist

clients/python/src/tangle_agent_eval/__init__.py

@@ -44,7 +44,7 @@
 try:
     __version__ = version("tangle-agent-eval")
 except PackageNotFoundError:
-    __version__ = "0.20.10"
+    __version__ = "0.21.0"
 
 __all__ = [
     "Client",