feat(ci): add Test PyPI release workflow for splunk-ao#44
Conversation
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
fercor-cisco
left a comment
There was a problem hiding this comment.
🤖 This review was generated by the Astra agent (claude-opus-4-8). It may contain mistakes.
Verdict: needs_discussion — Workflow publishes to Test PyPI on every PR push via an undocumented pull_request trigger that contradicts the PR description's "manual workflow_dispatch" framing; intent and security surface need confirmation.
General Comments
- 🟠 major (design): The PR description says this is "a
workflow_dispatchpipeline" and instructs reviewers to "Trigger manually from the Actions tab." It does not mention thepull_request:trigger, which is the most consequential part of the file: it publishes a.dev<run_number>release to Test PyPI on every PR push (opened/synchronize/reopened), for every PR in the repo — including this one. That is a meaningful scope/behavior change that isn't described anywhere in the summary. Please confirm this is intended, and update the description accordingly. If auto-publishing on PRs is desired, consider scoping it (e.g.branches,paths, or a label gate) so unrelated/docs-only PRs don't each mint a Test PyPI release.
Follow-ups
Suggested follow-up work that could be tracked as Shortcut stories:
.github/workflows/release-splunk-ao-test.yaml:31-46: Thesedfor__version__and thepoetry versioncall are duplicated across the 'Set pre-release version' and 'Override version' steps. If more version-bump logic is added later, consider extracting a small reusable script/step to keep the two paths in sync and ensurepyproject.tomlandsrc/splunk_ao/__init__.pynever drift.
| name: Release splunk-ao to Test PyPI | ||
|
|
||
| on: | ||
| pull_request: # Publishes a .dev pre-release on every PR push |
There was a problem hiding this comment.
🟠 major (security): Publishing to Test PyPI on the pull_request event needs a security review. pull_request runs on PRs from forks as well; while GitHub withholds repo secrets and constrains the id-token for fork PRs (so the OIDC publish should fail rather than succeed for a fork), you are still running poetry build on untrusted PR code and then feeding its artifact into a publish job wired to a trusted-publisher environment. Please confirm: (1) whether fork PRs are expected/allowed to reach the publish job at all, and (2) whether the testpypi environment's protection rules (branch restrictions / required reviewers) actually block unwanted publishes. Safer options: gate the publish job with if: github.event.pull_request.head.repo.full_name == github.repository (skip forks), or restrict the trigger to internal branches.
🤖 Generated by Astra
| on: | ||
| pull_request: # Publishes a .dev pre-release on every PR push | ||
| workflow_dispatch: | ||
| inputs: | ||
| version: | ||
| description: 'Version to publish (e.g., 1.2.3, 2.0.0b1). Leave empty to use the version in pyproject.toml as-is.' | ||
| required: false | ||
| type: string |
There was a problem hiding this comment.
🟡 minor (bug): No concurrency group is defined and the dev version is derived from github.run_number. Re-running a previous workflow run reuses the same run_number, producing the same X.Y.Z.dev<n> version; pypa/gh-action-pypi-publish errors on an already-existing version by default, so a re-run will fail at the publish step. Consider adding a concurrency group (cancel-in-progress for PR builds) and/or setting skip-existing: true on the publish step to make re-runs idempotent.
| on: | |
| pull_request: # Publishes a .dev pre-release on every PR push | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'Version to publish (e.g., 1.2.3, 2.0.0b1). Leave empty to use the version in pyproject.toml as-is.' | |
| required: false | |
| type: string | |
| on: | |
| pull_request: # Publishes a .dev pre-release on every PR push | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'Version to publish (e.g., 1.2.3, 2.0.0b1). Leave empty to use the version in pyproject.toml as-is.' | |
| required: false | |
| type: string | |
| concurrency: | |
| group: release-test-pypi-${{ github.ref }} | |
| cancel-in-progress: true |
🤖 Generated by Astra
Summary
.github/workflows/release-splunk-ao-test.yaml— aworkflow_dispatchpipeline that builds and publishes thesplunk-aopackage to Test PyPIrelease-splunk-ao-test.yaml, environment:testpypi)How it works
pyproject.tomlandsrc/splunk_ao/__init__.pylocally (no commit back to the branch)Test plan
0.1.0b1Made with Cursor