Skip to content

feat(ci): add Test PyPI release workflow for splunk-ao#44

Open
adityamehra wants to merge 3 commits into
mainfrom
feat/release-splunk-ao-test-pypi-v2
Open

feat(ci): add Test PyPI release workflow for splunk-ao#44
adityamehra wants to merge 3 commits into
mainfrom
feat/release-splunk-ao-test-pypi-v2

Conversation

@adityamehra

Copy link
Copy Markdown
Member

Summary

  • Adds .github/workflows/release-splunk-ao-test.yaml — a workflow_dispatch pipeline that builds and publishes the splunk-ao package to Test PyPI
  • Uses PyPI Trusted Publisher (OIDC) — no stored API token needed
  • Matches the pending Trusted Publisher already configured on test.pypi.org (workflow: release-splunk-ao-test.yaml, environment: testpypi)

How it works

  1. Trigger manually from the Actions tab with an optional version override
  2. If a version is supplied, it patches pyproject.toml and src/splunk_ao/__init__.py locally (no commit back to the branch)
  3. Builds the package with Poetry 2.4.1
  4. Publishes to Test PyPI via OIDC

Test plan

Made with Cursor

adityamehra and others added 3 commits June 24, 2026 17:06
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

@fercor-cisco fercor-cisco left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 This review was generated by the Astra agent (claude-opus-4-8). It may contain mistakes.

Verdict: needs_discussion — Workflow publishes to Test PyPI on every PR push via an undocumented pull_request trigger that contradicts the PR description's "manual workflow_dispatch" framing; intent and security surface need confirmation.

General Comments

  • 🟠 major (design): The PR description says this is "a workflow_dispatch pipeline" and instructs reviewers to "Trigger manually from the Actions tab." It does not mention the pull_request: trigger, which is the most consequential part of the file: it publishes a .dev<run_number> release to Test PyPI on every PR push (opened/synchronize/reopened), for every PR in the repo — including this one. That is a meaningful scope/behavior change that isn't described anywhere in the summary. Please confirm this is intended, and update the description accordingly. If auto-publishing on PRs is desired, consider scoping it (e.g. branches, paths, or a label gate) so unrelated/docs-only PRs don't each mint a Test PyPI release.

Follow-ups

Suggested follow-up work that could be tracked as Shortcut stories:

  • .github/workflows/release-splunk-ao-test.yaml:31-46: The sed for __version__ and the poetry version call are duplicated across the 'Set pre-release version' and 'Override version' steps. If more version-bump logic is added later, consider extracting a small reusable script/step to keep the two paths in sync and ensure pyproject.toml and src/splunk_ao/__init__.py never drift.

name: Release splunk-ao to Test PyPI

on:
pull_request: # Publishes a .dev pre-release on every PR push

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 major (security): Publishing to Test PyPI on the pull_request event needs a security review. pull_request runs on PRs from forks as well; while GitHub withholds repo secrets and constrains the id-token for fork PRs (so the OIDC publish should fail rather than succeed for a fork), you are still running poetry build on untrusted PR code and then feeding its artifact into a publish job wired to a trusted-publisher environment. Please confirm: (1) whether fork PRs are expected/allowed to reach the publish job at all, and (2) whether the testpypi environment's protection rules (branch restrictions / required reviewers) actually block unwanted publishes. Safer options: gate the publish job with if: github.event.pull_request.head.repo.full_name == github.repository (skip forks), or restrict the trigger to internal branches.

🤖 Generated by Astra

Comment on lines +3 to +10
on:
pull_request: # Publishes a .dev pre-release on every PR push
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 1.2.3, 2.0.0b1). Leave empty to use the version in pyproject.toml as-is.'
required: false
type: string

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 minor (bug): No concurrency group is defined and the dev version is derived from github.run_number. Re-running a previous workflow run reuses the same run_number, producing the same X.Y.Z.dev<n> version; pypa/gh-action-pypi-publish errors on an already-existing version by default, so a re-run will fail at the publish step. Consider adding a concurrency group (cancel-in-progress for PR builds) and/or setting skip-existing: true on the publish step to make re-runs idempotent.

Suggested change
on:
pull_request: # Publishes a .dev pre-release on every PR push
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 1.2.3, 2.0.0b1). Leave empty to use the version in pyproject.toml as-is.'
required: false
type: string
on:
pull_request: # Publishes a .dev pre-release on every PR push
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 1.2.3, 2.0.0b1). Leave empty to use the version in pyproject.toml as-is.'
required: false
type: string
concurrency:
group: release-test-pypi-${{ github.ref }}
cancel-in-progress: true

🤖 Generated by Astra

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants