launchdarkly · edwinokonkwo · Dec 18, 2025 · Dec 17, 2025 · Dec 17, 2025 · Dec 17, 2025
@@ -1,5 +1,5 @@
 name: Build Documentation
-description: 'Build Documentation.'
+description: 'Build Documentation for a package'
 
 runs:
   using: composite

@@ -1,5 +1,9 @@
 name: Build distribution files
-description: 'Build distribution files'
+description: 'Build distribution files for a package'
+inputs:
+  workspace_path:
+    description: 'Path to the package to build.'
+    required: true
 outputs:
   package-hashes:
     description: "base64-encoded sha256 hashes of distribution files"
@@ -10,10 +14,11 @@ runs:
   steps:
     - name: Build distribution files
       shell: bash
-      run: poetry build
+      run: make -C ${{ inputs.workspace_path }} build
+
     - name: Hash build files for provenance
       id: package-hashes
       shell: bash
-      working-directory: ./dist
+      working-directory: ${{ inputs.workspace_path }}/dist
       run: |
         echo "package-hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
@@ -0,0 +1,34 @@
+name: Shared CI Workflow
+description: 'Build, lint, and test a package'
+inputs:
+  workspace_path:
+    description: 'Path to the package to build/test.'
+    required: true
+  python_version:
+    description: 'Python version to use'
+    required: false
+    default: '3.11'
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Python ${{ inputs.python_version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python_version }}
+
+    - name: Install poetry
+      uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+
+    - name: Install Dependencies
+      shell: bash
+      working-directory: ${{ inputs.workspace_path }}
+      run: poetry install
+
+    - name: Lint
+      shell: bash
+      run: make -C ${{ inputs.workspace_path }} lint
+
+    - name: Test
+      shell: bash
+      run: make -C ${{ inputs.workspace_path }} test
@@ -11,35 +11,28 @@ on:
       - '**.md'
 
 jobs:
-  linux:
+  server-ai-linux:
     runs-on: ubuntu-latest
-
     strategy:
       matrix:
         python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
 
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.python-version }}
 
-      - name: Install poetry
-        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+      - uses: ./.github/actions/ci
+        with:
+          workspace_path: packages/sdk/server-ai
+          python_version: ${{ matrix.python-version }}
 
       - uses: ./.github/actions/build
-      - uses: ./.github/actions/build-docs
-
-      - name: Run tests
-        run: make test
+        with:
+          workspace_path: packages/sdk/server-ai
 
-      - name: Verify typehints
-        run: make lint
+      - uses: ./.github/actions/build-docs
 
-  windows:
+  server-ai-windows:
     runs-on: windows-latest
-
     defaults:
       run:
         shell: powershell
@@ -50,6 +43,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
@@ -59,7 +53,8 @@ jobs:
         uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
 
       - name: Install requirements
+        working-directory: packages/sdk/server-ai
         run: poetry install
 
       - name: Run tests
-        run: make test
+        run: make -C packages/sdk/server-ai test
@@ -1,67 +1,200 @@
-name: Run Release Please
+# This workflow handles both automated and manual package publishing:
+#
+# AUTOMATED PUBLISHING (on push to main):
+#   - Triggered automatically when changes are pushed to the main branch
+#   - Uses release-please to create releases based on conventional commits
+#   - Publishes packages to PyPI automatically when release PRs are merged
+#
+# MANUAL PUBLISHING (via workflow_dispatch):
+#   - Can be triggered manually from the Actions tab
+#   - Allows publishing a specific package to PyPI
+#   - Supports dry-run mode
+#
+name: release-please
 
 on:
   push:
-    branches: [ main ]
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      workspace_path:
+        description: 'The workspace to publish'
+        required: true
+        default: 'packages/sdk/server-ai'
+        type: choice
+        options:
+          - packages/sdk/server-ai
+          - packages/ai-providers/server-ai-langchain
+      dry_run:
+        description: 'Is this a dry run. If so no package will be published.'
+        type: boolean
+        required: true
 
 jobs:
-  release-package:
+  release-please:
     runs-on: ubuntu-latest
     permissions:
-      id-token: write # Needed if using OIDC to get release secrets.
-      contents: write # Contents and pull-requests are for release-please to make releases.
-      pull-requests: write
+      contents: write # Needed for release-please to create releases.
+      pull-requests: write # Needed for release-please to create/update PRs.
+    if: github.event_name == 'push'
     outputs:
-      release-created: ${{ steps.release.outputs.release_created }}
-      upload-tag-name: ${{ steps.release.outputs.tag_name }}
-      package-hashes: ${{ steps.build.outputs.package-hashes}}
+      package-server-ai-released: ${{ steps.release.outputs['packages/sdk/server-ai--release_created'] }}
+      package-server-ai-tag-name: ${{ steps.release.outputs['packages/sdk/server-ai--tag_name'] }}
+      package-server-ai-langchain-released: ${{ steps.release.outputs['packages/ai-providers/server-ai-langchain--release_created'] }}
+      package-server-ai-langchain-tag-name: ${{ steps.release.outputs['packages/ai-providers/server-ai-langchain--tag_name'] }}
     steps:
       - uses: googleapis/release-please-action@v4
         id: release
 
+  release-server-ai:
+    runs-on: ubuntu-latest
+    needs: ['release-please']
+    permissions:
+      id-token: write # Needed for OIDC to get release secrets from AWS.
+    if: ${{ needs.release-please.outputs.package-server-ai-released == 'true' }}
+    outputs:
+      package-hashes: ${{ steps.build.outputs.package-hashes }}
+    steps:
       - uses: actions/checkout@v4
-        if: ${{ steps.release.outputs.releases_created == 'true' }}
         with:
-          fetch-depth: 0 # If you only need the current version keep this.
+          fetch-depth: 0
 
       - uses: actions/setup-python@v5
-        if: ${{ steps.release.outputs.releases_created == 'true' }}
         with:
-          python-version: 3.9
+          python-version: '3.11'
 
       - name: Install poetry
-        if: ${{ steps.release.outputs.releases_created == 'true' }}
         uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
 
+      - uses: ./.github/actions/ci
+        with:
+          workspace_path: packages/sdk/server-ai
+
+      - uses: ./.github/actions/build
+        id: build
+        with:
+          workspace_path: packages/sdk/server-ai
+
       - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
-        if: ${{ steps.release.outputs.releases_created == 'true' }}
         name: 'Get PyPI token'
         with:
           aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
           ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
 
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ env.PYPI_AUTH_TOKEN }}
+          packages-dir: packages/sdk/server-ai/dist/
+
+  release-server-ai-langchain:
+    runs-on: ubuntu-latest
+    needs: ['release-please']
+    permissions:
+      id-token: write # Needed for OIDC to get release secrets from AWS.
+    if: ${{ needs.release-please.outputs.package-server-ai-langchain-released == 'true' }}
+    outputs:
+      package-hashes: ${{ steps.build.outputs.package-hashes }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install poetry
+        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+
+      - uses: ./.github/actions/ci
+        with:
+          workspace_path: packages/ai-providers/server-ai-langchain
+
       - uses: ./.github/actions/build
         id: build
-        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        with:
+          workspace_path: packages/ai-providers/server-ai-langchain
 
-      - uses: ./.github/actions/build-docs
-        if: ${{ steps.release.outputs.releases_created == 'true' }}
+      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
+        name: 'Get PyPI token'
+        with:
+          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
+          ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
 
-      - name: Publish package distributions to PyPI
-        if: ${{ steps.release.outputs.releases_created == 'true' }}
-        uses: pypa/gh-action-pypi-publish@release/v1
+      - name: Publish to PyPI
+        # Pin the action to a full 40-character commit SHA for security.
+        # Release v1 commit SHA as of 2024-06-14:
+        # https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13
+        # Commit SHA: 19af04270e8d898ea07a523bb392fa7fe98df87c
+        uses: pypa/gh-action-pypi-publish@19af04270e8d898ea07a523bb392fa7fe98df87c
+        with:
+          password: ${{ env.PYPI_AUTH_TOKEN }}
+          packages-dir: packages/ai-providers/server-ai-langchain/dist/
+
+  manual-publish:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch'
+    permissions:
+      id-token: write # Needed for OIDC to get release secrets from AWS.
+      contents: read # Needed for actions/checkout.
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install poetry
+        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+
+      - uses: ./.github/actions/ci
+        with:
+          workspace_path: ${{ inputs.workspace_path }}
+
+      - uses: ./.github/actions/build
+        id: build
+        with:
+          workspace_path: ${{ inputs.workspace_path }}
+
+      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
+        if: ${{ inputs.dry_run != true }}
+        name: 'Get PyPI token'
+        with:
+          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
+          ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
+
+      - name: Publish to PyPI
+        if: ${{ inputs.dry_run != true }}
+        # https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13 - pinned to commit on 2024-04-13
+        uses: pypa/gh-action-pypi-publish@3cc2c35166dfc1e5ea3bb0491ffdeedcaa50d7c
         with:
-          password: ${{env.PYPI_AUTH_TOKEN}}
+          password: ${{ env.PYPI_AUTH_TOKEN }}
+          packages-dir: ${{ inputs.workspace_path }}/dist/
+
+  release-server-ai-provenance:
+    needs: ['release-please', 'release-server-ai']
+    if: ${{ needs.release-please.outputs.package-server-ai-released == 'true' }}
+    permissions:
+      actions: read # Needed for detecting the GitHub Actions environment.
+      id-token: write # Needed for provenance signing.
+      contents: write # Needed for uploading assets to the release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.release-server-ai.outputs.package-hashes }}"
+      upload-assets: true
+      upload-tag-name: ${{ needs.release-please.outputs.package-server-ai-tag-name }}
 
-  release-provenance:
-    needs: [ 'release-package' ]
-    if: ${{ needs.release-package.outputs.release-created == 'true' }}
+  release-server-ai-langchain-provenance:
+    needs: ['release-please', 'release-server-ai-langchain']
+    if: ${{ needs.release-please.outputs.package-server-ai-langchain-released == 'true' }}
     permissions:
-      actions: read
-      id-token: write
-      contents: write
+      actions: read # Needed for detecting the GitHub Actions environment.
+      id-token: write # Needed for provenance signing.
+      contents: write # Needed for uploading assets to the release.
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
     with:
-      base64-subjects: "${{ needs.release-package.outputs.package-hashes }}"
+      base64-subjects: "${{ needs.release-server-ai-langchain.outputs.package-hashes }}"
       upload-assets: true
-      upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}
+      upload-tag-name: ${{ needs.release-please.outputs.package-server-ai-langchain-tag-name }}
@@ -1,3 +1,4 @@
 {
-  ".": "0.10.1"
+  "packages/sdk/server-ai": "0.10.1",
+  "packages/ai-providers/server-ai-langchain": "0.1.0"
 }