ci: Migrate release workflow to Trusted Publishing (#517)

birdcar · gjtorikian · web-flow · commit bf23a308a257 · 2026-01-21T15:41:38.000-05:00
* ci: Migrate release workflow to Trusted Publishing

- Replace Twine/token-based auth with PyPI Trusted Publishing
- Add smoke tests to verify wheel and sdist before publishing
- Run smoke tests against all supported Python versions (3.8-3.14)
- Use matrix strategy for parallel testing across versions
- Use uv publish for streamlined publishing

Workflow structure:
1. build: Create wheel and sdist artifacts
2. smoke-test: Test on Python 3.8-3.14 in parallel
3. publish: Upload to PyPI after all tests pass

Smoke tests verify:
- Package imports correctly
- Both sync/async clients instantiate
- All module properties accessible
- Core types and exceptions importable
- Dependencies properly bundled
- py.typed marker present

* chore: ignore unused import lint errors in smoke test

* ci: configure explicit Python version for smoke tests

Pass python-version to setup-uv action to ensure the correct
Python version is installed before running smoke tests. Enable
cache-python to speed up subsequent workflow runs.

* automate release flow

---------

Co-authored-by: Garen J. Torikian &lt;gjtorikian@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -39,3 +39,26 @@ jobs:
 
       - name: Test
         run: uv run pytest
+
+  smoke-test:
+    name: Smoke test (Python ${{ matrix.python }})
+    if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'version-bump')
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: astral-sh/setup-uv@v7
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Build
+        run: uv build
+
+      - name: Smoke test (wheel)
+        run: uv run --isolated --no-project --with dist/*.whl tests/smoke_test.py
+
+      - name: Smoke test (sdist)
+        run: uv run --isolated --no-project --with dist/*.tar.gz tests/smoke_test.py
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,36 +1,61 @@
 name: Release
 
 on:
-  # Support manually pushing a new release
-  workflow_dispatch: {}
-  # Trigger when a release or pre-release is published
-  release:
-    types: [published]
+  pull_request:
+    types: [closed]
+    branches: [main]
 
 defaults:
   run:
     shell: bash
 
 jobs:
-  pypi:
+  create-release:
+    name: Create GitHub Release
+    if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'version-bump')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.WORKOS_BOT_APP_ID }}
+          private-key: ${{ secrets.WORKOS_BOT_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Get version from pyproject.toml
+        id: get-version
+        run: |
+          VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.get-version.outputs.version }}
+          name: v${{ steps.get-version.outputs.version }}
+          generate_release_notes: true
+          token: ${{ steps.generate-token.outputs.token }}
+
+  publish:
     name: Publish to PyPI
+    needs: create-release
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Install uv
         uses: astral-sh/setup-uv@v6
-      - name: Install dependencies
-        run: uv sync --locked
-      - name: Test
-        run: uv run pytest
       - name: Build
         run: uv build
       - name: Publish
-        env:
-          TWINE_NON_INTERACTIVE: true
-          TWINE_USERNAME: "__token__"
-          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
-        run: uvx twine upload dist/* --skip-existing
+        run: uv publish
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
@@ -0,0 +1,86 @@
+name: Version Bump
+
+on:
+  workflow_dispatch:
+    inputs:
+      bump_type:
+        description: "Version bump type"
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+jobs:
+  bump-version:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.WORKOS_BOT_APP_ID }}
+          private-key: ${{ secrets.WORKOS_BOT_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Configure Git
+        run: |
+          git config user.name "workos-bot[bot]"
+          git config user.email "workos-bot[bot]@users.noreply.github.com"
+
+      - name: Read current version
+        id: current-version
+        run: |
+          CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
+          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Bump version
+        id: bump-version
+        run: |
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT_VERSION"
+
+          case "${{ github.event.inputs.bump_type }}" in
+            major)
+              NEW_VERSION="$((MAJOR + 1)).0.0"
+              ;;
+            minor)
+              NEW_VERSION="$MAJOR.$((MINOR + 1)).0"
+              ;;
+            patch)
+              NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
+              ;;
+          esac
+
+          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Update version in pyproject.toml
+        run: |
+          sed -i 's/^version = ".*"/version = "${{ steps.bump-version.outputs.new_version }}"/' pyproject.toml
+
+      - name: Update uv.lock
+        run: uv lock
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          commit-message: "v${{ steps.bump-version.outputs.new_version }}"
+          title: "v${{ steps.bump-version.outputs.new_version }}"
+          body: |
+            Bumps version from ${{ steps.current-version.outputs.version }} to ${{ steps.bump-version.outputs.new_version }}.
+
+            This PR was automatically created by the version-bump workflow.
+          branch: version-bump-${{ steps.bump-version.outputs.new_version }}
+          labels: version-bump
diff --git a/tests/smoke_test.py b/tests/smoke_test.py
