ci(workflows): add PyPI publishing workflow with manual approval #1428
base: develop
Add publish-pypi-approval.yml workflow that triggers after successful builds on version tags. Includes manual approval gate, version validation, PyPI publishing via trusted publishing, draft GitHub release creation, and installation verification.
Pull Request Overview
This PR adds a PyPI publishing workflow that triggers automatically after successful builds on version tags, with manual approval gates for production deployment. The workflow validates versions, publishes to PyPI using trusted publishing, creates draft GitHub releases, and verifies successful publication.
Key changes:
- Automated PyPI publishing triggered by successful build workflows on version tags
- Manual approval environment gate for production deployments
- Post-publish verification testing across Python versions
Codecov Report: All modified and coverable lines are covered by tests.
Looks good, left some comments below. How did you test this? Can you add the commands and output to the PR description?

```yaml
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.13"]
```
Do we need all the versions in-between as well (3.11, 3.12)?
Not really, even one is ok. I am thinking maybe we are better off dropping this last test entirely.
```yaml
      - name: Wait for PyPI to process package
        run: |
          echo "Waiting 120 seconds for PyPI to process the package..."
```
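Review bot: a fixed wait in the "Wait for PyPI to process package" step is fragile in both directions: it burns two minutes when the release is already visible, and it does not fail fast when the release never appears. Prefer a bounded poll of the release endpoint (`https://pypi.org/pypi/<package>/<version>/json`) with a retry interval and an overall deadline, so the step exits non-zero with a clear message on timeout and proceeds as soon as the files are listed. If the sleep stays, keep the echoed duration in sync with the actual `sleep` value.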
Do you have any data on how long this normally takes?
From my limited observation, PyPI seems to process in under 10s, but we use a longer wait to be safe. We can adjust later if needed.
```yaml
          pip install --upgrade pip
          pip install "nemoguardrails==${{ steps.version.outputs.version }}" --no-cache-dir

      - name: Start server in the background
```
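Review bot: `${{ steps.version.outputs.version }}` is expanded directly into the `run:` shell script on the `pip install` line. Even with the validation step described in the PR, the safer pattern is to pass the value through an `env:` entry (for example `VERSION: ${{ steps.version.outputs.version }}`) and reference `"$VERSION"` in the script, so the shell only ever sees a quoted environment variable and not an interpolated expression. The same applies to any later step that reuses this output.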
What's the purpose of this? Is it to validate the artifact we're about to upload to PyPI?
It tests the published version (what was just published). We actually do a similar test in the test-and-build-wheel workflow; I expect it to pass most of the time. We might remove it later.
@tgasser-nv we will see how it works in prod. Testing it is not possible. We could try test.pypi.org, but simulating the complete scenario wouldn't be worth the effort. We can merge and see how it works in action. What do you think?