From 604ea58f53d27adb55efc0e2a697f8d85d884ba5 Mon Sep 17 00:00:00 2001 From: Catarina Paralta Date: Fri, 9 Jan 2026 13:54:22 +0000 Subject: [PATCH 1/2] chore: remove NODE_AUTH_TOKEN from SDK release tasks and update workflow permissions Signed-off-by: Catarina Paralta --- .github/workflows/ci.yaml | 1 - .github/workflows/reusable-release-sdk.yaml | 8 +++----- .github/workflows/reusable-release.yaml | 4 ---- Taskfile.yml | 3 --- sdk/dir-js/.npmrc | 1 - 5 files changed, 3 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 94abf5e45..4923361c9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -143,7 +143,6 @@ jobs: release_tag: ${{ github.ref_name }} secrets: PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} - NPMJS_TOKEN: ${{ secrets.NPMJS_TOKEN }} integration: name: Run integration tests diff --git a/.github/workflows/reusable-release-sdk.yaml b/.github/workflows/reusable-release-sdk.yaml index 25b5f88fd..7876f586e 100644 --- a/.github/workflows/reusable-release-sdk.yaml +++ b/.github/workflows/reusable-release-sdk.yaml @@ -32,9 +32,6 @@ on: PYPI_API_TOKEN: description: "PyPI API token for publishing Python SDK" required: true - NPMJS_TOKEN: - description: "NPM.js token for publishing JavaScript SDK" - required: true permissions: contents: read @@ -73,6 +70,9 @@ jobs: name: JavaScript if: ${{ inputs.javascript-release == true || inputs.javascript-release == 'true' }} runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # Required for npm OIDC trusted publishing steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -101,7 +101,5 @@ jobs: task sdk:build:javascript - name: Publish the Javascript SDK - env: - NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }} run: | task sdk:release:javascript diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index eff5e4e2a..744d06732 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -18,9 +18,6 @@ on: PYPI_API_TOKEN: description: "PyPI API token for publishing Python SDK" required: true - NPMJS_TOKEN: - description: "NPM.js token for publishing JavaScript SDK" - required: true jobs: image: @@ -77,7 +74,6 @@ jobs: python-release: true secrets: PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} - NPMJS_TOKEN: ${{ secrets.NPMJS_TOKEN }} release: name: Release diff --git a/Taskfile.yml b/Taskfile.yml index a371cc8a0..fae9a4f5a 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -417,7 +417,6 @@ tasks: desc: Release all client SDK package env: UV_PUBLISH_TOKEN: "{{ .UV_PUBLISH_TOKEN }}" - NODE_AUTH_TOKEN: "{{ .NODE_AUTH_TOKEN }}" cmds: - task: sdk:release:javascript - task: sdk:release:python @@ -437,8 +436,6 @@ tasks: ignore_error: true # FIXME: Need to check if package version already exists desc: Release javascript client SDK package dir: ./sdk/dir-js - env: - NODE_AUTH_TOKEN: "{{ .NODE_AUTH_TOKEN }}" cmd: | version=$(npm pkg get version) diff --git a/sdk/dir-js/.npmrc b/sdk/dir-js/.npmrc index 3bd5c96a6..9378daca3 100644 --- a/sdk/dir-js/.npmrc +++ b/sdk/dir-js/.npmrc @@ -1,3 +1,2 @@ -//registry.npmjs.org/:_auth=$NODE_AUTH_TOKEN @agntcy:registry=https://registry.npmjs.org/ @buf:registry=https://buf.build/gen/npm/v1/ From 77c0cc641015fbb58474ef65ae883e9a45564598 Mon Sep 17 00:00:00 2001 From: Catarina Paralta Date: Fri, 9 Jan 2026 14:14:29 +0000 Subject: [PATCH 2/2] docs: update RELEASE.md to include manual SDK package publishing steps and clean up workflow configurations Signed-off-by: Catarina Paralta --- .github/workflows/ci.yaml | 2 -- .github/workflows/reusable-release-sdk.yaml | 24 +++------------------ .github/workflows/reusable-release.yaml | 14 ------------ RELEASE.md | 18 +++++++++++++++- Taskfile.yml | 2 -- 5 files changed, 20 insertions(+), 40 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4923361c9..531482173 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -141,8 +141,6 @@ jobs: with: image_repo: ghcr.io/agntcy release_tag: ${{ github.ref_name }} - secrets: - PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} integration: name: Run integration tests diff --git a/.github/workflows/reusable-release-sdk.yaml b/.github/workflows/reusable-release-sdk.yaml index 7876f586e..35d56ef63 100644 --- a/.github/workflows/reusable-release-sdk.yaml +++ b/.github/workflows/reusable-release-sdk.yaml @@ -16,30 +16,15 @@ on: type: boolean description: "Make a python SDK release." default: false - workflow_call: - inputs: - javascript-release: - required: false - type: boolean - description: "Make a javascript SDK release." - default: false - python-release: - required: false - type: boolean - description: "Make a python SDK release." - default: false - secrets: - PYPI_API_TOKEN: - description: "PyPI API token for publishing Python SDK" - required: true permissions: contents: read + id-token: write # Required for npm OIDC trusted publishing jobs: python: name: Python - if: ${{ inputs.python-release == true || inputs.python-release == 'true' }} + if: ${{ inputs.python-release }} runs-on: ubuntu-latest steps: - name: Checkout code @@ -68,11 +53,8 @@ jobs: javascript: name: JavaScript - if: ${{ inputs.javascript-release == true || inputs.javascript-release == 'true' }} + if: ${{ inputs.javascript-release }} runs-on: ubuntu-latest - permissions: - contents: read - id-token: write # Required for npm OIDC trusted publishing steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index 744d06732..ffd69544c 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -14,10 +14,6 @@ on: required: true type: string description: "Release tag for all components." - secrets: - PYPI_API_TOKEN: - description: "PyPI API token for publishing Python SDK" - required: true jobs: image: @@ -66,22 +62,12 @@ jobs: path: bin if-no-files-found: error - sdk: - name: SDK - uses: ./.github/workflows/reusable-release-sdk.yaml - with: - javascript-release: true - python-release: true - secrets: - PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} - release: name: Release needs: - image - chart - cli - - sdk runs-on: ubuntu-latest outputs: upload_url: ${{ steps.create_release.outputs.upload_url }} diff --git a/RELEASE.md b/RELEASE.md index 5b1b24fe2..6e5def0f4 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -31,7 +31,23 @@ git push origin v1.0.0 Please note that the release tag is not necessarily associated with the "release: prepare version v1.0.0" commit. For example, if any bug fixes were required after this commit, they can be merged and included in the release. -## 3. Publish release +## 3. Publish SDK packages (Manual) + +SDK packages (JavaScript and Python) are **not** automatically published during the release workflow. Before publishing the GitHub release, you must manually trigger the SDK release workflow. + +1. Navigate to [Actions > Release SDK](https://github.com/agntcy/dir/actions/workflows/reusable-release-sdk.yaml) + +2. Click **Run workflow** + +3. In the **Use workflow from** dropdown, select the release tag (e.g., `v1.0.0`) + +4. Select the options: + - **Make a javascript SDK release**: Check to publish to npm + - **Make a python SDK release**: Check to publish to PyPI + +5. Click **Run workflow** to start the release + +## 4. Publish release * Wait until the release workflow is completed successfully. diff --git a/Taskfile.yml b/Taskfile.yml index fae9a4f5a..b10118d65 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -422,7 +422,6 @@ tasks: - task: sdk:release:python sdk:release:python: - ignore_error: true # FIXME: Need to check if package version already exists desc: Release python client SDK package dir: ./sdk/dir-py env: @@ -433,7 +432,6 @@ tasks: - "{{.UV_BIN}} publish" sdk:release:javascript: - ignore_error: true # FIXME: Need to check if package version already exists desc: Release javascript client SDK package dir: ./sdk/dir-js cmd: |