ci(server): publish agent-control-server to PyPI#210
ci(server): publish agent-control-server to PyPI#210abhinav-galileo wants to merge 3 commits intomainfrom
Conversation
Adds a publish-server job to the release workflow so the server wheel (staged at release-dists/server/dist/) is pushed to PyPI alongside models, evaluators, and the SDK. Slots between publish-evaluators and publish-sdk to preserve dependency-correct ordering (server depends on evaluators at runtime).
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
abhinav-galileo
changed the title
| permissions: | ||
| id-token: write | ||
|
|
||
| steps: |
There was a problem hiding this comment.
135-145:
This downloads the single release-dists artifact into the workspace root, then publishes from release-dists/server/dist/. Because the artifact was uploaded from release-dists/, its contents are rooted under server/dist after a direct download to ., so the publish step will likely look in a non-existent directory. Download to path: release-dists or change packages-dir to server/dist/.
There was a problem hiding this comment.
Fixed in 62d6b4e. I changed the download step to use path: release-dists for all publish/release-asset jobs, so the artifact is extracted under release-dists/ and packages-dir: release-dists/server/dist/ resolves consistently.
I kept the existing release-dists/<package>/dist/ publish paths rather than switching only the server job to server/dist/, so all publish jobs use the same layout.
| always() && | ||
| needs.release.outputs.released == 'true' && | ||
| needs.publish-evaluators.result == 'success' | ||
| permissions: |
There was a problem hiding this comment.
PyPA’s trusted publishing flow requires id-token: write and no explicit username/password, so the current mix grants extra permission while still depending on PYPI_API_TOKEN.
There was a problem hiding this comment.
Good point. This workflow is using PyPI token auth today, so id-token: write is unused unless we move to trusted publishing.
I left it unchanged here because the existing publish-models, publish-evaluators, and publish-sdk jobs already use the same pattern: id-token: write plus user: __token__ / PYPI_API_TOKEN. For this PR I want the new server publish job to mirror the existing release jobs rather than make one publish job differ from the rest.
I think the right follow-up is to clean this up consistently across all PyPI publish jobs: either remove id-token: write everywhere while staying on token auth, or migrate all packages to PyPI trusted publishing and remove the explicit username/password.
|
Why do we need to publish this to pypi? |
3 participants
Summary
The release workflow stages `server/dist/` and uploads it to GitHub release assets, but does not currently push the server wheel to PyPI. Models, evaluators, and the SDK are published; the server is not.
This change adds a `publish-server` job between `publish-evaluators` and `publish-sdk`, matching the pattern of the other publish jobs.
Scope
Risk and Rollout
Testing