ci: automate release pipeline (draft release, PyPI trigger, e2e skip fixes) #416
Open
jacalata wants to merge 10 commits into
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- release-on-merge.yml: on push to main, auto-computes next patch version, pushes the git tag (which triggers package.yml to build binaries), and creates a draft GitHub release with auto-generated notes for human review before publishing
- publish-pypi.yml: add release:published trigger so clicking "Publish release" in GitHub UI automatically uploads to PyPI; fix is_draft conditionals to work when triggered without inputs
- run-e2-tests.yml: add workflow_call interface (inputs + secrets) so the e2e suite can be called from other workflows; move credentials to env vars to avoid shell injection
- online_tests.py: set site_admin=False to match actual account permissions; add skip guard on test_delete_extract (requires extract encryption, not available on this site)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Binaries are now uploaded to the draft release created by release-on-merge.yml without auto-publishing it. Release stays draft until manually published, which then triggers PyPI upload.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- publish-pypi.yml: remove dead `push: tags: 'pypi'` trigger (secret publish path bypassing the draft-release gate); make publish conditionals explicit using github.event_name so the trigger surface is unambiguous rather than relying on null coercion
- release-on-merge.yml: filter tags to strict semver regex before sorting (prevents arithmetic failure on malformed tags); fail loudly if no prior tag exists instead of silently defaulting to v2.0.1; align checkout to actions/checkout@v7
- online_tests.py: suppress argv printing when login args (including PAT token) are present, preventing credential leak in CI logs
Tracking: tableau#417 (PyPI trusted publishing / OIDC)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
MishaKav/pytest-coverage-comment@main updated and now fails with permission denied on fork PRs (GITHUB_TOKEN is read-only for pull_request events from forks). Coverage is still collected and reported; only the PR comment step fails. Mark it continue-on-error so CI stays green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously server_admin/site_admin/project_admin/extract_encryption_enabled were hardcoded in online_tests.py. Now they are read from env vars (E2E_SITE_ADMIN, E2E_SERVER_ADMIN, E2E_PROJECT_ADMIN, E2E_EXTRACT_ENCRYPTION) so callers can enable the relevant test groups for their account permissions.
- workflow_dispatch: adds optional boolean choice inputs for each flag
- workflow_call: adds optional boolean inputs (default false)
- online_tests.py: reads flags from env via _env_bool(), defaults unchanged
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously get_login_args() raised AttributeError when credentials.py
was not present (ImportError silently set credentials = {}). Now returns
None and _test_command skips with a clear message instead of crashing.
Also removes redundant second call to get_login_args() in _test_command.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Automates the release pipeline by creating a draft GitHub Release and tag on merges to main, publishing to PyPI on “Release published”, and improving e2e workflow reusability/skip behavior.
Changes:
- Added `release-on-merge.yml` to auto-tag and create a draft release on pushes to `main`.
- Updated PyPI publishing to trigger on GitHub Release publication (and removed the literal `pypi` tag trigger).
- Extended e2e workflow inputs and adjusted e2e test code to use env-configured permission flags and skip more gracefully.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/e2e/setup_e2e.py | Makes get_login_args() return None when credentials.py is absent (but needs env fallback to keep CI e2e running). |
| tests/e2e/online_tests.py | Reads permission flags from env and skips gracefully when credentials are unavailable; avoids printing argv when login args include sensitive values. |
| .github/workflows/run-tests.yml | Bumps actions/checkout major version. |
| .github/workflows/run-e2-tests.yml | Adds workflow_call and typed inputs/secrets; passes creds/flags via env; bumps actions/checkout major version. |
| .github/workflows/release-on-merge.yml | New workflow to compute next patch tag, push it, and create a draft GitHub release with generated notes. |
| .github/workflows/publish-pypi.yml | Switches publishing trigger to release: published, removes push: tags: pypi, and tightens publish conditionals; bumps actions/checkout major version. |
| .github/workflows/package.yml | Removes promote: true, bumps actions/checkout major version, and bumps actions/upload-artifact major version. |
| .github/workflows/generate-metadata.yml | Bumps actions/checkout major version. |
| .github/workflows/codeql-analysis.yml | Bumps actions/checkout major version. |
| .github/workflows/check-coverage.yml | Bumps actions/checkout major version; makes coverage comment step continue-on-error. |
Comment on lines 51 to 55
| def get_login_args(): | ||
| if not _has_credentials: | ||
| return None | ||
| return [ | ||
| "--server", |
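Review bot: the early `return None` at the top of get_login_args() makes the return value either a list or None, so every caller now has to check for None before using it as an argument list; the commit message covers _test_command, and any other caller should get the same guard. Because run-e2-tests.yml passes credentials through env vars, consider building the login args from the environment when `_has_credentials` is false, so that a CI run without credentials.py exercises the e2e suite instead of skipping it.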
Closes #232
Summary
Automates the release pipeline so that merging to `main` is the only manual step beyond reviewing and publishing a draft.
New file: `release-on-merge.yml`
Triggers on push to `main`. Computes the next patch version from the last strict semver tag (`grep -E '^v[0-9]+.[0-9]+.[0-9]+$'`), pushes the tag (which triggers `package.yml` to build Windows/macOS/Linux binaries and attach them to the release), and creates a draft GitHub release with auto-generated notes. Fails loudly if no prior tag is found rather than silently defaulting to a potentially-colliding version.
Modified: `publish-pypi.yml`
Modified: `run-e2-tests.yml`
Modified: `package.yml`
Modified: `online_tests.py` and `setup_e2e.py`
Modified: `check-coverage.yml`
New release checklist (after this merges)
Security review findings addressed
Test plan
🤖 Generated with Claude Code
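The tag computation described for `release-on-merge.yml`, sketched as an added example (not the workflow's own code): it filters to strict `vMAJOR.MINOR.PATCH` tags with the dots escaped, sorts numerically, bumps the patch component, and refuses to guess when no prior tag exists. The function name `next_patch_tag`, the stricter no-leading-zero pattern, and the sample tags are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads candidate tags on stdin, one per line, and prints the
# next patch tag. In a workflow the input would come from `git tag --list`;
# it is passed in here so the logic can be exercised offline.

next_patch_tag() (
  # Strict filter: "v" plus three dot-separated integers. The dots are escaped
  # so that "." matches only a literal dot, and leading zeros are rejected so
  # that shell arithmetic never sees an octal-looking value such as "08".
  latest=$(grep -E '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$' \
    | sed 's/^v//' \
    | sort -t. -k1,1n -k2,2n -k3,3n \
    | tail -n 1) || true

  # Fail loudly instead of defaulting to a version that might collide.
  if [ -z "$latest" ]; then
    echo "error: no prior vMAJOR.MINOR.PATCH tag found" >&2
    exit 1
  fi

  # Split MAJOR.MINOR.PATCH with parameter expansion (no external tools).
  major=${latest%%.*}
  rest=${latest#*.}
  minor=${rest%%.*}
  patch=${rest#*.}

  echo "v${major}.${minor}.$((patch + 1))"
)

# Constructed sample tags: two valid releases plus malformed or unrelated tags.
# A lexical sort would pick v2.0.9 as "latest" and propose v2.0.10, which
# already exists; the numeric sort picks v2.0.10.
printf '%s\n' v2.0.9 v2.0.10 pypi v2x0x11 v10203 v2.0 v2.0.08 | next_patch_tag
```

The tags `v2x0x11` and `v10203` are in the sample because a pattern with unescaped dots would accept both, which is the malformed-tag case the filter exists to keep out of the arithmetic.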