
Update the deploy CI to maximize safety/intent matching #162

Closed
C-Achard wants to merge 3 commits into main from cy/fix-ci-deploy-tag-safer


Conversation

@C-Achard C-Achard (Collaborator) commented Feb 16, 2026

Summary

This PR refines the PyPI release workflow to make the release contract more explicit and more deterministic.

The workflow is now:

  • Triggered only by version tags
  • Explicitly tied to the code snapshot being released
  • Guarded by a check that ensures the tag version matches the package version

What changed

  • Restrict the release workflow to run only on v* tags
    • This was relaxed to allow for rc/post tags.
  • Verify that the pushed tag matches the package version before publishing
  • Add a concurrency guard to avoid overlapping release jobs
  • Keep the workflow minimal and backportable
  • Made some parts slightly more concise

Impact

Future releases continue to work as before, with clearer guarantees around intent and provenance.

Refactor GitHub Actions workflow for PyPI releases: remove pull_request triggers, and add a checkout step. Simplify dependency installs (install build/twine/packaging together), drop pip cache, and move checkout. Add steps to install the package, verify the git tag matches the package version (using importlib.metadata), separate build and publish steps, and streamline the twine upload command. Also tidy output of built artifacts.
Relax tag matching for releases from 'v*.*.*' to 'v*' so post/rc tags are allowed while relying on the existing version check to validate tags. Add a concurrency group (pypi-release-${{ github.ref }}) and set cancel-in-progress: false to better control parallel release runs. Also streamline the twine upload step to a single-line command.
@C-Achard C-Achard self-assigned this Feb 16, 2026
@C-Achard C-Achard added bug Something isn't working enhancement New feature or request labels Feb 16, 2026
@C-Achard C-Achard requested a review from deruyter92 February 16, 2026 15:38
@deruyter92 deruyter92 (Collaborator) left a comment

Great catch and absolutely good idea to fix this! See one comment below, but LGTM

Build distributions earlier in the GitHub Actions workflow and install the generated wheel (pip install dist/*.whl) for the version check instead of running pip install .; remove the duplicate build step. This ensures the tag vs package version verification uses the exact built artifact that will be published.
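The tag-versus-package check that the PR description and the commit messages above rely on (install the built wheel, then compare the pushed tag against what importlib.metadata reports) is illustrated here as an added example; it is not the project's own workflow code. Assumptions: the distribution name is passed as the first argument, the tag is read from GITHUB_REF_NAME (or passed as the second argument), and the wheel has already been installed, so importlib.metadata describes the exact artifact that will be published. The canonicaliser is a stdlib-only stand-in for packaging.version so that rc/post/dev tags, which the relaxed `v*` trigger now admits, are compared on meaning rather than on raw string equality (e.g. `v1.2.0-RC1` and `1.2.0rc1` match, `v1.2.0rc1` and `1.2.0` do not).

```python
"""Verify that the pushed git tag matches the installed package version.

Added example, not the project's own workflow code. Assumptions:
  * the distribution name is argv[1],
  * the tag comes from GITHUB_REF_NAME or argv[2],
  * the package was installed from the freshly built wheel, so
    importlib.metadata reports the version of the artifact to be published.
The canonicaliser below is a stdlib-only stand-in for packaging.version.
"""
import os
import re
import sys
from importlib import metadata

# Minimal PEP 440-style grammar: release, optional pre/post/dev segments.
_VERSION_RE = re.compile(
    r"""^
    (?P<release>\d+(?:\.\d+)*)
    (?:[-_.]?(?P<pre_l>a|b|c|rc|alpha|beta|pre|preview)[-_.]?(?P<pre_n>\d*))?
    (?:[-_.]?(?P<post_l>post|rev|r)[-_.]?(?P<post_n>\d*)|-(?P<post_n2>\d+))?
    (?:[-_.]?(?P<dev_l>dev)[-_.]?(?P<dev_n>\d*))?
    $""",
    re.VERBOSE,
)

# Spellings that PEP 440 treats as equivalent pre-release labels.
_PRE_ALIASES = {"alpha": "a", "beta": "b", "c": "rc", "pre": "rc", "preview": "rc"}


def canonical_version(text):
    """Return a comparable tuple (release, pre, post, dev) for a version string.

    Accepts an optional leading 'v'. Raises ValueError for strings that do not
    look like a version at all.
    """
    v = text.strip().lower()
    if v.startswith("v"):
        v = v[1:]
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"not a recognisable version: {text!r}")
    release = [int(x) for x in m["release"].split(".")]
    while len(release) > 1 and release[-1] == 0:  # 1.2.0 is the same release as 1.2
        release.pop()
    pre = None
    if m["pre_l"]:
        pre = (_PRE_ALIASES.get(m["pre_l"], m["pre_l"]), int(m["pre_n"] or 0))
    post = None
    if m["post_l"] or m["post_n2"]:
        post = int(m["post_n"] or m["post_n2"] or 0)
    dev = None
    if m["dev_l"]:
        dev = int(m["dev_n"] or 0)
    return (tuple(release), pre, post, dev)


def tag_matches_version(tag, package_version):
    """True only for a v-prefixed tag whose version equals package_version."""
    name = tag.strip()
    if name.startswith("refs/tags/"):  # accept the full GITHUB_REF form too
        name = name[len("refs/tags/"):]
    if not name.startswith("v"):  # the release workflow only fires on v* tags
        return False
    try:
        return canonical_version(name) == canonical_version(package_version)
    except ValueError:  # a malformed tag must never pass the gate
        return False


def main(argv):
    if len(argv) < 2:
        print("usage: check_tag.py DISTRIBUTION_NAME [TAG]", file=sys.stderr)
        return 2
    tag = argv[2] if len(argv) > 2 else os.environ.get("GITHUB_REF_NAME", "")
    installed = metadata.version(argv[1])  # version of the wheel that was installed
    if tag_matches_version(tag, installed):
        print(f"OK: tag {tag} matches package version {installed}")
        return 0
    print(f"MISMATCH: tag {tag!r} vs package version {installed!r}", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would run as a step after `pip install dist/*.whl` and before the publish step, so a non-zero exit stops the upload; because the version is read from the installed wheel rather than from the source tree, the check covers the artifact itself and not just the checked-out commit.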
@MMathisLab (Member) commented:

I think it is working as I intended it, and matches other pipelines I use, so I would prefer to keep it as is please.

@MMathisLab MMathisLab self-requested a review February 16, 2026 16:56
@MMathisLab MMathisLab closed this Feb 16, 2026