ci: auto-publish to PyPI on main push (OIDC trusted publishing)#189
Merged
mnemon was the fleet outlier still publishing via the manual scripts/promote_stable.sh pipeline, which left rc7 (and historically other rcs) on main but unpublished.

Add publish.yml mirroring alpha-engine-lib / morning-signal: build sdist+wheel + twine check, then publish via OIDC trusted publishing on every push to main, idempotent via skip-existing so no-version-bump merges are a clean no-op.

promote_stable.sh stays for manual/stable releases + recovery; workflow_dispatch covers the one-time pending-trusted-publisher bootstrap and failed-first-attempt reruns.

Requires a one-time PyPI-side step (operator): add a trusted publisher to the mnemon-memory project (owner=cipher813, repo=mnemon, workflow=publish.yml, environment=pypi) before the first run can publish.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Why

You asked why mnemon doesn't just auto-publish on merge like the rest of the fleet. No good reason — it was the outlier.

`alpha-engine-lib` and `morning-signal` both auto-publish on main-push via OIDC trusted publishing; mnemon kept a manual `scripts/promote_stable.sh` pipeline, which is how rc7 (and historically other rcs) ended up sitting on `main` while PyPI lagged.

What

- `publish.yml` mirroring the two existing fleet workflows exactly:
  - `python -m build` (sdist + wheel) + `twine check`.
  - `pypa/gh-action-pypi-publish` via OIDC trusted publishing (`id-token: write`, `environment: pypi`, no API-token secret), `skip-existing: true`.
  - `push: branches: [main]` (the merge itself) + `workflow_dispatch` for manual/recovery.
- A version bump auto-publishes on merge; an unchanged version is a clean no-op (skip-existing).
- `promote_stable.sh` stays for manual/stable releases and recovery.

Tradeoff (called out)

The manual pipeline had a `testpypi` pre-flight + layer3 tool-exercise smoke that auto-on-main drops. CI already gates every merge on the full suite (1012 tests), so this is a modest loss and matches the fleet convention. `promote_stable.sh` remains for when the full gated flow is wanted (stable releases).

OIDC trusted publishing needs a trusted publisher configured on PyPI (account-side, only you can do it). On pypi.org → `mnemon-memory` → Settings → Publishing → Add a trusted publisher: `cipher813` · Repository: `mnemon` · Workflow: `publish.yml` · Environment: `pypi`. Until that's added, the build job passes but the publish job will fail auth on the first run. After adding it, re-run via `workflow_dispatch` (or it fires on the next main push). The first successful run will publish the current version — rc7 (currently on `main`, not yet on PyPI).

Note

mnemon's `pyproject.toml` `description` is 54 chars — well under PyPI's 512-char core-metadata cap (the gotcha that bit alpha-engine-lib), so no guard needed here.

🤖 Generated with Claude Code