Skip to content

ci: dedup PyPI publish trigger and bump actions to Node 24#31

Merged
hampsterx merged 1 commit into
masterfrom
ci/workflows-node24-publish-dedup
Jul 1, 2026
Merged

ci: dedup PyPI publish trigger and bump actions to Node 24#31
hampsterx merged 1 commit into
masterfrom
ci/workflows-node24-publish-dedup

Conversation

@hampsterx

@hampsterx hampsterx commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Fix every GitHub Release showing a failed Build and Publish to PyPI run. The workflow fired on both push: tags and release: published; a published Release creates the tag, so both triggers launched a publish job, they raced, and the loser failed with 400 File already exists. Drop the release trigger and keep push: tags (a published Release still creates the tag, and bare tag pushes like 1.4.1 keep working), plus add skip-existing: true as a re-run guard.
  • Clear the Node 20 runtime deprecation warnings across all three workflows by bumping each action to its first Node 24 major: checkout v5, setup-python v6, cache v6, upload-artifact v6, download-artifact v7.
  • Update codecov-action v3 → v5 with its breaking input rename file:files: (v5 is a composite action, no Node runtime).
  • Simplify the publish-test (TestPyPI) job to manual, non-tag workflow_dispatch only, removing a dead branch-push clause and preventing a manual dispatch on a tag ref from publishing to both PyPI and TestPyPI.
  • Harden every actions/checkout step with persist-credentials: false so no writable git token is left on disk. None of these jobs push (the CI black-format step commits locally only), so nothing relies on the persisted credential.

Review

Internal: 1 auto-fixed (dead TestPyPI clause). External (Codex + Kimi-agentic): 1 applied (dispatch-on-tag double-publish guard), no blocking issues. CodeRabbit: 3 persist-credentials nitpicks, all applied.

Changes

 .github/workflows/ci.yml      | 18 +++++++++++-------
 .github/workflows/publish.yml | 34 ++++++++++++++++++----------------
 .github/workflows/test.yml    |  6 ++++--
 3 files changed, 33 insertions(+), 25 deletions(-)

Test plan

  • All three workflow YAMLs parse (yaml.safe_load)
  • Every bumped action confirmed node24 (or composite) via its action.yml runs.using
  • All pinned tags exist on the upstream action repos
  • Full CI matrix (Build + Test 3.9–3.12 on both workflows) green on the Node 24 actions
  • Next tagged release produces exactly one publish run (no duplicate 400)

Backwards compatibility

No package or API changes. CI/release infrastructure only. Existing release flow is unchanged for maintainers: publishing a GitHub Release (or pushing a version tag) still publishes to PyPI, now via a single run instead of a racing pair.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 33 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f5b421bf-149b-4d20-9dd4-7301841b929e

📥 Commits

Reviewing files that changed from the base of the PR and between 9e8970a and 8547ff2.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/publish.yml
  • .github/workflows/test.yml

Walkthrough

GitHub Actions workflows (ci.yml, publish.yml, test.yml) are updated to use newer major versions of checkout, setup-python, cache, codecov, upload-artifact, and download-artifact actions. The publish workflow's triggers and job conditions are restricted to version tag pushes and manual dispatch, with skip-existing added for PyPI publishing.

Changes

CI/CD Workflow Upgrades

Layer / File(s) Summary
CI and test workflow action upgrades
.github/workflows/ci.yml, .github/workflows/test.yml
Checkout, setup-python, cache, and codecov actions are bumped to newer major versions across CI and test jobs; codecov input field renamed from file to files.
Publish workflow setup and build upgrades
.github/workflows/publish.yml
Test and build job steps in publish.yml adopt the same newer checkout/setup-python/codecov versions, plus upload-artifact bumped to v6.
Publish trigger and job condition changes
.github/workflows/publish.yml
Publish triggers restricted to tag pushes and manual dispatch (removing release event), PyPI job gated on tag refs with skip-existing: true, TestPyPI job restricted to manual non-tag dispatch, and download-artifact bumped to v7.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
    participant Trigger as Push/Dispatch
    participant Publish as Publish Workflow
    participant Build as Build Job
    participant PyPI as PyPI Publish
    participant TestPyPI as TestPyPI Publish

    Trigger->>Publish: push tag / workflow_dispatch
    Publish->>Build: run checkout, setup, tests, build
    Build->>Publish: upload artifact
    alt ref starts with refs/tags/
        Publish->>PyPI: download artifact, publish (skip-existing)
    else manual non-tag dispatch
        Publish->>TestPyPI: download artifact, publish
    end
Loading

Estimated code review effort: 2 (Simple) | ~10 minutes

Poem

A rabbit hops through YAML fields so neat,
Upgrading actions, v3 to v6 — a treat!
Tags now guide where packages go,
Skip-existing saves a re-run woe.
Hop, hop, ship it — CI's aglow! 🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main workflow changes: deduplicating PyPI publish triggers and upgrading actions for Node 24 compatibility.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/workflows-node24-publish-dedup

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • LINEAR integration encountered authorization issues. Please disconnect and reconnect the integration in the CodeRabbit UI.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
.github/workflows/publish.yml (1)

18-18: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add persist-credentials: false to both checkout steps.

Same artipacked flag as in ci.yml/test.yml. This job additionally does a full-history checkout (fetch-depth: 0), so the persisted credential window covers more of the job.

Also applies to: 53-55

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml at line 18, The checkout steps in this
workflow are still persisting credentials; update both uses of actions/checkout
in the publish job to set persist-credentials to false, matching the ci.yml and
test.yml pattern. Apply this to both checkout entries in the job, including the
full-history checkout that uses fetch-depth: 0, so the credentials are not left
available for the rest of the workflow.

Source: Linters/SAST tools

.github/workflows/ci.yml (1)

18-18: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider persist-credentials: false on checkout steps.

Both checkout steps (test job and build job) rely on default credential persistence. Static analysis flags this as artipacked; a compromised transitive dependency pulled in by the subsequent pip install -e . step could read the persisted git token from disk. Neither job appears to need push/write access here.

🔒 Suggested fix
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false

Apply the same change to the build job's checkout (Line 81).

Also applies to: 81-81

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 18, Add persist-credentials: false to both
actions/checkout@v5 steps in the CI workflow so the jobs do not leave a writable
git token on disk. Update the checkout used in the test job and the matching
checkout in the build job, since neither job needs repo write access and the
later pip install -e . step should not be able to read persisted credentials.

Source: Linters/SAST tools

.github/workflows/test.yml (1)

17-17: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Same persist-credentials hardening applies here.

See the equivalent comment in ci.yml — add persist-credentials: false to this checkout step as well.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml at line 17, The checkout step in the workflow
still uses the default persisted Git credentials, so harden this
`actions/checkout` usage by setting `persist-credentials: false` on the same
step. Update the checkout configuration in this workflow to match the hardened
pattern used elsewhere, keeping the change localized to the `actions/checkout`
entry.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 18: Add persist-credentials: false to both actions/checkout@v5 steps in
the CI workflow so the jobs do not leave a writable git token on disk. Update
the checkout used in the test job and the matching checkout in the build job,
since neither job needs repo write access and the later pip install -e . step
should not be able to read persisted credentials.

In @.github/workflows/publish.yml:
- Line 18: The checkout steps in this workflow are still persisting credentials;
update both uses of actions/checkout in the publish job to set
persist-credentials to false, matching the ci.yml and test.yml pattern. Apply
this to both checkout entries in the job, including the full-history checkout
that uses fetch-depth: 0, so the credentials are not left available for the rest
of the workflow.

In @.github/workflows/test.yml:
- Line 17: The checkout step in the workflow still uses the default persisted
Git credentials, so harden this `actions/checkout` usage by setting
`persist-credentials: false` on the same step. Update the checkout configuration
in this workflow to match the hardened pattern used elsewhere, keeping the
change localized to the `actions/checkout` entry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f75620ed-c442-4e89-811b-f92654ac3604

📥 Commits

Reviewing files that changed from the base of the PR and between b9e7687 and 9e8970a.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/publish.yml
  • .github/workflows/test.yml

- Fix every GitHub Release showing a failed "Build and Publish to PyPI" run:
  the workflow fired on both `push: tags` and `release: published`, so two
  publish jobs raced and the loser hit `400 File already exists`. Drop the
  `release` trigger (a published Release still creates the tag, so `push: tags`
  covers both the Release and bare-tag flows) and add `skip-existing: true` as
  a re-run guard.
- Clear the Node 20 runtime deprecation warnings across all three workflows by
  bumping each action to its first Node 24 major: checkout v5, setup-python v6,
  cache v6, upload-artifact v6, download-artifact v7.
- Update codecov-action v3 to v5 with its breaking input rename `file:` to
  `files:` (v5 is a composite action, no Node runtime).
- Restrict the TestPyPI job to manual non-tag dispatch only, and set
  `persist-credentials: false` on every checkout so no writable git token is
  left on disk (none of these jobs push).
@hampsterx hampsterx force-pushed the ci/workflows-node24-publish-dedup branch from 9e8970a to 8547ff2 Compare July 1, 2026 22:16
@hampsterx

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@hampsterx hampsterx merged commit 19cb0d1 into master Jul 1, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant