correct behavior for publishing dev builds to test.pypi. add test dependency to main publish workflow so we are less likely to publish a broken build

tipatterson-dev · tipatterson-dev · commit 5f2f289edd28 · 2026-05-01T23:45:59.000-05:00
diff --git a/.github/workflows/publish-test.yml b/.github/workflows/publish-test.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,27 +1,67 @@
-name: publish.yml
+name: Publish (PyPI)
+
+# Publishes any tag starting with 'v' (e.g. v1.0, v0.5.1a0) to PyPI via OIDC
+# trusted publishing. The publish job is gated on the full pytest matrix
+# passing on the tagged commit — we don't ship a release that fails CI.
 on:
   push:
     tags:
-      # publishes any tag starting with 'v' as in 'v1.0'
       - v*
 
+permissions: {}
+
 jobs:
-  run:
+  # Re-run the full test matrix on the tagged commit. Yes, this is similar
+  # to tests.yaml — but a release deserves an explicit, self-contained gate
+  # rather than a `workflow_run` dependency on another workflow's run (which
+  # would only work if tests.yaml was on the default branch at the time of
+  # the tag, a footgun).
+  tests:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: true
+      matrix:
+        python-version: [ "3.12", "3.13", "3.14" ]
+    name: pytest (Python ${{ matrix.python-version }})
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Install Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: uv sync --all-extras --python ${{ matrix.python-version }}
+
+      - name: Run pytest
+        run: |
+          uv run --python ${{ matrix.python-version }} pytest -v -m "not network"
+
+  publish:
+    needs: tests
     runs-on: ubuntu-latest
     environment:
       name: publish
     permissions:
-      id-token: write
+      id-token: write   # OIDC trusted publishing
       contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+
       - name: Install uv
         uses: astral-sh/setup-uv@v6
+
       - name: Install Python 3.13
         run: uv python install 3.13
+
       - name: Build
         run: uv build
-        # Need to add a test that verifies the builds
-      - name: Publish
+
+      - name: Publish to PyPI
         run: uv publish
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -1,6 +1,10 @@
 name: Tests
 on:
   push:
+    # Tag pushes (v*) are handled by publish.yml, which runs the same matrix
+    # before publishing — skip here to avoid running the suite twice.
+    tags-ignore:
+      - '**'
     paths-ignore:
       - 'docs/**'
       - 'README.md'
@@ -61,4 +65,66 @@ jobs:
           name: coverage-${{ matrix.python-version }}
           path: coverage.xml
           if-no-files-found: warn
-          retention-days: 7
+          retention-days: 7
+
+  # Publish a `.devN` pre-release wheel to TestPyPI on every push to dev,
+  # gated on the full pytest matrix passing. Lives in this workflow (rather
+  # than a separate `workflow_run`-triggered file) so that the gate is a
+  # plain `needs:` dependency — `workflow_run` only fires from workflows
+  # that exist on the default branch, which is a maintenance footgun.
+  #
+  # One-time setup required at https://test.pypi.org/manage/account/publishing/
+  #   Owner: Botts-Innovative-Research
+  #   Repo:  OSHConnect-Python
+  #   Workflow: tests.yaml
+  #   Environment: publish-test
+  # And in this repo's Settings -> Environments, create env `publish-test`.
+  publish-test:
+    needs: pytest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/dev'
+    runs-on: ubuntu-latest
+    environment:
+      name: publish-test
+      url: https://test.pypi.org/project/oshconnect/
+    permissions:
+      id-token: write   # OIDC trusted publishing
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Install Python 3.13
+        run: uv python install 3.13
+
+      # Append `.dev<run_number>` to the version in pyproject.toml so each
+      # dev push gets a fresh PEP 440-compliant pre-release (e.g.
+      # 0.5.1a0 -> 0.5.1a0.dev42). The change lives only on the runner.
+      - name: Auto-bump version with .devN suffix
+        run: |
+          python - <<'PY'
+          import os, pathlib, re
+          run = os.environ['GITHUB_RUN_NUMBER']
+          p = pathlib.Path('pyproject.toml')
+          src = p.read_text()
+          new = re.sub(
+              r'^(version\s*=\s*")([^"]+)(")',
+              lambda m: f'{m.group(1)}{m.group(2)}.dev{run}{m.group(3)}',
+              src, count=1, flags=re.M,
+          )
+          if new == src:
+              raise SystemExit('No `version = "..."` line found in pyproject.toml')
+          p.write_text(new)
+          for line in new.splitlines():
+              if line.startswith('version'):
+                  print(f'Bumped {line}')
+                  break
+          PY
+
+      - name: Build
+        run: uv build
+
+      - name: Publish to TestPyPI
+        run: uv publish --publish-url https://test.pypi.org/legacy/
