chore(ci): refactor wheel release process (#312)

mckornfield · kendrickb-nvidia · web-flow · commit ad93dcaf37b5 · 2026-04-01T10:43:14.000-07:00
* The NeMoFW release job currently pushes commits, which
doesn't make sense with uv's tagging conventions,
switched us to a local version that just builds the wheel
and
* Also creates a github release

---------

Signed-off-by: Matt Kornfield &lt;mkornfield@nvidia.com&gt;
Signed-off-by: Matt Kornfield &lt;mckornfield@gmail.com&gt;
Co-authored-by: Kendrick Boyd &lt;kendrickb@nvidia.com&gt;
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -15,8 +15,7 @@ All workflows that use `.github/actions/setup-python-env` now default to the ver
 | [gpu-tests.yml](gpu-tests.yml)                     | Push to `main`/`pull-request/*`, manual  | GPU smoke tests (required) and E2E tests (A100)       |
 | [conventional-commit.yml](conventional-commit.yml) | PRs                                      | Validates PR titles follow conventional commit format |
 | [docs.yml](docs.yml)                               | Push to `main` (docs paths)              | Builds and deploys documentation to GitHub Pages      |
-| [internal-release.yml](internal-release.yml)       | Tag push (`v[0-9]*`), manual dispatch    | Builds and publishes wheel to Artifactory or PyPI     |
-| [release.yml](release.yml)                         | Manual dispatch                          | Builds and publishes package to PyPI (production)     |
+| [release.yml](release.yml)                         | Manual dispatch                          | Builds and publishes package to Test PyPI or PyPI (production)     |
 | [secrets-detector.yml](secrets-detector.yml)       | PRs                                      | Scans for accidentally committed secrets              |
 
 ## Pull Request Testing (copy-pr-bot)
diff --git a/.github/workflows/internal-release.yml b/.github/workflows/internal-release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,6 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# ---------------------------------------------------------------------------
+# Release: build wheel, publish to PyPI (or Test PyPI on dry-run), and
+# optionally create a GitHub release.
+#
+# No version-bump PR, no docs upload, no dummy branch push.
+# ---------------------------------------------------------------------------
+
 name: "Release NeMo Safe Synthesizer"
 
 on:
@@ -22,7 +29,7 @@ on:
         required: true
         type: string
       dry-run:
-        description: "Dry Run: only publish to test PyPI"
+        description: "Dry Run: only publish to Test PyPI"
         required: true
         default: true
         type: boolean
@@ -31,34 +38,106 @@ on:
         required: true
         default: true
         type: boolean
-      version-bump-branch:
-        description: Branch to push the version bump
-        required: true
-        type: string
+
+defaults:
+  run:
+    shell: bash -x -e -u -o pipefail {0}
 
 permissions:
   contents: write
-  pull-requests: write
 
 jobs:
-  release:
-    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_release_library.yml@v0.81.1
-    with:
-      release-ref: ${{ inputs.release-ref }}
-      python-package: nemo_safe_synthesizer
-      library-name: NeMo Safe Synthesizer
-      dry-run: ${{ inputs.dry-run }}
-      version-bump-branch: ${{ inputs.version-bump-branch }}
-      create-gh-release: ${{ inputs.create-gh-release }}
-      packaging: uv
-      has-src-dir: true
-      app-id: ${{ vars.BOT_ID }}
-    secrets:
-      TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
-      TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
-      SLACK_WEBHOOK_ADMIN: ${{ secrets.SLACK_WEBHOOK_ADMIN }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_RELEASE_ENDPOINT }}
-      PAT: ${{ secrets.PAT }}
-      SSH_KEY: ${{ secrets.SSH_KEY }}
-      SSH_PWD: ${{ secrets.SSH_PWD }}
-      BOT_KEY: ${{ secrets.BOT_KEY }}
+  publish-wheel:
+    name: Publish wheel (${{ inputs.dry-run && 'Test PyPI' || 'PyPI' }})
+    runs-on: linux-amd64-cpu4
+    outputs:
+      version: ${{ steps.build.outputs.version }}
+    steps:
+      - name: Checkout at release ref
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.release-ref }}
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version-file: ".python-version"
+
+      - name: Build wheel
+        id: build
+        run: |
+          make build-wheel
+          WHEEL=$(ls dist/*.whl)
+          VERSION=$(echo "$WHEEL" | sed -n 's/.*-\([0-9][^-]*\)-.*/\1/p')
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "Built: $WHEEL (version $VERSION)"
+
+      - uses: actions/upload-artifact@v7
+        with:
+          name: nemo-safe-synthesizer-${{ steps.build.outputs.version }}
+          path: dist/*.whl
+          retention-days: 90
+
+      - name: Publish to Test PyPI (always, as pre-flight)
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.TEST_PYPI_PERSONAL_TOKEN }}
+        run: |
+          uvx twine upload \
+            --repository-url https://test.pypi.org/legacy/ \
+            --skip-existing \
+            --non-interactive \
+            --verbose \
+            dist/*.whl
+
+      - name: Publish to PyPI
+        if: ${{ !inputs.dry-run }}
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.PYPI_PERSONAL_TOKEN }}
+        run: |
+          uvx twine upload \
+            --non-interactive \
+            --verbose \
+            dist/*.whl
+
+  create-gh-release:
+    name: Create GitHub release
+    needs: publish-wheel
+    if: ${{ inputs.create-gh-release }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout at release ref
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.release-ref }}
+          fetch-depth: 0
+
+      - name: Download wheel artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: nemo-safe-synthesizer-${{ needs.publish-wheel.outputs.version }}
+          path: dist/
+
+      - name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          VERSION: ${{ needs.publish-wheel.outputs.version }}
+        run: |
+          PRERELEASE_FLAG=""
+          if echo "$VERSION" | grep -qE '(rc|alpha|beta|\.dev)'; then
+            PRERELEASE_FLAG="--prerelease"
+          fi
+
+          gh release create "v${VERSION}" \
+            dist/*.whl \
+            --title "v${VERSION}" \
+            --notes-file CHANGELOG.md \
+            $PRERELEASE_FLAG
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -20,6 +20,7 @@ Please read our [Code of Conduct](CODE_OF_CONDUCT.md) before contributing.
 - [Code Style](#code-style)
 - [Documentation](#documentation)
 - [AI Agents](#ai-agents)
+- [Releasing](#releasing)
 - [NMP Integration](#nmp-integration)
 
 ## Getting Started
@@ -582,6 +583,51 @@ Conventions defined in `AGENTS.md` (code style, markdown style, testing, etc.) a
 
 Before contributing, run `make format` and `make check`. See `AGENTS.md` for full conventions.
 
+## Releasing
+
+Releases are published to PyPI via the **Release NeMo Safe Synthesizer** GitHub Actions workflow. The workflow builds the wheel from a git tag, publishes to Test PyPI as a pre-flight check, and optionally publishes to the real PyPI and creates a GitHub release.
+
+### 1. Create and push a tag
+
+Tags must follow [Semantic Versioning](#semantic-versioning-for-tags). For release candidates, use the `rcN` pre-release suffix:
+
+```bash
+# Stable release
+git tag 0.1.0 <commit-sha>
+
+# Release candidate
+git tag 0.1.0rc1 <commit-sha>
+
+git push origin <tag>
+```
+
+### 2. Run the workflow
+
+Trigger the workflow from the GitHub UI or via `gh`:
+
+**GitHub UI:** Go to **Actions → Release NeMo Safe Synthesizer → Run workflow** and fill in the inputs.
+
+**CLI:**
+
+```bash
+gh workflow run release.yml \
+  --field release-ref=<tag> \
+  --field dry-run=true \
+  --field create-gh-release=false
+```
+
+### 3. Inputs
+
+| Input | Description | Default |
+|---|---|---|
+| `release-ref` | Full SHA or tag to build from | required |
+| `dry-run` | Publish to Test PyPI only; skip real PyPI | `true` |
+| `create-gh-release` | Create a GitHub release and attach the wheel | `true` |
+
+**Dry-run mode** (default): builds the wheel and publishes it to [Test PyPI](https://test.pypi.org/) only. Use this to verify the package before a real release. The workflow always publishes to Test PyPI regardless of `dry-run`.
+
+**Real release**: uncheck `dry-run` (or pass `--field dry-run=false`) to also publish to the real [PyPI](https://pypi.org/). Pre-release tags (`rc`, `alpha`, `beta`, `.dev`) are automatically marked as pre-releases on both PyPI and GitHub.
+
 ## NMP Integration
 
 NeMo Safe Synthesizer is developed as a standalone package and published to PyPI and optionally published to the internal NVIDIA Artifactory. The NeMo Platform (NMP) consumes it as an external dependency.
