@dbccccccc dbccccccc (Owner) commented Jun 6, 2025

Summary by CodeRabbit

  • Chores
    • Introduced automated workflows for releasing the package, including both automatic and manual release processes.
    • Added workflows to handle version bumping, building, testing, publishing to PyPI, and generating GitHub releases with installation instructions.
    • Ensured releases are triggered by specific events, such as version tags or manual input, with automated verification steps.

@coderabbitai coderabbitai bot commented Jun 6, 2025

Walkthrough

Three new GitHub Actions workflows are introduced to automate the release process for a Python package. These workflows cover automatic releases on main branch updates, manual releases with a specified version, and releases triggered by version tags. Each workflow manages testing, building, version bumping, publishing to PyPI, tagging, and generating GitHub releases.

Changes

| File(s) | Change Summary |
| --- | --- |
| .github/workflows/auto-release.yml | Added workflow for automated version bumping, packaging, and releasing on main branch updates. |
| .github/workflows/manual-release.yml | Added workflow for manual release with version input, including build, publish, and verification. |
| .github/workflows/release.yml | Added workflow to test, build, and release package to PyPI when a version tag is pushed. |

Sequence Diagram(s)

Auto Release Workflow

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant GitHub as GitHub Actions
    participant PyPI as PyPI

    Dev->>GitHub: Push to main or trigger workflow_dispatch
    GitHub->>GitHub: check-changes job (determine need for release & new version)
    alt Release needed
        GitHub->>GitHub: release job (bump version, build, publish)
        GitHub->>PyPI: Publish package
        GitHub->>GitHub: Create tag and GitHub release
    else No release needed
        GitHub-->>Dev: Skip release
    end
```

Manual Release Workflow

```mermaid
sequenceDiagram
    participant Maintainer as Maintainer
    participant GitHub as GitHub Actions
    participant PyPI as PyPI

    Maintainer->>GitHub: Trigger workflow_dispatch with version input
    GitHub->>GitHub: test job (install & import check)
    GitHub->>GitHub: build-and-release job (bump version, build, publish)
    GitHub->>PyPI: Publish package
    GitHub->>GitHub: Tag and create release
    GitHub->>GitHub: Verify installation from PyPI
```

Release on Tag Workflow

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant GitHub as GitHub Actions
    participant PyPI as PyPI

    Dev->>GitHub: Push tag v*
    GitHub->>GitHub: test job (multi-version)
    GitHub->>GitHub: build job (build, check, upload artifacts)
    GitHub->>GitHub: release job (publish, create release)
    GitHub->>PyPI: Publish package
```

Poem

🐇
Three new flows in the garden grow,
Auto, Manual, Tag—they know
How to build, to test, to fly,
And send new packages to PyPI.
With every push and every tag,
The rabbit hops—no need to lag!
Release is easy, quick, and spry.



Comment on lines +26 to +85
```yaml
    runs-on: ubuntu-latest
    outputs:
      should_release: ${{ steps.check.outputs.should_release }}
      new_version: ${{ steps.version.outputs.new_version }}

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Check if release needed
        id: check
        run: |
          # Check if there are changes since last tag
          LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
          CHANGES=$(git log ${LAST_TAG}..HEAD --oneline --grep="feat\|fix\|BREAKING" | wc -l)

          if [ "$CHANGES" -gt 0 ] || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            echo "should_release=true" >> $GITHUB_OUTPUT
          else
            echo "should_release=false" >> $GITHUB_OUTPUT
          fi

      - name: Calculate new version
        id: version
        if: steps.check.outputs.should_release == 'true'
        run: |
          # Get current version from pyproject.toml
          CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
          echo "Current version: $CURRENT_VERSION"

          # Determine bump type
          BUMP_TYPE="${{ github.event.inputs.bump_type || 'patch' }}"

          # Calculate new version (simple implementation)
          IFS='.' read -ra VERSION_PARTS <<< "$CURRENT_VERSION"
          MAJOR=${VERSION_PARTS[0]}
          MINOR=${VERSION_PARTS[1]}
          PATCH=${VERSION_PARTS[2]}

          case $BUMP_TYPE in
            major)
              MAJOR=$((MAJOR + 1))
              MINOR=0
              PATCH=0
              ;;
            minor)
              MINOR=$((MINOR + 1))
              PATCH=0
              ;;
            patch)
              PATCH=$((PATCH + 1))
              ;;
          esac

          NEW_VERSION="$MAJOR.$MINOR.$PATCH"
          echo "New version: $NEW_VERSION"
          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT

  release:
```

Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block at the root of the workflow file to define the minimal permissions required for the workflow. Based on the tasks performed in the workflow, the following permissions are needed:

  1. contents: write - Required for pushing changes to the repository and creating tags.
  2. packages: write - Required for publishing the package to PyPI.
  3. actions: read - Required for accessing workflow artifacts.
  4. pull-requests: write - Required for interacting with pull requests (if applicable).

The permissions block will be added at the top level of the workflow, ensuring that all jobs inherit these permissions unless overridden.


Suggested changeset 1: .github/workflows/auto-release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -2,2 +2,8 @@
 
+permissions:
+  contents: write
+  packages: write
+  actions: read
+  pull-requests: write
+
 on:
EOF
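Review bot: Three of the four scopes in this hunk are unused by anything in auto-release.yml, and placing the block at workflow level over-privileges the read-only job. The publish step authenticates with `secrets.PYPI_API_TOKEN` (the `packages` scope governs GitHub Packages, not PyPI), no step interacts with pull requests, and `actions: read` is only needed to fetch artifacts from other runs, which this workflow never does; meanwhile `check-changes`, which only runs `git describe` and `git log`, inherits `contents: write`. Suggest `permissions: {contents: read}` at the top and a job-level `contents: write` on `release`, which the `git push`, tag push and softprops/action-gh-release steps do need.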
Comment on lines +86 to +156
````yaml
    needs: check-changes
    if: needs.check-changes.outputs.should_release == 'true'
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Update version in pyproject.toml
        run: |
          NEW_VERSION="${{ needs.check-changes.outputs.new_version }}"
          sed -i "s/^version = .*/version = \"$NEW_VERSION\"/" pyproject.toml

          # Also update __init__.py if it exists
          if [ -f "ttsfm/__init__.py" ]; then
            sed -i "s/__version__ = .*/__version__ = \"$NEW_VERSION\"/" ttsfm/__init__.py
          fi

      - name: Commit version bump
        run: |
          git config --local user.email "[email protected]"
          git config --local user.name "GitHub Action"
          git add pyproject.toml ttsfm/__init__.py
          git commit -m "bump: version ${{ needs.check-changes.outputs.new_version }}" || exit 0
          git push

      - name: Create and push tag
        run: |
          NEW_VERSION="${{ needs.check-changes.outputs.new_version }}"
          git tag "v$NEW_VERSION"
          git push origin "v$NEW_VERSION"

      - name: Install build dependencies
        run: |
          python -m pip install --upgrade pip
          pip install build twine

      - name: Build package
        run: |
          python -m build

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: v${{ needs.check-changes.outputs.new_version }}
          name: TTSFM v${{ needs.check-changes.outputs.new_version }}
          body: |
            ## TTSFM v${{ needs.check-changes.outputs.new_version }}

            Automated release with latest changes.

            ### Installation
            ```bash
            pip install ttsfm==${{ needs.check-changes.outputs.new_version }}
            ```

            ### What's Changed
            See commit history for detailed changes.
          draft: false
          prerelease: false
````

Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block at the root of the workflow to define the minimal permissions required for the GITHUB_TOKEN. Additionally, we will add job-specific permissions blocks for the check-changes and release jobs to further restrict access. The check-changes job only needs contents: read to check for changes, while the release job requires contents: write to commit changes and push tags, and packages: write to publish to PyPI.


Suggested changeset 1: .github/workflows/auto-release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -2,2 +2,5 @@
 
+permissions:
+  contents: read
+
 on:
@@ -26,2 +29,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
@@ -88,2 +93,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
     
EOF
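Review bot: In the third hunk, `packages: write` on the `release` job is unnecessary: the PyPI upload uses `secrets.PYPI_API_TOKEN`, which never involves GITHUB_TOKEN, so `contents: write` (needed for `git push`, the tag push and softprops/action-gh-release) is the only elevation required; drop `packages: write`. The second hunk's job-level `contents: read` on `check-changes` merely repeats the workflow-level value set in the first hunk and can be omitted.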
Comment on lines +13 to +33
```yaml
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e .

      - name: Run basic tests
        run: |
          python -c "import ttsfm; print(f'TTSFM imported successfully')"
          python -c "from ttsfm import TTSClient; print('TTSClient imported successfully')"

  build-and-release:
```

Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block at the root of the workflow to define the least privileges required for all jobs. Additionally, we will add job-specific permissions blocks where elevated privileges are necessary. For example:

  1. The test job only requires contents: read to check out the repository and run tests.
  2. The build-and-release job requires additional permissions, such as contents: write for pushing changes, packages: write for publishing to PyPI, and pull-requests: write for creating pull requests (if applicable).

This ensures that each job has only the permissions it needs, reducing the risk of misuse.


Suggested changeset 1: .github/workflows/manual-release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml
--- a/.github/workflows/manual-release.yml
+++ b/.github/workflows/manual-release.yml
@@ -10,2 +10,5 @@
 
+permissions:
+  contents: read
+
 jobs:
@@ -35,2 +38,6 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: write
 
EOF
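Review bot: In the second hunk, `packages: write` and `pull-requests: write` grant the `build-and-release` job scopes it never uses: no step creates or comments on pull requests, and the PyPI upload authenticates with `secrets.PYPI_API_TOKEN` rather than GITHUB_TOKEN. `contents: write` alone covers the version-bump commit, the tag push and softprops/action-gh-release, so reduce the block to that.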
Comment on lines +34 to +121
````yaml
    needs: test
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Update version
        run: |
          VERSION="${{ github.event.inputs.version }}"
          sed -i "s/^version = .*/version = \"$VERSION\"/" pyproject.toml

          # Update __init__.py if it exists
          if [ -f "ttsfm/__init__.py" ]; then
            sed -i "s/__version__ = .*/__version__ = \"$VERSION\"/" ttsfm/__init__.py
          fi

      - name: Commit version update
        run: |
          git config --local user.email "[email protected]"
          git config --local user.name "GitHub Action"
          git add pyproject.toml ttsfm/__init__.py
          git commit -m "bump: version ${{ github.event.inputs.version }}" || exit 0
          git push

      - name: Install build dependencies
        run: |
          python -m pip install --upgrade pip
          pip install build twine

      - name: Build package
        run: |
          python -m build

      - name: Check package
        run: |
          twine check dist/*
          ls -la dist/

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}

      - name: Create and push tag
        run: |
          git tag "v${{ github.event.inputs.version }}"
          git push origin "v${{ github.event.inputs.version }}"

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: v${{ github.event.inputs.version }}
          name: TTSFM v${{ github.event.inputs.version }}
          body: |
            ## TTSFM v${{ github.event.inputs.version }}

            Manual release of TTSFM package.

            ### Installation
            ```bash
            pip install ttsfm==${{ github.event.inputs.version }}
            ```

            ### Features
            - Text-to-Speech API client with OpenAI compatibility
            - Support for multiple voices and audio formats
            - Async and sync interfaces
            - Web interface for testing

            ### Documentation
            See [GitHub repository](https://github.com/dbccccccc/ttsfm) for full documentation.
          draft: false
          prerelease: false

      - name: Verify installation
        run: |
          echo "Waiting 30 seconds for PyPI to update..."
          sleep 30

          pip install ttsfm==${{ github.event.inputs.version }}
          python -c "import ttsfm; print(f'✅ PyPI installation successful! Version: {ttsfm.__version__}')"
````

Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block to the workflow. This block will explicitly define the permissions required for each job. For the test job, only contents: read is needed, as it does not perform any write operations. For the build-and-release job, additional permissions such as contents: write and packages: write will be granted, as these are necessary for committing changes, pushing tags, and publishing to PyPI.


Suggested changeset 1: .github/workflows/manual-release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml
--- a/.github/workflows/manual-release.yml
+++ b/.github/workflows/manual-release.yml
@@ -10,2 +10,5 @@
 
+permissions:
+  contents: read
+
 jobs:
@@ -35,2 +38,6 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: write
 
EOF
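Review bot: This is the same changeset as the previous autofix for manual-release.yml and has the same problem in its second hunk: `packages: write` and `pull-requests: write` are unused by the `build-and-release` job (PyPI authentication is via `secrets.PYPI_API_TOKEN`, and nothing in the job touches pull requests). Keep `contents: write` only.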
Comment on lines +10 to +33
```yaml
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [3.8, 3.9, '3.10', '3.11', '3.12']

    steps:
      - uses: actions/checkout@v4

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e .

      - name: Test package import
        run: |
          python -c "import ttsfm; print(f'TTSFM imported successfully')"
          python -c "from ttsfm import TTSClient; print('TTSClient imported successfully')"

  build:
```

Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for each job. Based on the workflow's steps:

  1. The test and build jobs primarily interact with the repository contents, so they only need contents: read.
  2. The release job uploads artifacts to PyPI and creates a GitHub release, requiring contents: read and packages: write.

The permissions block can be added at the workflow level to apply to all jobs or at the job level for more granular control. In this case, job-specific permissions are preferable for clarity and adherence to the principle of least privilege.


Suggested changeset 1: .github/workflows/release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,2 +10,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
@@ -35,2 +37,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
@@ -67,2 +71,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
EOF
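Review bot: The third hunk breaks the `release` job: it grants only `contents: read`, but that job's softprops/action-gh-release step creates a release through the GitHub API and requires `contents: write`, so the `Create GitHub Release` step will be rejected once this block is applied. `packages: write` is not needed either, since publishing uses `secrets.PYPI_API_TOKEN`. Suggest `contents: write` alone for `release`; the `contents: read` blocks on `test` and `build` in the first two hunks are correct.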
Comment on lines +34 to +65
```yaml
    needs: test
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install build dependencies
        run: |
          python -m pip install --upgrade pip
          pip install build twine

      - name: Build package
        run: |
          python -m build

      - name: Check package
        run: |
          twine check dist/*
          ls -la dist/

      - name: Upload build artifacts
        uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/

  release:
```

Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block at the root of the workflow to define minimal permissions for all jobs. Each job will then inherit these permissions unless overridden. Since the workflow involves testing, building, and releasing a Python package, the following permissions are required:

  • contents: read for accessing repository contents.
  • packages: write for publishing the package to PyPI.
  • actions: write for managing workflow artifacts.
  • pull-requests: write for creating GitHub releases.

We will add the permissions block at the top level of the workflow to ensure all jobs have the necessary permissions while adhering to the principle of least privilege.


Suggested changeset 1: .github/workflows/release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,2 +7,8 @@
 
+permissions:
+  contents: read
+  packages: write
+  actions: write
+  pull-requests: write
+
 jobs:
EOF
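Review bot: This hunk omits the one write scope release.yml needs and adds three it does not. softprops/action-gh-release in the `release` job needs `contents: write` (a release is a contents resource, so `pull-requests: write` does not cover it), while `packages: write` (GitHub Packages, unused), `actions: write` (uploading and downloading artifacts within the same run does not require it) and `pull-requests: write` are unused by any step. A workflow-level block also hands every scope to the `test` and `build` jobs. Suggest `contents: read` at the top with a job-level `contents: write` on `release`.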
Comment on lines +66 to +102
````yaml
    needs: build
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Download build artifacts
        uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          body: |
            ## TTSFM ${{ github.ref_name }}

            Automated release of TTSFM package.

            ### Installation
            ```bash
            pip install ttsfm
            ```

            ### Features
            - Text-to-Speech API client with OpenAI compatibility
            - Support for multiple voices and audio formats
            - Async and sync interfaces
            - Web interface for testing
          draft: false
          prerelease: false
````

Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block to the workflow to explicitly define the minimal permissions required for each job. For the release job, we will grant contents: read and packages: write permissions, as these are necessary for downloading artifacts and publishing to PyPI. Additionally, we will grant contents: write for creating a GitHub release. For the other jobs (test and build), we will grant only contents: read, as they do not require write permissions.


Suggested changeset 1: .github/workflows/release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,2 +7,5 @@
 
+permissions:
+  contents: read
+
 jobs:
@@ -35,2 +38,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
@@ -67,2 +72,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
 
EOF
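Review bot: This changeset has the right shape (restricted default at workflow level, elevation only on `release`), but `packages: write` in the third hunk is unnecessary because the PyPI upload authenticates with `secrets.PYPI_API_TOKEN`; keep only `contents: write`, which softprops/action-gh-release needs. The `build` job's `contents: read` in the second hunk repeats the workflow-level value and can be dropped.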
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (3)
.github/workflows/manual-release.yml (1)

28-32: Run full test suite in the test job.

The job currently only performs basic import checks. Consider running your complete test suite (e.g., pytest) to catch regressions before manual release.

.github/workflows/auto-release.yml (2)

11-11: Remove trailing spaces and fix indentation.

YAML lint errors indicate inconsistent indentation and trailing whitespace. Clean up these lines to ensure the workflow is valid and parsable.

Also applies to: 20-20, 30-30, 32-32, 35-35, 42-42, 48-48, 56-56, 59-59, 65-65, 80-80, 89-89, 94-94, 99-99, 104-104, 109-109, 117-117, 123-123, 128-128, 132-132

🧰 Tools
🪛 YAMLlint (1.37.1): [error] 11-11: trailing spaces (trailing-spaces)


24-24: Add a dedicated test job before version bump.

The workflow currently only checks for changes and bumps versions without running tests. Insert a job to execute the full test suite (e.g., via pytest) to validate package integrity before releasing.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f03b121 and 6eb6ed0.

📒 Files selected for processing (3)
  • .github/workflows/auto-release.yml (1 hunks)
  • .github/workflows/manual-release.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/release.yml
  • 19-19, 41-41: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
  • 60-60: the runner of "actions/upload-artifact@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
  • 73-73: the runner of "actions/download-artifact@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
  • 84-84: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)

.github/workflows/auto-release.yml
  • 96-96: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
  • 139-139: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)

.github/workflows/manual-release.yml
  • 19-19, 43-43: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
  • 90-90: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)

🪛 GitHub Check: CodeQL

.github/workflows/release.yml
  • [warning] 10-33, 34-65, 66-102: Workflow does not contain permissions. Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

.github/workflows/auto-release.yml
  • [warning] 26-85, 86-156: Workflow does not contain permissions. Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

.github/workflows/manual-release.yml
  • [warning] 13-33, 34-121: Workflow does not contain permissions. Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

🪛 YAMLlint (1.37.1)

.github/workflows/auto-release.yml
  • [error] trailing spaces (trailing-spaces) at lines 11, 30, 35, 42, 48, 56, 59, 65, 80, 89, 94, 99, 104, 109, 117, 123, 128, 132
  • [warning] wrong indentation: expected 10 but found 8 (indentation) at line 20
  • [warning] wrong indentation: expected 6 but found 4 (indentation) at lines 32, 91

Comment on lines +28 to +32
- name: Test package import
run: |
python -c "import ttsfm; print(f'TTSFM imported successfully')"
python -c "from ttsfm import TTSClient; print('TTSClient imported successfully')"


🛠️ Refactor suggestion

Expand the test job to run the full test suite.

Currently only import checks are executed. It’s best to invoke your test runner (e.g., pytest) to validate functionality before release.

🤖 Prompt for AI Agents
In .github/workflows/release.yml around lines 28 to 32, the test job only runs
import checks for the package. To ensure full validation before release, modify
the test step to run the complete test suite using the appropriate test runner
like pytest. Replace or supplement the current import commands with a command to
execute all tests, ensuring the package functionality is fully verified.

Comment on lines +1 to +7
name: Release to PyPI

on:
push:
tags:
- 'v*' # Triggers on version tags like v1.0.0, v3.0.0, etc.
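Review bot: the `v*` glob on this tag trigger also matches tags such as `v3-preview` or `v2-test`, so the job that publishes should check that `github.ref_name` matches `^v[0-9]+\.[0-9]+\.[0-9]+$` before anything is uploaded to PyPI. Note also that a tag pushed by another workflow using the default `GITHUB_TOKEN` does not create a new `push` run, so this workflow cannot be chained from an automated tagging job without a separately scoped token or an explicit job dependency.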


🛠️ Refactor suggestion

Add explicit permissions block to tighten GITHUB_TOKEN scope.

By default the workflow inherits broad write permissions. Define a minimal permissions block at the top to limit token scope:

permissions:
  contents: read
  packages: write   # for PyPI publishing
  id-token: write   # if you use OIDC
🤖 Prompt for AI Agents
In .github/workflows/release.yml at the top of the file (lines 1 to 7), add an
explicit permissions block to restrict the GITHUB_TOKEN scope. Define minimal
permissions by adding a permissions section with contents set to read, packages
set to write for PyPI publishing, and id-token set to write if OIDC is used.
This will tighten security by limiting token access to only what is necessary.

Comment on lines +1 to +9
name: Manual Release

on:
workflow_dispatch:
inputs:
version:
description: 'Version to release (e.g., 3.0.1)'
required: true
type: string
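Review bot: `version` is a free-form string input; if it is expanded with `${{ inputs.version }}` inside a `run:` step or used directly as the tag name, anyone allowed to dispatch the workflow can inject shell or create an arbitrary tag. Validate it in the first job (for example `grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'`) and hand it to shell through an `env:` variable rather than inline expression expansion.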

🛠️ Refactor suggestion

Add explicit permissions block to restrict GITHUB_TOKEN scope.

Workflows should declare minimal permissions for the GITHUB_TOKEN to adhere to the principle of least privilege:

permissions:
  contents: read
  packages: write
🤖 Prompt for AI Agents
In .github/workflows/manual-release.yml at the beginning of the file (lines 1 to
9), add an explicit permissions block to restrict the GITHUB_TOKEN scope. Insert
a permissions section with contents set to read and packages set to write to
ensure the workflow uses minimal required permissions following the principle of
least privilege.

Comment on lines +1 to +7
name: Auto Release

on:
push:
branches:
- main
paths:

🛠️ Refactor suggestion

Add explicit permissions block to restrict GITHUB_TOKEN scope.

Define a minimal permissions block to reduce token privileges:

permissions:
  contents: read
  packages: write
🤖 Prompt for AI Agents
In .github/workflows/auto-release.yml at the beginning of the file (lines 1 to
7), add an explicit permissions block under the workflow name to restrict the
GITHUB_TOKEN scope. Define the permissions block with minimal required
privileges by setting contents to read and packages to write. This limits token
access and enhances security for the workflow.
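The three permissions comments above (on release.yml, manual-release.yml and auto-release.yml) and the test-job comment all describe the same fix applied to the same shape of workflow. What follows is an added example of a complete tag-triggered release workflow with least-privilege GITHUB_TOKEN scopes; it is not code from this PR or from the ttsfm project. It assumes PyPI trusted publishing (OIDC), which needs `id-token: write` on the publishing job only, and that the GitHub release is created with the `gh` CLI, which needs `contents: write` on that job only; every other job keeps the workflow-level `contents: read`. It does not request `packages: write`, because that scope covers GitHub Packages and publishing to PyPI does not use it. The `pypi` environment name, the Python version, the `[test]` extra and the action versions are assumptions.

```yaml
name: Release to PyPI

on:
  push:
    tags:
      - 'v*'

# Workflow-level default: every job gets a read-only GITHUB_TOKEN unless it
# declares its own permissions block. A job can re-grant individual scopes
# below, but nothing runs with the default write-all token.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits contents: read only; tests never need to write anything.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'   # assumption
      - name: Install package with test extras
        run: python -m pip install -e ".[test]"   # assumes a [test] extra
      - name: Run the full test suite, not only import checks
        run: python -m pytest -q

  build:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Refuse tags that are not plain vX.Y.Z versions
        # 'v*' also matches tags like v3-preview. GITHUB_REF_NAME is a default
        # environment variable, so no ${{ }} expansion reaches the shell.
        run: |
          if ! printf '%s\n' "$GITHUB_REF_NAME" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "refusing to release from non-version tag: $GITHUB_REF_NAME" >&2
            exit 1
          fi
      - name: Build sdist and wheel
        run: |
          python -m pip install build
          python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Trusted publishing: PyPI verifies an OIDC token minted for this job and
    # this environment. Requires a trusted publisher configured on PyPI.
    permissions:
      id-token: write
    environment: pypi   # assumption: environment name registered on PyPI
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1

  github-release:
    needs: publish
    runs-on: ubuntu-latest
    # The only job allowed to write to the repository (create the release).
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Create the GitHub release with the built artifacts attached
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" dist/* --repo "$GITHUB_REPOSITORY" --generate-notes
```

With the workflow-level block in place a job that forgets to declare its scopes fails closed: `gh release create` under `contents: read` is rejected by the API instead of silently succeeding with a write-all token. Splitting `id-token: write` and `contents: write` across two jobs means no single job holds both the credential that PyPI trusts and the ability to modify the repository.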

@dbccccccc dbccccccc merged commit 5400492 into main Jun 6, 2025
7 checks passed
@dbccccccc dbccccccc deleted the v3-preview branch August 21, 2025 07:56
2 participants