Merged
156 changes: 156 additions & 0 deletions .github/workflows/auto-release.yml
@@ -0,0 +1,156 @@
name: Auto Release

on:
push:
branches:
- main
paths:
Comment on lines +1 to +7
🛠️ Refactor suggestion

Add explicit permissions block to restrict GITHUB_TOKEN scope.

Define a minimal permissions block to reduce token privileges:

permissions:
  contents: read
  packages: write
🤖 Prompt for AI Agents
In .github/workflows/auto-release.yml at the beginning of the file (lines 1 to
7), add an explicit permissions block under the workflow name to restrict the
GITHUB_TOKEN scope. Define the permissions block with minimal required
privileges by setting contents to read and packages to write. This limits token
access and enhances security for the workflow.

- 'ttsfm/**'
- 'pyproject.toml'
- 'README.md'

workflow_dispatch:
inputs:
bump_type:
description: 'Version bump type'
required: true
default: 'patch'
type: choice
options:
- patch
- minor
- major

jobs:
check-changes:
runs-on: ubuntu-latest
outputs:
should_release: ${{ steps.check.outputs.should_release }}
new_version: ${{ steps.version.outputs.new_version }}

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Check if release needed
id: check
run: |
# Check if there are changes since last tag
LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
CHANGES=$(git log ${LAST_TAG}..HEAD --oneline --grep="feat\|fix\|BREAKING" | wc -l)

if [ "$CHANGES" -gt 0 ] || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
echo "should_release=true" >> $GITHUB_OUTPUT
else
echo "should_release=false" >> $GITHUB_OUTPUT
fi

- name: Calculate new version
id: version
if: steps.check.outputs.should_release == 'true'
run: |
# Get current version from pyproject.toml
CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
echo "Current version: $CURRENT_VERSION"

# Determine bump type
BUMP_TYPE="${{ github.event.inputs.bump_type || 'patch' }}"

# Calculate new version (simple implementation)
IFS='.' read -ra VERSION_PARTS <<< "$CURRENT_VERSION"
MAJOR=${VERSION_PARTS[0]}
MINOR=${VERSION_PARTS[1]}
PATCH=${VERSION_PARTS[2]}

case $BUMP_TYPE in
major)
MAJOR=$((MAJOR + 1))
MINOR=0
PATCH=0
;;
minor)
MINOR=$((MINOR + 1))
PATCH=0
;;
patch)
PATCH=$((PATCH + 1))
;;
esac

NEW_VERSION="$MAJOR.$MINOR.$PATCH"
echo "New version: $NEW_VERSION"
echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT

release:
Comment on lines +26 to +85

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 6 months ago)

To fix the issue, we will add a permissions block at the root of the workflow file to define the minimal permissions required for the workflow. Based on the tasks performed in the workflow, the following permissions are needed:

  1. contents: write - Required for pushing changes to the repository and creating tags.
  2. packages: write - Required for publishing the package to PyPI.
  3. actions: read - Required for accessing workflow artifacts.
  4. pull-requests: write - Required for interacting with pull requests (if applicable).

The permissions block will be added at the top level of the workflow, ensuring that all jobs inherit these permissions unless overridden.


Suggested changeset 1: .github/workflows/auto-release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:

cat << 'EOF' | git apply
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -2,2 +2,8 @@
 
+permissions:
+  contents: write
+  packages: write
+  actions: read
+  pull-requests: write
+
 on:
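Review bot: `+  packages: write`, `+  actions: read` and `+  pull-requests: write` grant scopes that nothing in auto-release.yml uses: publishing goes through `secrets.PYPI_API_TOKEN` (the `packages` scope covers GitHub Packages, not PyPI), the workflow uploads no artifacts, and it never touches a pull request. Putting `+  contents: write` at the root also hands the `check-changes` job, which only reads `git log` and `pyproject.toml`, write access to the repository. Keep the root block at `contents: read` and set `contents: write` on the `release` job alone, which is the only job that pushes a commit, pushes a tag and creates a release.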
EOF
needs: check-changes
if: needs.check-changes.outputs.should_release == 'true'
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'

- name: Update version in pyproject.toml
run: |
NEW_VERSION="${{ needs.check-changes.outputs.new_version }}"
sed -i "s/^version = .*/version = \"$NEW_VERSION\"/" pyproject.toml

# Also update __init__.py if it exists
if [ -f "ttsfm/__init__.py" ]; then
sed -i "s/__version__ = .*/__version__ = \"$NEW_VERSION\"/" ttsfm/__init__.py
fi

- name: Commit version bump
run: |
git config --local user.email "[email protected]"
git config --local user.name "GitHub Action"
git add pyproject.toml ttsfm/__init__.py
git commit -m "bump: version ${{ needs.check-changes.outputs.new_version }}" || exit 0
git push

- name: Create and push tag
run: |
NEW_VERSION="${{ needs.check-changes.outputs.new_version }}"
git tag "v$NEW_VERSION"
git push origin "v$NEW_VERSION"

- name: Install build dependencies
run: |
python -m pip install --upgrade pip
pip install build twine

- name: Build package
run: |
python -m build

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }}

- name: Create GitHub Release
uses: softprops/action-gh-release@v1
with:
tag_name: v${{ needs.check-changes.outputs.new_version }}
name: TTSFM v${{ needs.check-changes.outputs.new_version }}
body: |
## TTSFM v${{ needs.check-changes.outputs.new_version }}

Automated release with latest changes.

### Installation
```bash
pip install ttsfm==${{ needs.check-changes.outputs.new_version }}
```

### What's Changed
See commit history for detailed changes.
draft: false
prerelease: false
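Review bot: the `release` job pushes a commit to `main`, pushes a tag and creates a GitHub release with `GITHUB_TOKEN` (the `token: ${{ secrets.GITHUB_TOKEN }}` on checkout is the default anyway), yet the workflow declares no `permissions:` block, so every job runs with the repository's default token scope. Add `permissions: contents: read` at the top level and `permissions: contents: write` on `release` only; `packages: write` is not needed, because `pypa/gh-action-pypi-publish` authenticates to PyPI with `secrets.PYPI_API_TOKEN`, not with `GITHUB_TOKEN`. Two further points in the same hunk: in `Check if release needed`, when no tag exists `LAST_TAG` falls back to the literal `v0.0.0`, which is not a ref, so `git log v0.0.0..HEAD` errors out, `CHANGES` becomes `0` and a push never releases until a first tag is created by hand (count `HEAD` instead when `git describe` fails); and `actions/setup-python@v4`, `pypa/gh-action-pypi-publish@release/v1` and `softprops/action-gh-release@v1` are referenced by mutable tags, so pin them to full commit SHAs so that a tag moved upstream cannot change what runs with the release credentials. Note also that the version bump commit and the tag are pushed before `python -m build` and the PyPI upload run, so a failed publish leaves a tag with no matching package on the index.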
Comment on lines +86 to +156

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 6 months ago)

To fix the issue, we will add a permissions block at the root of the workflow to define the minimal permissions required for the GITHUB_TOKEN. Additionally, we will add job-specific permissions blocks for the check-changes and release jobs to further restrict access. The check-changes job only needs contents: read to check for changes, while the release job requires contents: write to commit changes and push tags, and packages: write to publish to PyPI.


Suggested changeset 1: .github/workflows/auto-release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:

cat << 'EOF' | git apply
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -2,2 +2,5 @@
 
+permissions:
+  contents: read
+
 on:
@@ -26,2 +29,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
@@ -88,2 +93,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
     
EOF
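Review bot: the job-level split in this changeset is the right shape (root and `check-changes` at `contents: read`, `release` at `contents: write` for the push, tag and release), but `+      packages: write` in the last hunk is surplus: `pypa/gh-action-pypi-publish` uses `secrets.PYPI_API_TOKEN`, and `GITHUB_TOKEN` is never presented to PyPI. Drop it, or replace the long-lived API token with trusted publishing and grant `id-token: write` on the `release` job instead.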
121 changes: 121 additions & 0 deletions .github/workflows/manual-release.yml
@@ -0,0 +1,121 @@
name: Manual Release

on:
workflow_dispatch:
inputs:
version:
description: 'Version to release (e.g., 3.0.1)'
required: true
type: string
Comment on lines +1 to +9
🛠️ Refactor suggestion

Add explicit permissions block to restrict GITHUB_TOKEN scope.

Workflows should declare minimal permissions for the GITHUB_TOKEN to adhere to the principle of least privilege:

permissions:
  contents: read
  packages: write
🤖 Prompt for AI Agents
In .github/workflows/manual-release.yml at the beginning of the file (lines 1 to
9), add an explicit permissions block to restrict the GITHUB_TOKEN scope. Insert
a permissions section with contents set to read and packages set to write to
ensure the workflow uses minimal required permissions following the principle of
least privilege.


jobs:
test:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .

- name: Run basic tests
run: |
python -c "import ttsfm; print(f'TTSFM imported successfully')"
python -c "from ttsfm import TTSClient; print('TTSClient imported successfully')"

build-and-release:
Comment on lines +13 to +33

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 6 months ago)

To fix the issue, we will add a permissions block at the root of the workflow to define the least privileges required for all jobs. Additionally, we will add job-specific permissions blocks where elevated privileges are necessary. For example:

  1. The test job only requires contents: read to check out the repository and run tests.
  2. The build-and-release job requires additional permissions, such as contents: write for pushing changes, packages: write for publishing to PyPI, and pull-requests: write for creating pull requests (if applicable).

This ensures that each job has only the permissions it needs, reducing the risk of misuse.


Suggested changeset 1: .github/workflows/manual-release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:

cat << 'EOF' | git apply
diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml
--- a/.github/workflows/manual-release.yml
+++ b/.github/workflows/manual-release.yml
@@ -10,2 +10,5 @@
 
+permissions:
+  contents: read
+
 jobs:
@@ -35,2 +38,6 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: write
 
EOF
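Review bot: `+      pull-requests: write` in the second hunk is unused: the `build-and-release` job commits and pushes directly to the branch it checked out, creates a tag and a release, none of which is a pull-request operation, and `+      packages: write` does not cover PyPI (the job authenticates with `secrets.PYPI_API_TOKEN`). `contents: write` on this job plus `contents: read` at the root is sufficient for everything the workflow does.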
needs: test
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'

- name: Update version
run: |
VERSION="${{ github.event.inputs.version }}"
sed -i "s/^version = .*/version = \"$VERSION\"/" pyproject.toml

# Update __init__.py if it exists
if [ -f "ttsfm/__init__.py" ]; then
sed -i "s/__version__ = .*/__version__ = \"$VERSION\"/" ttsfm/__init__.py
fi

- name: Commit version update
run: |
git config --local user.email "[email protected]"
git config --local user.name "GitHub Action"
git add pyproject.toml ttsfm/__init__.py
git commit -m "bump: version ${{ github.event.inputs.version }}" || exit 0
git push

- name: Install build dependencies
run: |
python -m pip install --upgrade pip
pip install build twine

- name: Build package
run: |
python -m build

- name: Check package
run: |
twine check dist/*
ls -la dist/

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }}

- name: Create and push tag
run: |
git tag "v${{ github.event.inputs.version }}"
git push origin "v${{ github.event.inputs.version }}"

- name: Create GitHub Release
uses: softprops/action-gh-release@v1
with:
tag_name: v${{ github.event.inputs.version }}
name: TTSFM v${{ github.event.inputs.version }}
body: |
## TTSFM v${{ github.event.inputs.version }}

Manual release of TTSFM package.

### Installation
```bash
pip install ttsfm==${{ github.event.inputs.version }}
```

### Features
- Text-to-Speech API client with OpenAI compatibility
- Support for multiple voices and audio formats
- Async and sync interfaces
- Web interface for testing

### Documentation
See [GitHub repository](https://github.com/dbccccccc/ttsfm) for full documentation.
draft: false
prerelease: false

- name: Verify installation
run: |
echo "Waiting 30 seconds for PyPI to update..."
sleep 30

pip install ttsfm==${{ github.event.inputs.version }}
python -c "import ttsfm; print(f'✅ PyPI installation successful! Version: {ttsfm.__version__}')"
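Review bot: `github.event.inputs.version` is interpolated with `${{ }}` straight into `run:` scripts in `Update version`, `Commit version update`, `Create and push tag` and `Verify installation`, so the expression is substituted into the shell text before the step executes and the surrounding quotes offer no protection; the input is declared `type: string` with no pattern, so anyone allowed to dispatch the workflow controls what those scripts contain. Validate the input first (for example against `^[0-9]+\.[0-9]+\.[0-9]+$` and fail the job otherwise) and pass it through `env:` (`VERSION: ${{ github.event.inputs.version }}`), referencing it as `"$VERSION"` in the scripts. Separately, `Verify installation` relies on a fixed `sleep 30` before `pip install ttsfm==...`, which fails intermittently when the index has not propagated yet; retry with a bound rather than sleeping once. The missing `permissions:` block and the mutable action tags are the same issues noted on auto-release.yml.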
Comment on lines +34 to +121

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 6 months ago)

To fix the issue, we will add a permissions block to the workflow. This block will explicitly define the permissions required for each job. For the test job, only contents: read is needed, as it does not perform any write operations. For the build-and-release job, additional permissions such as contents: write and packages: write will be granted, as these are necessary for committing changes, pushing tags, and publishing to PyPI.


Suggested changeset 1: .github/workflows/manual-release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:

cat << 'EOF' | git apply
diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml
--- a/.github/workflows/manual-release.yml
+++ b/.github/workflows/manual-release.yml
@@ -10,2 +10,5 @@
 
+permissions:
+  contents: read
+
 jobs:
@@ -35,2 +38,6 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: write
 
EOF
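Review bot: this changeset is byte-for-byte the one suggested for lines +13 to +33 above, and the same comment applies: `+      pull-requests: write` and `+      packages: write` are not used by this workflow; `contents: write` on `build-and-release` with `contents: read` at the root is enough.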
102 changes: 102 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,102 @@
name: Release to PyPI

on:
push:
tags:
- 'v*' # Triggers on version tags like v1.0.0, v3.0.0, etc.

Comment on lines +1 to +7
🛠️ Refactor suggestion

Add explicit permissions block to tighten GITHUB_TOKEN scope.

By default the workflow inherits broad write permissions. Define a minimal permissions block at the top to limit token scope:

permissions:
  contents: read
  packages: write   # for PyPI publishing
  id-token: write   # if you use OIDC
🤖 Prompt for AI Agents
In .github/workflows/release.yml at the top of the file (lines 1 to 7), add an
explicit permissions block to restrict the GITHUB_TOKEN scope. Define minimal
permissions by adding a permissions section with contents set to read, packages
set to write for PyPI publishing, and id-token set to write if OIDC is used.
This will tighten security by limiting token access to only what is necessary.

jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.8, 3.9, '3.10', '3.11', '3.12']

steps:
- uses: actions/checkout@v4

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .

- name: Test package import
run: |
python -c "import ttsfm; print(f'TTSFM imported successfully')"
python -c "from ttsfm import TTSClient; print('TTSClient imported successfully')"

Comment on lines +28 to +32
🛠️ Refactor suggestion

Expand the test job to run the full test suite.

Currently only import checks are executed. It’s best to invoke your test runner (e.g., pytest) to validate functionality before release.

🤖 Prompt for AI Agents
In .github/workflows/release.yml around lines 28 to 32, the test job only runs
import checks for the package. To ensure full validation before release, modify
the test step to run the complete test suite using the appropriate test runner
like pytest. Replace or supplement the current import commands with a command to
execute all tests, ensuring the package functionality is fully verified.

build:
Comment on lines +10 to +33

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 6 months ago)

To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for each job. Based on the workflow's steps:

  1. The test and build jobs primarily interact with the repository contents, so they only need contents: read.
  2. The release job uploads artifacts to PyPI and creates a GitHub release, requiring contents: read and packages: write.

The permissions block can be added at the workflow level to apply to all jobs or at the job level for more granular control. In this case, job-specific permissions are preferable for clarity and adherence to the principle of least privilege.


Suggested changeset 1: .github/workflows/release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:

cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,2 +10,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
@@ -35,2 +37,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
@@ -67,2 +71,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
EOF
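Review bot: the third hunk leaves the `release` job at `+      contents: read`, but that job runs `softprops/action-gh-release@v1`, which creates the GitHub release through `GITHUB_TOKEN` and needs `contents: write`; with this patch applied the job gets as far as the release step and is then refused. Set `contents: write` on `release`; the `+      packages: write` line is not needed for the PyPI upload, which uses `secrets.PYPI_API_TOKEN`. The first two hunks (`contents: read` on `test` and `build`) are correct.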
needs: test
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'

- name: Install build dependencies
run: |
python -m pip install --upgrade pip
pip install build twine

- name: Build package
run: |
python -m build

- name: Check package
run: |
twine check dist/*
ls -la dist/

- name: Upload build artifacts
uses: actions/upload-artifact@v3
with:
name: dist
path: dist/

release:
Comment on lines +34 to +65

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 6 months ago)

To fix the issue, we will add a permissions block at the root of the workflow to define minimal permissions for all jobs. Each job will then inherit these permissions unless overridden. Since the workflow involves testing, building, and releasing a Python package, the following permissions are required:

  • contents: read for accessing repository contents.
  • packages: write for publishing the package to PyPI.
  • actions: write for managing workflow artifacts.
  • pull-requests: write for creating GitHub releases.

We will add the permissions block at the top level of the workflow to ensure all jobs have the necessary permissions while adhering to the principle of least privilege.


Suggested changeset 1: .github/workflows/release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:

cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,2 +7,8 @@
 
+permissions:
+  contents: read
+  packages: write
+  actions: write
+  pull-requests: write
+
 jobs:
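Review bot: this root-level block is broader than the workflow needs and applies to all three jobs, including the five-way `test` matrix that only checks out and imports the package: `+  pull-requests: write` is unused (a GitHub release is created under the `contents` scope, not `pull-requests`), `+  actions: write` is not required to upload and download artifacts within the same run, and `+  packages: write` does not apply to PyPI, which is authenticated with `secrets.PYPI_API_TOKEN`. Prefer per-job blocks: `contents: read` on `test` and `build`, `contents: write` on `release`.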
EOF
needs: build
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Download build artifacts
uses: actions/download-artifact@v3
with:
name: dist
path: dist/

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }}

- name: Create GitHub Release
uses: softprops/action-gh-release@v1
with:
body: |
## TTSFM ${{ github.ref_name }}

Automated release of TTSFM package.

### Installation
```bash
pip install ttsfm
```

### Features
- Text-to-Speech API client with OpenAI compatibility
- Support for multiple voices and audio formats
- Async and sync interfaces
- Web interface for testing
draft: false
prerelease: false
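Review bot: `actions/upload-artifact@v3` and `actions/download-artifact@v3` are deprecated; move both to `@v4` (the `name` and `path` inputs used here are unchanged). The workflow also declares no `permissions:` block: `test` and `build` need only `contents: read`, while `release` needs `contents: write` for `softprops/action-gh-release@v1`, and with trusted publishing `release` would take `id-token: write` in place of `secrets.PYPI_API_TOKEN`. Because the trigger is any `v*` tag push, whoever can push tags can ship to PyPI, so pair this with a tag protection rule. The `test` job still only verifies that `ttsfm` imports; as noted on lines +28 to +32, run the real test suite before a release is cut.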
Comment on lines +66 to +102

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 6 months ago)

To fix the issue, we will add a permissions block to the workflow to explicitly define the minimal permissions required for each job. For the release job, we will grant contents: read and packages: write permissions, as these are necessary for downloading artifacts and publishing to PyPI. Additionally, we will grant contents: write for creating a GitHub release. For the other jobs (test and build), we will grant only contents: read, as they do not require write permissions.


Suggested changeset 1: .github/workflows/release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:

cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,2 +7,5 @@
 
+permissions:
+  contents: read
+
 jobs:
@@ -35,2 +38,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
@@ -67,2 +72,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
 
EOF
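Review bot: of the changesets suggested for release.yml this is the one to apply: root `contents: read`, `build` at `contents: read` and `release` at `contents: write` match what each job actually does, and `test` is covered by the root block. Only `+      packages: write` in the last hunk remains unnecessary, since the PyPI upload is authenticated with `secrets.PYPI_API_TOKEN` rather than `GITHUB_TOKEN`.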