Summary
2.0.3 was tagged and a GitHub Release created (#1405), but no PyPI packages were published and the AWS deploy never ran — the bot-authored release didn't trigger the publish/deploy workflows.
Update: 2.0.3 has since been published manually (all five sub-packages — titiler-core, -xarray, -mosaic, -application, -extensions — are now at 2.0.3 on PyPI). What remains is the forward fix so this doesn't recur.
Root cause (verified)
release.yml and deploy.yml both run only on release: published. The 2.0.3 release was created by github-actions[bot] (release-please using the default GITHUB_TOKEN). GitHub deliberately does not trigger new workflow runs from events caused by the default GITHUB_TOKEN (anti-recursion rule), so:
- Push run 26599062069 ran Release Please fine, but Build dist / Upload release to PyPI were skipped (if: github.event_name == 'release').
- No release-event run ever fired → no publish, no deploy.
Why 2.0.2 worked: its release was published by a human (@vincentsarago), so release: published did fire. 2.0.3 was fully bot-driven, so nothing cascaded.
Fix: GitHub App token
Give release-please-action a token from a GitHub App instead of GITHUB_TOKEN. Releases the App creates do trigger release: published, so the existing build/upload_pypi jobs and deploy.yml run automatically — one token change, both workflows fixed, no logic rewrite.
We reuse the existing org release App (secrets DS_RELEASE_BOT_ID / DS_RELEASE_BOT_PRIVATE_KEY) — no new App or secrets to provision. The minted token is scoped to least privilege (Contents + Pull requests, R/W).
Alternative considered (rejected): release-please's outputs pattern (gate jobs on release_created, no token needed) — rejected because it forces a rewrite of both release.yml and deploy.yml (the latter into a reusable workflow_call) and breaks publishing via human-republished releases.
Action items
- release.yml mints the App token via actions/create-github-app-token (SHA-pinned) using DS_RELEASE_BOT_*; RELEASING.md updated.
- DS_RELEASE_BOT App is installed on developmentseed/titiler with Contents: R/W + Pull requests: R/W, and the secrets are visible to this repo.
Acceptance
The next release is authored by the App (not github-actions[bot]) and publishes to PyPI + deploys automatically, with no manual step.
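
The token change described under "Fix: GitHub App token", sketched as a workflow fragment. This is an added example, not titiler's actual release.yml: the trigger branch, the step id, the googleapis/release-please-action reference and the `<commit-sha>` placeholders are assumptions; only the secret names and the two permissions come from the issue.

```yaml
# Added sketch (assumed layout, not the project's workflow file).
name: Release
on:
  push:
    branches: [main]      # assumption: release-please runs on pushes to the default branch

permissions: {}           # the default GITHUB_TOKEN gets nothing; the App token does the work

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      # Mint a short-lived installation token for the org release App.
      - name: Mint App token
        id: app-token     # hypothetical step id
        # Pin to a full commit SHA; <commit-sha> is a placeholder, not a real value.
        uses: actions/create-github-app-token@<commit-sha>
        with:
          app-id: ${{ secrets.DS_RELEASE_BOT_ID }}
          private-key: ${{ secrets.DS_RELEASE_BOT_PRIVATE_KEY }}
          # Narrow the minted token to what release-please needs (Contents + Pull requests, R/W).
          permission-contents: write
          permission-pull-requests: write

      # Before (the failure mode): with the default token the release is authored by
      # github-actions[bot], and no `release: published` run is started.
      #   token: ${{ secrets.GITHUB_TOKEN }}
      - name: Release Please
        uses: googleapis/release-please-action@<commit-sha>
        with:
          # After: the release is authored by the App, so `release: published` fires
          # and the existing publish and deploy workflows run.
          token: ${{ steps.app-token.outputs.token }}
```

Without `owner` or `repositories` inputs, the minted token is limited to the repository the workflow runs in, which keeps the App's reach as narrow as its permissions.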