chore(workflow): added release workflow

Author: poshinchen

.github/scripts/draft-release-notes.py

@@ -0,0 +1,173 @@
+"""Draft release notes for a Strands Agents package via Bedrock.
+
+The maintainer types the explicit version at workflow_dispatch time. This
+script's `bump` output is purely advisory — surfaced in the run summary so
+reviewers can sanity-check the typed version against what the commits suggest.
+The version is NOT derived from this script.
+
+Inputs (env):
+    PACKAGE         "python" or "typescript"
+    PREV_TAG        previous release tag (e.g. "python/v1.2.3")
+    NEW_REF         git ref or SHA being released (typically a pinned SHA)
+    BEDROCK_MODEL   inference profile / model id (defaults to a Claude Sonnet on Bedrock)
+    AWS_REGION      defaults to us-west-2 (matches strands-command.yml)
+
+Outputs (files in $GITHUB_WORKSPACE):
+    release-notes.md    markdown release notes
+    bump.txt            advisory bump: one of "major", "minor", "patch"
+
+Exit codes:
+    0   notes drafted successfully
+    1   no commits between PREV_TAG and NEW_REF
+    2   Bedrock call failed or returned unparseable output
+        (the caller workflow falls back to `git shortlog` on non-zero exit)
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+import boto3
+from botocore.exceptions import BotoCoreError, ClientError
+
+
+WORKSPACE = Path(os.environ.get("GITHUB_WORKSPACE", "."))
+NOTES_PATH = WORKSPACE / "release-notes.md"
+BUMP_PATH = WORKSPACE / "bump.txt"
+
+
+def run(cmd: list[str]) -> str:
+    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
+    return result.stdout
+
+
+def collect_commits(prev_tag: str, new_ref: str) -> str:
+    """Return the git log between prev_tag and new_ref, one commit per block."""
+    return run(
+        [
+            "git",
+            "log",
+            f"{prev_tag}..{new_ref}",
+            "--pretty=format:--- COMMIT ---%n%H%n%an%n%s%n%b",
+            "--no-merges",
+        ]
+    )
+
+
+def collect_diff_stats(prev_tag: str, new_ref: str) -> str:
+    """Return per-file change stats so the model can reason about scope."""
+    return run(["git", "diff", "--stat", f"{prev_tag}...{new_ref}"])
+
+
+def build_prompt(
+    package: str,
+    prev_tag: str,
+    new_ref: str,
+    commits: str,
+    diff_stats: str,
+) -> str:
+    return f"""You are drafting release notes for the {package} package of the Strands Agents SDK.
+
+Previous tag: `{prev_tag}`
+New ref: `{new_ref}`
+
+## Your task
+
+1. Suggest a semver bump (major / minor / patch) from the commits using
+   Conventional Commits as a guide: `feat:` -> minor, `fix:` / `refactor:` /
+   `perf:` / `docs:` -> patch, anything with `BREAKING CHANGE:` in the body or
+   `!:` in the subject -> major. If the commits show API changes that aren't
+   flagged with `!`, still call it major and say why. This suggestion is
+   ADVISORY — the maintainer types the actual version separately.
+
+2. Draft user-facing release notes in markdown, grouped under these headings
+   (omit headings with no entries):
+   - **Breaking changes**
+   - **Features**
+   - **Bug fixes**
+   - **Other changes** (docs, refactors, internal)
+
+3. Each bullet should be one line, written for users, referencing the commit
+   hash in parens.
+
+## Output format
+
+Return a single JSON object with exactly two keys:
+- `bump`: one of "major", "minor", "patch"
+- `notes`: the markdown release notes as a single string
+
+Do not wrap the JSON in markdown fences or any prose. The first character of
+your response must be `{{` and the last must be `}}`.
+
+## Commits since last release
+
+```
+{commits}
+```
+
+## Diff stats
+
+```
+{diff_stats}
+```
+"""
+
+
+def call_bedrock(prompt: str, model_id: str, region: str) -> dict:
+    client = boto3.client("bedrock-runtime", region_name=region)
+    response = client.converse(
+        modelId=model_id,
+        messages=[{"role": "user", "content": [{"text": prompt}]}],
+        inferenceConfig={"maxTokens": 4096, "temperature": 0.2},
+    )
+    text = response["output"]["message"]["content"][0]["text"].strip()
+    return json.loads(text)
+
+
+def main() -> int:
+    package = os.environ["PACKAGE"]
+    prev_tag = os.environ["PREV_TAG"]
+    new_ref = os.environ["NEW_REF"]
+    model_id = os.environ.get(
+        "BEDROCK_MODEL", "us.anthropic.claude-sonnet-4-5-20250929-v1:0"
+    )
+    region = os.environ.get("AWS_REGION", "us-west-2")
+
+    commits = collect_commits(prev_tag, new_ref)
+    if not commits.strip():
+        print(f"No commits between {prev_tag} and {new_ref} — nothing to release.")
+        return 1
+
+    diff_stats = collect_diff_stats(prev_tag, new_ref)
+    prompt = build_prompt(package, prev_tag, new_ref, commits, diff_stats)
+
+    try:
+        result = call_bedrock(prompt, model_id, region)
+    except (BotoCoreError, ClientError) as exc:
+        # Network / IAM / throttling. Caller workflow handles fallback.
+        print(f"Bedrock call failed: {exc}", file=sys.stderr)
+        return 2
+    except json.JSONDecodeError as exc:
+        # Model returned non-JSON. Surface it for the reviewer.
+        print(f"Could not parse Bedrock response as JSON: {exc}", file=sys.stderr)
+        return 2
+
+    bump = result.get("bump", "unknown")
+    notes = result.get("notes", "").strip()
+    if not notes:
+        print("Bedrock response had no `notes` content.", file=sys.stderr)
+        return 2
+
+    NOTES_PATH.write_text(notes)
+    BUMP_PATH.write_text(bump)
+    print(f"Wrote {NOTES_PATH} ({len(notes)} chars)")
+    print(f"Wrote {BUMP_PATH} -> {bump} (advisory)")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/workflows/python-integration-test.yml

@@ -8,10 +8,74 @@ on:
       - '.github/workflows/python-*'
   merge_group:
     types: [checks_requested]
+  # === workflow_call entry point — TRUST INVARIANT ===
+  #
+  # This trigger lets another workflow in THIS repo reuse the integ tests
+  # against an arbitrary `ref` while keeping access to AWS_*. The
+  # authorization-check below is skipped on this path because the only caller
+  # today (release.yml) is `workflow_dispatch`-gated, which requires repo
+  # write access to invoke.
+  #
+  # Before adding a new caller, verify ALL of the following:
+  #   1. The caller cannot be triggered by an unauthenticated user or a fork
+  #      (so: NOT pull_request, NOT pull_request_target without an auth gate,
+  #      NOT push from any branch except main).
+  #   2. The caller cannot be coerced into passing a fork-PR ref
+  #      (refs/pull/.../merge) — see `validate-call-ref` job below for the
+  #      runtime guard, but the caller should not need to be coerced if (1)
+  #      holds.
+  #   3. AWS_ROLE / STRANDS_INTEG_TEST_ROLE secrets are scoped to least
+  #      privilege.
+  #
+  # Skipping these checks effectively gives the new caller's trigger surface
+  # the same trust as a maintainer-typed `Run workflow` click.
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
 
 jobs:
+  validate-call-ref:
+    name: Validate workflow_call ref
+    if: inputs.ref != ''
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    # Defense in depth for the workflow_call entry point. `inputs.ref` is
+    # supplied by the caller; rejecting fork-PR-shaped refs here means a
+    # future caller cannot accidentally check out untrusted code with secrets
+    # loaded. Branches and SHAs pass; `refs/pull/*/merge` and cross-repo refs
+    # (`owner:branch`) fail.
+    steps:
+      - name: Reject untrusted-shaped refs
+        env:
+          REF: ${{ inputs.ref }}
+          IS_FORK: ${{ github.event.repository.fork }}
+        run: |
+          set -euo pipefail
+          if [ "$IS_FORK" = "true" ]; then
+            echo "::error::workflow_call invoked on a fork — refusing to run with secrets."
+            exit 1
+          fi
+          case "$REF" in
+            refs/pull/*|*:*)
+              echo "::error::workflow_call ref '$REF' looks like a fork PR or cross-repo ref."
+              exit 1
+              ;;
+          esac
+          echo "ref '$REF' passed shape check."
+
   authorization-check:
     name: Check access
+    needs: [validate-call-ref]
+    # `needs` only runs after non-skipped predecessors. validate-call-ref is
+    # skipped on pull_request_target / merge_group (inputs.ref is empty), so
+    # we use `if: always()` to ensure auth-check still runs there. On
+    # workflow_call, validate-call-ref must have succeeded.
+    if: |
+      always() &&
+      (needs.validate-call-ref.result == 'success' || needs.validate-call-ref.result == 'skipped')
     permissions:
       contents: read
     runs-on: ubuntu-latest
@@ -22,7 +86,10 @@ jobs:
         id: auth
         uses: strands-agents/devtools/authorization-check@main
         with:
-          skip-check: ${{ github.event_name == 'merge_group' }}
+          # Skip on merge_group (gated by branch protection) and on
+          # workflow_call (the caller — release.yml — is workflow_dispatch
+          # gated, see the trigger comment above).
+          skip-check: ${{ github.event_name == 'merge_group' || github.event_name == 'workflow_call' }}
           username: ${{ github.event.pull_request.user.login || 'invalid' }}
           allowed-roles: 'maintain,triage,write,admin'
 
@@ -50,7 +117,7 @@ jobs:
       - name: Checkout head commit
         uses: actions/checkout@v7
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ inputs.ref || github.event.pull_request.head.sha }}
           persist-credentials: false
           allow-unsafe-pr-checkout: true  # opt back into fork-PR checkout, blocked by default in checkout@v7
       - name: Set up Python

.github/workflows/python-security-audit.yml

@@ -0,0 +1,51 @@
+name: "Python: Security Audit"
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+jobs:
+  security-audit:
+    name: pip-audit
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: strands-py
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v7
+        with:
+          ref: ${{ inputs.ref }}
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.10'
+          cache: 'pip'
+
+      - name: Install pip-audit
+        run: pip install --no-cache-dir pip-audit
+
+      # Mirror of typescript-security-audit.yml: informational, does not block
+      # the release. PR-introduced vulns are gated by the repo-level Dependency
+      # Review job in ci.yml; pre-existing advisories are driven down via
+      # Dependabot. The release reviewer can read the report below before
+      # approving.
+      - name: Audit installed dependency closure (informational)
+        continue-on-error: true
+        run: |
+          set -euo pipefail
+          # Resolve the package's full dependency closure into a temporary
+          # venv, then audit it. Auditing the project metadata directly skips
+          # transitive deps; this mirrors what an end user actually installs.
+          python -m venv /tmp/audit-env
+          /tmp/audit-env/bin/pip install --upgrade pip
+          /tmp/audit-env/bin/pip install .
+          /tmp/audit-env/bin/pip-audit

.github/workflows/python-test-package-build.yml

@@ -0,0 +1,72 @@
+# End-to-end wheel install smoke test.
+#
+# Mirror of typescript-test-package-pack.yml. The Python-side equivalent of
+# the TS hoisting bug would be: a wheel that imports a module from src/ but
+# misconfigures `[tool.hatch.build.targets.wheel].packages`, so `hatch test`
+# (which runs against editable source) passes while `pip install dist/*.whl`
+# from a fresh venv crashes at import time.
+#
+# This workflow reproduces a real user's install: build the wheel with
+# `python -m build`, install it in a venv OUTSIDE the monorepo tree (no
+# editable install, no fallback to source), then import the public surface.
+name: "Python: Test Package Build"
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+jobs:
+  test-package-build:
+    name: Wheel install
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v7
+        with:
+          ref: ${{ inputs.ref }}
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.10'
+          cache: 'pip'
+
+      - name: Install build tooling
+        run: pip install --no-cache-dir build
+
+      - name: Build wheel + sdist
+        working-directory: strands-py
+        run: python -m build
+
+      - name: Install wheel in a clean venv outside the repo and import
+        # The venv MUST live outside the monorepo — otherwise pip can fall
+        # back to the in-tree source if the wheel is incomplete, masking the
+        # bug we are trying to catch.
+        run: |
+          set -euo pipefail
+          WORK=$(mktemp -d)
+          trap 'rm -rf "$WORK"' EXIT
+          echo "Workspace: $WORK"
+
+          WHEEL=$(find "$GITHUB_WORKSPACE/strands-py/dist" -maxdepth 1 -name '*.whl' -print -quit)
+          if [ -z "$WHEEL" ]; then
+            echo "::error::no wheel produced under strands-py/dist"
+            exit 1
+          fi
+          echo "Wheel: $WHEEL"
+
+          python -m venv "$WORK/venv"
+          "$WORK/venv/bin/pip" install --upgrade pip
+          "$WORK/venv/bin/pip" install "$WHEEL"
+
+          # Import from a directory that does NOT contain the source tree, so
+          # the only resolvable `strands` package is the one from the wheel.
+          cd "$WORK"
+          "$WORK/venv/bin/python" -c "import strands; print('strands version:', getattr(strands, '__version__', 'unknown'))"