ci: publish package on merge to dev/main with separate dev and stable packages

Replace the tag-only publish trigger (no v* tags ever existed, so the package was never built) with branch-push publishing: - dev push -> aegis-gitea-mcp-dev at X.Y.Z.dev<run_number> (always unique) - main push -> aegis-gitea-mcp at X.Y.Z, a clean no-op via uv --check-url if that version is already in the registry Name + version are patched into pyproject.toml at build time only; the committed file keeps aegis-gitea-mcp / X.Y.Z. Lint + test gates still run before publish, and the REGISTRY_TOKEN secret is required (fail-closed).
2026-06-27 15:59:30 +02:00
parent 2bb74807bc
commit e5dfba208e
1 changed files with 48 additions and 11 deletions
@@ -1,14 +1,15 @@
 name: publish

 # Build the Python package with uv and publish it to the self-hosted Gitea PyPI
-# registry on a version tag. Gated on lint + tests so a release can never ship
-# red. Publishing reuses the existing REGISTRY_TOKEN package secret (the same one
-# docker.yml uses to push images); if it is absent the job fails loudly instead
-# of publishing anonymously.
+# registry on merge. dev -> a dev package (aegis-gitea-mcp-dev, .devN versions);
+# main -> the stable package (aegis-gitea-mcp). Gated on lint + tests so a release
+# can never ship red. Reuses the REGISTRY_TOKEN package secret (same one docker.yml
+# uses); if it is absent the job fails loudly instead of publishing anonymously.
 on:
  push:
-    tags:
-      - 'v*'
+    branches:
+      - dev
+      - main

 jobs:
  # ---------------------------------------------------------------------------
@@ -55,6 +56,13 @@ jobs:

  # ---------------------------------------------------------------------------
  # 3. Build with uv and publish to the Gitea PyPI registry.
+  #
+  #    dev  -> aegis-gitea-mcp-dev  X.Y.Z.dev<run_number>  (always unique)
+  #    main -> aegis-gitea-mcp      X.Y.Z                  (no-op if already there)
+  #
+  #    The package name + version are patched into pyproject.toml at build time
+  #    only — never committed. The committed file keeps name "aegis-gitea-mcp"
+  #    and version "X.Y.Z".
  # ---------------------------------------------------------------------------
  publish:
    needs: [lint, test]
@@ -77,11 +85,37 @@ jobs:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          if [ -z "${REGISTRY_TOKEN}" ]; then
-            echo "::error::REGISTRY_TOKEN secret is not set." >&2
-            echo "Configure a PAT with write:package as the REGISTRY_TOKEN Actions secret." >&2
+            echo "::error::REGISTRY_TOKEN secret is not set. Configure a PAT with write:package." >&2
            exit 1
          fi

+      - name: Compute channel (package name + version)
+        id: chan
+        shell: bash
+        run: |
+          BASE="$(grep -E '^version = ' pyproject.toml | head -1 | sed -E 's/^version = "([^"]+)".*/\1/')"
+          if [ "${GITHUB_REF_NAME}" = "main" ]; then
+            PKG_NAME="aegis-gitea-mcp"
+            PKG_VERSION="${BASE}"
+            CHANNEL="stable"
+          else
+            PKG_NAME="aegis-gitea-mcp-dev"
+            PKG_VERSION="${BASE}.dev${GITHUB_RUN_NUMBER}"
+            CHANNEL="dev"
+          fi
+          echo "pkg_name=${PKG_NAME}"       >> "$GITHUB_OUTPUT"
+          echo "pkg_version=${PKG_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "channel=${CHANNEL}"         >> "$GITHUB_OUTPUT"
+          echo "Publishing ${PKG_NAME} ${PKG_VERSION} (${CHANNEL})"
+
+      - name: Patch package name + version (build only, not committed)
+        shell: bash
+        run: |
+          sed -i -E "s/^name = \".*\"/name = \"${{ steps.chan.outputs.pkg_name }}\"/" pyproject.toml
+          sed -i -E "s/^version = \".*\"/version = \"${{ steps.chan.outputs.pkg_version }}\"/" pyproject.toml
+          echo "--- patched [project] header ---"
+          grep -E '^(name|version) = ' pyproject.toml
+
      - name: Build sdist + wheel
        shell: bash
        run: uv build
@@ -93,7 +127,7 @@ jobs:
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
-          name: dist
+          name: dist-${{ steps.chan.outputs.channel }}
          path: dist/*

      - name: Publish to Gitea PyPI registry
@@ -104,8 +138,11 @@ jobs:
          # username and the token is the password.
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
+          # --check-url makes uv skip files already in the registry, so a main
+          # push that did not bump the version is a clean no-op instead of a 409.
          uv publish \
            --publish-url https://git.hiddenden.cafe/api/packages/Hiddenden/pypi \
+            --check-url   https://git.hiddenden.cafe/api/packages/Hiddenden/pypi/simple/ \
            --username    "${GITHUB_ACTOR}" \
            --password    "${REGISTRY_TOKEN}"