[python] PR-13: Add Nightly PyPI Publish Workflow #85
Add GitHub Actions workflow for automated nightly PyPI publishing.
Features:
- Daily scheduled builds at 07:18 UTC
- On-demand publishing via git tags (v* or *.*.*)
- Trusted Publishing (OIDC) for secure PyPI uploads
- Smart commit detection: only publish when python/ changes
- Downloads check_new_commits.sh from tritonparse repo
The workflow uses tritonparse's check_new_commits.sh script with PACKAGE_PATH=python/ to filter commits to the Python package only.
Pull request overview
This PR adds automated nightly PyPI publishing for the CUTracer Python package using GitHub Actions. The workflow enables scheduled nightly builds, tag-based releases, and uses OIDC-based trusted publishing for secure uploads.
Key Changes
- Implements scheduled nightly publishing at 07:18 UTC daily
- Configures tag-based releases triggered by version tags (v* or *.*.*)
- Uses external script from tritonparse repository for commit detection
- Implements dynamic version generation for nightly builds based on next patch version plus timestamp
| env: | ||
| PACKAGE_NAME: cutracer | ||
| PACKAGE_PATH: python/ | ||
| run: | |
Copilot AI, Dec 18, 2025
The step name and comment don't clarify what output variable this step produces (should_publish). Consider adding a comment that documents the expected output variable and its possible values ('true' or 'false') to improve maintainability and make the workflow logic clearer.
| run: | | |
| run: | | |
| # This script sets the `should_publish` step output to either 'true' or 'false'. |
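Review bot: the later conditions in this file read `steps.check.outputs.should_publish`, but the hunk shows no `id:` on this step; without `id: check` those conditions see an empty value, and `!= 'false'` treats an empty value as permission to publish. Confirm the step carries `id: check`, and mention in the suggested comment that the output is read by the build and publish steps so a future rename of the id is caught.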
.github/workflows/nightly-pypi.yml
| IFS='.' read -r MAJ MIN PAT <<EOF | ||
| $BASE | ||
| EOF |
Copilot AI, Dec 18, 2025
Using a here-document for IFS read is unnecessarily complex. Consider simplifying this to use parameter expansion directly: IFS='.' read -r MAJ MIN PAT <<< "$BASE" which is more concise and doesn't require the EOF markers.
| IFS='.' read -r MAJ MIN PAT <<EOF | |
| $BASE | |
| EOF | |
| IFS='.' read -r MAJ MIN PAT <<< "$BASE" |
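Review bot: the here-string `<<<` in the suggested line is a bash extension, so it only works while the step runs under bash (the Actions default on Linux runners); if `shell: sh` is ever set on the step, parsing fails at this line. Either keep the POSIX here-document or declare `shell: bash` on the step so the dependency is explicit. Note also that `read -r MAJ MIN PAT` assigns everything after the second dot to `PAT`, so the value should be validated as `X.Y.Z` before this split rather than after it.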
| echo "::error title=No git tag found::Repository has no tags. Add a semver tag like v0.1.0" | ||
| exit 1 | ||
| fi | ||
| BASE=${TAG#v} |
Copilot AI, Dec 18, 2025
The regex pattern doesn't properly handle tags with only one or two version components. If a tag is "v1.2" without a patch version, the capture group will only match "1.2" and the subsequent IFS read expecting three components (MAJ MIN PAT) will fail or produce incorrect results. Consider adding validation to ensure the tag matches the expected X.Y.Z format, or handle cases where fewer components are present.
| BASE=${TAG#v} | |
| BASE=${TAG#v} | |
| # Require a semantic version X.Y.Z (optionally with a suffix) before proceeding | |
| if ! printf "%s\n" "$BASE" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+'; then | |
| echo "::error title=Invalid git tag::Latest tag '$TAG' is not a semantic version like v0.1.0" | |
| exit 1 | |
| fi |
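Review bot: the pattern on the `grep -Eq` line is anchored only at the start, so a tag such as `v1.2.3-rc1` passes and the following `IFS='.' read -r MAJ MIN PAT` leaves `PAT` as `3-rc1`, which breaks the patch-number increment the nightly version is built from. If suffixes are meant to be accepted, strip them before the split (`BASE=${BASE%%-*}`); otherwise anchor the pattern with `$` (`'^[0-9]+\.[0-9]+\.[0-9]+$'`). The same check can be written without the `printf | grep` pipeline as `[[ "$BASE" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]`, since the step already depends on bash.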
| - name: Build sdist/wheel | ||
| if: github.ref_type == 'tag' || steps.check.outputs.should_publish != 'false' | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install build setuptools-scm | ||
| if [ "${{ github.ref_type }}" != "tag" ]; then | ||
| export SETUPTOOLS_SCM_PRETEND_VERSION=${{ steps.ver.outputs.NVER }} | ||
| fi | ||
| cd python | ||
| python -m build | ||
|
|
Copilot AI, Dec 18, 2025
The shell comparison uses double quotes around the GitHub expression which can be fragile. Consider using the native GitHub Actions expression syntax in the if condition instead: if: github.ref_type != 'tag'. This would be more maintainable and less error-prone than embedding the comparison in a shell script.
| - name: Build sdist/wheel | |
| if: github.ref_type == 'tag' || steps.check.outputs.should_publish != 'false' | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install build setuptools-scm | |
| if [ "${{ github.ref_type }}" != "tag" ]; then | |
| export SETUPTOOLS_SCM_PRETEND_VERSION=${{ steps.ver.outputs.NVER }} | |
| fi | |
| cd python | |
| python -m build | |
| - name: Build sdist/wheel (nightly) | |
| if: github.ref_type != 'tag' && steps.check.outputs.should_publish != 'false' | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install build setuptools-scm | |
| export SETUPTOOLS_SCM_PRETEND_VERSION=${{ steps.ver.outputs.NVER }} | |
| cd python | |
| python -m build | |
| - name: Build sdist/wheel (tag) | |
| if: github.ref_type == 'tag' | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install build setuptools-scm | |
| cd python | |
| python -m build |
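Review bot: `export SETUPTOOLS_SCM_PRETEND_VERSION=${{ steps.ver.outputs.NVER }}` in both the original step and the nightly variant splices a workflow expression straight into the script text, so the value is parsed as shell before `export` runs; `NVER` is derived from the latest git tag (`BASE=${TAG#v}` above), so its contents are only as trustworthy as tag-creation rights on the repository. GitHub's hardening guidance is to pass such values through `env:` (`env: NVER: ${{ steps.ver.outputs.NVER }}` on the step, then `export SETUPTOOLS_SCM_PRETEND_VERSION="$NVER"`), which keeps the value out of the script. Separately, `pip install build setuptools-scm` is unpinned in a publish job, so the release toolchain changes silently over time; pin the versions (ideally from a requirements file with hashes).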
| PACKAGE_NAME: cutracer | ||
| PACKAGE_PATH: python/ | ||
| run: | | ||
| curl -fsSL https://github.com/meta-pytorch/tritonparse/raw/refs/heads/main/.github/scripts/check_new_commits.sh | bash |
Copilot AI, Dec 18, 2025
Downloading and executing an external script from the main branch without integrity verification poses a security risk. If the tritonparse repository is compromised or the script is modified maliciously, this workflow will automatically execute that code. Consider either: (1) pinning to a specific commit hash instead of 'main', (2) adding checksum verification, or (3) vendoring the script locally with a note about its origin.
| curl -fsSL https://github.com/meta-pytorch/tritonparse/raw/refs/heads/main/.github/scripts/check_new_commits.sh | bash | |
| # Pin to a specific, reviewed commit of meta-pytorch/tritonparse to avoid executing mutable code from "main". | |
| # Update <COMMIT_SHA> intentionally when upgrading the script. | |
| curl -fsSL https://raw.githubusercontent.com/meta-pytorch/tritonparse/<COMMIT_SHA>/.github/scripts/check_new_commits.sh | bash |
|
|
||
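Review bot: pinning the URL to a commit removes the mutability, but the suggested line still pipes the download straight into `bash`, and unless the step declares `shell: bash` (which gives `bash -eo pipefail`) the default `bash -e {0}` does not set `pipefail`: if `curl -fsSL` fails, `bash` reads empty input, the step exits 0, `should_publish` is never set, and the `!= 'false'` conditions on the build and publish steps treat the missing output as permission to publish. Download to a file, verify it against a checksum recorded in the workflow (`echo "<SHA256>  check_new_commits.sh" | sha256sum -c -`), and only then run it; that fails closed on both a network error and a changed script, and the checksum line records which version was reviewed. Consider also changing the publish conditions to `== 'true'` so an absent output never publishes.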
| - name: Publish to PyPI (Trusted Publishing) | ||
| if: (github.event_name == 'schedule' || github.ref_type == 'tag') && steps.check.outputs.should_publish != 'false' | ||
| uses: pypa/gh-action-pypi-publish@release/v1 |
Copilot AI, Dec 18, 2025
The PyPI publish action is using a floating version tag 'release/v1' which could introduce breaking changes without notice. Consider pinning to a specific version hash or full version tag (e.g., 'v1.8.14' with its commit SHA) for better reproducibility and stability.
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| uses: pypa/gh-action-pypi-publish@v1.10.3 |
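Review bot: `pypa/gh-action-pypi-publish@v1.10.3` is still a tag, and tags can be moved; the comment above asked for the commit SHA, so pin to the full SHA with the version kept as a trailing comment (`uses: pypa/gh-action-pypi-publish@<COMMIT_SHA> # v1.10.3`) and let Dependabot bump it. The hunk also shows neither the job's `permissions` block nor the `with:` block: Trusted Publishing requires `id-token: write` on this job (and nothing wider; `contents: read` is enough for the rest), and since the build runs in `python/`, the `packages-dir: python/dist/` setting mentioned in the description must be present here, so confirm both.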
- Add comments documenting should_publish output variable
- Simplify here-document to here-string syntax
- Add semantic version format validation (X.Y.Z)
Summary
Add GitHub Actions workflow for automated nightly PyPI publishing of the cutracer Python package.
Changes
New Files
.github/workflows/nightly-pypi.yml (82 lines)
Features
- v* or *.*.* tags
- python/ directory
- check_new_commits.sh from tritonparse repo instead of maintaining local copy
Key Design Decisions
Using tritonparse's check_new_commits.sh
Instead of maintaining a local copy of the commit check script, this workflow downloads it directly from tritonparse:
Benefits:
Subdirectory Support
CUTracer's Python package is in python/ subdirectory, so:
- cd python before python -m build
- packages-dir: python/dist/ for PyPI publish action
- PACKAGE_PATH: python/ to filter commits
Test Plan
- workflow_dispatch for testing (won't publish)
Dependencies