[pull] main from genkit-ai:main#23
Open
pull[bot] wants to merge 3477 commits into
This PR updates the `package.json` names for several JS test apps to resolve duplicate project name issues.

## Changes

- Renamed failing test apps to have unique package names:
  - `js/testapps/ollama`: `basic-gemini` -> `basic-ollama`
  - `js/testapps/rag`: `rag` -> `rag-testapp`
  - `js/testapps/vertexai-vector-search-bigquery`: `vertex-vector-search` -> `vertex-vector-search-bigquery`
  - `js/testapps/vertexai-vector-search-custom`: `vertex-vector-search` -> `vertex-vector-search-custom`
  - `js/testapps/vertexai-vector-search-firestore`: `vertex-vector-search` -> `vertex-vector-search-firestore`

Found these when running workspace release graph discovery.
Co-authored-by: Mengqin Shen <mengqin@google.com>
…ixed failing tests (#4530)
Updates README, ANNOUNCEMENT, roadmap, architecture docs, and module map to reflect the checks/ subpackage (33 checks, 17 fixers).
…fixers (#4643)

Refactors checks.py into checks/ subpackage with 33 checks (8 universal + 25 Python-specific) and 17 auto-fixers. Includes CLI enhancements, new tests, and sample release workflow.
Co-authored-by: Mengqin Shen <mengqin@google.com>
Add several features to releasekit in preparation for the Genkit Python release:

Distro packaging dependency sync:
- New distro.py module that parses pyproject.toml dependencies and generates Debian/Ubuntu control and Fedora/RHEL `.spec` dependency lists automatically.

Default branch detection:
- Add default_branch() to VCS protocol.
- Git backend auto-detects via `symbolic-ref`, probes common branch names, falls back to "main".
- Mercurial backend returns "default" (hg convention).
- New `branch.py` with `resolve_default_branch()` helper: config override takes precedence, then VCS auto-detect.
- `prepare.py` uses resolver instead of hardcoded "main" for PR base.

Versioning improvements:
- R04: Revert commit handling — reverted bumps cancel out.
- R27: `--ignore-unknown-tags` flag for all subcommands.
- R32: Parallel vcs.log() via `asyncio.gather` in `compute_bumps`.
- `--no-merges` support in VCS protocol and Git/Mercurial backends to exclude accidental merge commits from bump computation and changelogs.

Docs:
- Update roadmap-execution-plan.md to reflect completed items.

Tests:
- Update all FakeVCS implementations for `no_merges` and default_branch protocol compliance.
## Migrate Python release pipeline to releasekit
This PR replaces the manual per-package matrix publish workflow with a fully
automated release pipeline powered by `releasekit`. Two workflow files are
updated:
| File | Role |
|------|------|
| `releasekit-uv.yml` | **Automated** — runs on push/PR-merge/manual dispatch |
| `publish_python.yml` | **Manual** — one-click publish with group/scope selection |
---
### Pipeline Architecture
```
releasekit-uv.yml (automated)
══════════════════════════════
push to main (py/packages/** or py/plugins/**)
                             |
                             v
+------------------------------------------------------------+
| PREPARE                                                    |
| - Skips release commits (chore(release): / releasekit)     |
| - Computes version bumps from Conventional Commits         |
| - Generates per-package CHANGELOG.md                       |
| - Opens/updates a Release PR with embedded manifest        |
| - Label: "autorelease: pending"                            |
+----------------------------+-------------------------------+
                             |
                   maintainer merges PR
                             |
                             v
+------------------------------------------------------------+
| RELEASE                                                    |
| - Detects merged PR with "autorelease: pending" label      |
| - Extracts manifest from PR body                           |
| - Creates per-package git tags                             |
| - Creates GitHub Release with changelog                    |
+----------------------------+-------------------------------+
                             |
                             v
+------------------------------------------------------------+
| PUBLISH                                                    |
| - Installs full workspace (uv sync)                        |
| - Publishes packages in topological dependency order       |
| - Ephemeral version pinning (workspace -> PyPI versions)   |
| - Retries transient failures (--max-retries 2)             |
| - Verifies checksums against registry (--check-url)        |
| - Trusted publishing via OIDC (id-token: write)            |
| - Uploads release-manifest.json artifact                   |
+----------------------------+-------------------------------+
                             |
                             v
+------------------------------------------------------------+
| NOTIFY                                                     |
| - Fires repository_dispatch: genkit-python-release         |
| - Downstream repos can auto-update dependencies            |
+------------------------------------------------------------+
```
```
publish_python.yml (manual dispatch)
=====================================
workflow_dispatch
+-------------------------------------------------+
| Inputs:                                         |
|   scope: all | group                            |
|   group: core | google_plugins |                |
|          community_plugins                      |
|   target: pypi | testpypi                       |
|   dry_run / force                               |
+------------------------+------------------------+
                         |
                         v
+------------------------------------------------------+
| PUBLISH                                              |
| - Single releasekit invocation (no matrix)           |
| - --group flag filters to named release group        |
| - --check-url / --index-url for testpypi             |
| - --max-retries 2 for transient failures             |
+------------------------+-----------------------------+
                         |
                         v
+------------------------------------------------------+
| VERIFY                                               |
| - Waits 60s for PyPI CDN propagation                 |
| - pip install genkit==$VERSION                       |
| - Loops over py/plugins/*/pyproject.toml             |
| - Reads each plugin's own version (not core's)       |
| - Reports per-plugin install status                  |
+------------------------+-----------------------------+
                         |
                         v
+------------------------------------------------------+
| SUMMARY                                              |
| - Writes GITHUB_STEP_SUMMARY with results            |
+------------------------------------------------------+
```
---
### Publish ordering (topological)
releasekit resolves the intra-workspace dependency graph and publishes in
level order. For the Python workspace this looks like:
```
Level 0 (no deps)        Level 1 (depends on core)
-----------------        -------------------------
genkit -------> genkit-plugin-firebase
                genkit-plugin-google-genai
                genkit-plugin-vertex-ai
                genkit-plugin-ollama
                genkit-plugin-anthropic
                ... (all plugins)
```
Packages within the same level publish concurrently (default concurrency: 5).
---
### Key changes
#### `releasekit-uv.yml` (new automated pipeline)
- **Trigger narrowed**: `py/packages/**` and `py/plugins/**` only (was `py/**`)
- **`--workspace py`** on every `releasekit` command -- explicit workspace
selection for the polyglot monorepo
- **Prepare job**: skips release commits to avoid infinite loops; outputs
`has_bumps` and `pr_url`
- **Release job**: runs on merged PRs with `autorelease: pending` label OR
manual `workflow_dispatch`
- **Publish job**: array-based command construction prevents shell injection;
`--max-retries 2`, `--check-url`, `--index-url`, `--force`
- **Notify job**: `if: success()` guard prevents firing on failed publishes
- **Concurrency**: `releasekit-${{ github.ref }}` -- one pipeline per ref
- **Dry-run logic**: PR merges are always live; manual dispatch defaults to
dry-run; push events only run prepare
#### `publish_python.yml` (manual workflow)
- **Single `releasekit publish` invocation** replaces per-package matrix build
- **`--workspace py`** added to the publish command
- **Verify job fix**: reads each plugin's own `pyproject.toml` version instead
of assuming all plugins share the core version
- **Group support**: `--group` flag filters to `core`, `google_plugins`, or
`community_plugins` as defined in `releasekit.toml`
#### `releasekit.toml` (repo root)
- Defines `[workspace.py]` with package groups, tag format, exclusions
- Groups: `core`, `google_plugins`, `community_plugins`, `samples`,
`internal_tools`, `unreleased_plugins`
- `exclude_publish`: samples, unreleased plugins, and internal tools are
discovered and version-bumped but never published
---
### Safety features
```
+-----------------------------------------------------------+
| Safety Layers                                             |
+-----------------------------------------------------------+
| Idempotent      Already-published versions are skipped    |
| Crash-safe      Ephemeral pins restored on failure        |
| Concurrency     One pipeline per ref (no races)           |
| Dry-run         Default for manual dispatch               |
| Retry           --max-retries 2 with exp. backoff         |
| Checksum        --check-url verifies against registry     |
| OIDC            Trusted publishing (no stored tokens)     |
| Array commands  Shell injection prevention                |
+-----------------------------------------------------------+
```
---
### What is NOT changed
- **No JS workflow changes** -- JS workspaces remain on existing release scripts
- **No version bumps** -- this PR only changes workflow plumbing
- **No new dependencies** -- releasekit is already in `py/tools/releasekit`
---
### Testing
- [x] `pytest` -- 1293 tests pass, 83.2% coverage (above 80% threshold)
- [x] `--workspace py` flag resolves correctly against `releasekit.toml`
- [x] All CLI flags used in workflows (`--group`, `--check-url`, `--index-url`,
`--max-retries`, `--dry-run`, `--force`) are implemented and tested
- [x] Cross-checked `releasekit.toml` groups against filesystem directories
- [x] Package imports successfully (`import releasekit` -> OK)
Co-authored-by: Mengqin Shen <mengqin@google.com>
#4655) fix(ci): use working-directory and RELEASEKIT_DIR for consistent paths

The uv workflow was using `cd` followed by relative paths for `--directory`, which was fragile and inconsistent with GitHub Actions best practices.

- Replace all `cd` + `uv sync` patterns with `working-directory:` step keyword across all three releasekit workflow templates
- Use `${{ env.RELEASEKIT_DIR }}` (repo-root-absolute) for all `uv run --directory` calls, matching the convention already used in the pnpm workflow's `uv run` commands
- Split the combined "Install workspace + releasekit" step into two separate steps for clarity

Applies to: releasekit-uv.yml (live + template), releasekit-pnpm.yml
… and merge order (#4517)
Cross-checked all markdown files in py/ against the codebase and open PRs. Fixed outdated content across 9 files.

engdoc/index.md:
- Fix Python version: 3.12+ → 3.10+
- Update feature parity table (6 of 7 features now ✅, Agents still ❌)
- Replace 8-plugin table with full 23-plugin parity table
- Rewrite all 6 Python code examples (generation, structured output, tool calling, chat, agents, data retrieval) with correct imports, Genkit() class API, and @ai.tool() decorator pattern

engdoc/extending/api.md:
- Replace stale Sync/Async design section (GenkitExperimental/SyncGenkit/AsyncGenkit never implemented) with actual async-first architecture documenting GenkitRegistry → GenkitBase → Genkit hierarchy

engdoc/extending/index.md:
- Update d2 diagram plugin list from 7 to 22 plugins

engdoc/extending/servers.md:
- Fill Python TODO links with actual file paths (flows.py, reflection.py)

engdoc/user_guide/python/publishing_pypi.md:
- Add ReleaseKit as primary publishing mechanism
- Demote manual workflow to "Legacy" section

GEMINI.md:
- Remove 7 dangling references to deleted files (engdoc/planning/, blog-genkit-python-*.md, release-publishing-guide.md)
- Update blog article guidelines from mandatory to optional
- Remove stale validation script checking deleted paths

.github/PR_RELEASE.md:
- Remove dangling reference to deleted blog-genkit-python-0.5.0.md

PARITY_AUDIT.md:
- G7: ✅ Done → ⬜ Reverted (#4459 reverted by #4469, needs re-land)
- §8c.3/§8c.4: Update stale text — X-Genkit-Span-Id IS now sent (#4511)
- §1d: genkitx-cohere ❌ → ✅ (in-tree cohere plugin exists)
- §6c: Community coverage 3/6 → 4/6
- G17: 🔄 draft → ⬜ (#4521 closed, needs new PR)
- G3/G12-G16/G4: Note #4510 is closed, needs new PR after G38
- G2→G1: Mark as superseded (#4516 titled [SUPERSEDED])
#4659) fix(ci): use working-directory, RELEASEKIT_DIR, and expose max_retries

The uv workflow was using `cd` followed by relative paths for `--directory`, which was fragile and inconsistent with GitHub Actions best practices. Also, `--max-retries` was hardcoded to 2.

Changes:
- Replace all `cd` + command patterns with `working-directory:` step keyword across all three releasekit workflow templates
- Use `${{ env.RELEASEKIT_DIR }}` (repo-root-absolute) for all `uv run --directory` calls
- Split combined "Install workspace + releasekit" into separate steps
- Expose `max_retries` as a workflow_dispatch input (default: 2), consistent with how `concurrency` is already handled
- Remove obsolete `workflows/release.yml` (superseded by per-ecosystem templates in `github/workflows/`)
- Document all config keys, CLI timeout flags, and code-level defaults in releasekit.toml for operator discoverability
…angelog format (#4661)

## Summary

Fix `ValueError: embedded null byte` that crashed the `releasekit prepare` step in CI, and harden all workflow files to fail fast on errors.

## Root Cause

The default `log_format` parameter in `generate_changelog()` contained a literal Python `\x00` byte:

```python
log_format: str = '%H\x00%an\x00%s'
```

When passed to `git log --pretty=format:`, this embedded a null byte in the command-line argument. Linux's `execve(2)` syscall rejects null bytes in argv, causing `subprocess.Popen` to raise `ValueError: embedded null byte`.

## Fix

Replace the literal `\x00` with git's own `%x00` format escape:

```python
log_format: str = '%H%x00%an%x00%s'
```

Git interprets `%x00` in the format string and outputs actual null bytes in the result. The downstream parser (which splits on `\x00`) continues to work correctly. The command-line argument itself no longer contains a literal null byte.

## Workflow Hardening

The prepare steps in all workflow files were silently swallowing errors:

```bash
OUTPUT=$("${cmd[@]}" 2>&1) || {
  echo "::warning::releasekit prepare exited with non-zero status"
  exit 0  # ← masked the real error
}
```

This is why the CI run appeared to succeed despite the `ValueError`.

Fixed by:
- Adding `set -euo pipefail` to all prepare and release steps
- Removing the `|| { exit 0 }` error-swallowing pattern

### Files changed

| File | Change |
|------|--------|
| `py/tools/releasekit/src/releasekit/changelog.py` | `\x00` → `%x00` in default `log_format` |
| `.github/workflows/releasekit-uv.yml` | `set -euo pipefail` + remove `exit 0` trap |
| `py/tools/releasekit/github/workflows/releasekit-uv.yml` | Same (sample workflow) |
| `py/tools/releasekit/github/workflows/releasekit-pnpm.yml` | Same for 3 steps (sample workflow) |
| `py/tools/releasekit/tests/rk_changelog_test.py` | 6 regression tests |
| `py/tools/releasekit/tests/rk_backends_vcs_git_test.py` | 2 regression tests |

## Tests

8 new regression tests added:
- **`TestNullByteRegression`** (changelog): default format has no literal null bytes, null-byte-separated parsing, author extraction, space-separated fallback, malformed line skipping, mixed format handling
- **`TestLog`** (git backend): changelog format doesn't embed null bytes in argv, `max_commits` flag

All 1301 tests pass, 83.3% coverage (above 80% threshold).
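An added example (not releasekit's own code) of the failure mode and fix described in the commit above: a literal NUL inside an argv element is refused by Python before `execve(2)`, while git's `%x00` escape keeps argv clean and the NUL-separated parser still works. The function names, the `--max-count`/since-tag handling and the parser's fallback rules are this example's assumptions, not releasekit's.

```python
"""Null bytes in argv vs. git's %x00 escape (example code, not releasekit's)."""
import subprocess

# Constructed: the two default formats the fix contrasts.
BROKEN_LOG_FORMAT = '%H\x00%an\x00%s'   # literal NUL bytes inside the argument
FIXED_LOG_FORMAT = '%H%x00%an%x00%s'    # plain ASCII; git expands %x00 on output


def argv_is_exec_safe(argv):
    """True when no argument contains a literal NUL; execve(2) rejects argv otherwise."""
    return all('\x00' not in arg for arg in argv)


def build_git_log_argv(log_format, since_tag=None, max_commits=None):
    """Build `git log --pretty=format:...` as a list (no shell, one token per element)."""
    argv = ['git', 'log', f'--pretty=format:{log_format}']
    if max_commits is not None:
        argv.append(f'--max-count={int(max_commits)}')
    if since_tag:
        argv.append(f'{since_tag}..HEAD')
    return argv


def try_spawn(argv):
    """Run argv without a shell; return the ValueError text if Python refuses to exec it."""
    try:
        subprocess.run(argv, capture_output=True, check=False)
    except ValueError as exc:  # raised before fork/exec: 'embedded null byte'
        return str(exc)
    return None


def parse_log_output(output):
    """Parse git's NUL-separated output into (sha, author, subject) tuples.

    Assumed rules (this example's, not necessarily releasekit's): three
    NUL-separated fields are taken as-is; a line with no NUL falls back to
    'sha subject' with an empty author; anything else is skipped as malformed.
    """
    commits = []
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = line.split('\x00')
        if len(fields) == 3:
            sha, author, subject = fields
        elif len(fields) == 1 and ' ' in line:
            sha, subject = line.split(' ', 1)
            author = ''
        else:
            continue
        commits.append((sha, author, subject))
    return commits


if __name__ == '__main__':
    # Constructed sample of what git would print with FIXED_LOG_FORMAT,
    # plus one fallback line and one malformed line.
    sample = (
        'a1b2c3\x00Alice\x00fix(ci): fail fast on prepare errors\n'
        'd4e5f6 chore(release): 0.5.0\n'
        'broken\x00only-two-fields\n'
    )
    print(argv_is_exec_safe(build_git_log_argv(BROKEN_LOG_FORMAT)))
    print(argv_is_exec_safe(build_git_log_argv(FIXED_LOG_FORMAT)))
    print(try_spawn(['echo', BROKEN_LOG_FORMAT]))
    print(parse_log_output(sample))
```

`try_spawn` never reaches the executable when the argument carries a NUL, which is exactly why the original CI step died before `git` ran.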
…#4662)

Releasekit's prepare command was silently succeeding when `git push` or PR creation failed, because the push result was unchecked and the forge result fell back to an empty string. This made CI runs appear green when the release branch or PR wasn't actually created.

- Add `set_upstream` parameter to the VCS `push()` protocol, Git, and Mercurial backends so new release branches track their remote
- Check `push()` and create_pr() results in `prepare_release()` and raise `RuntimeError` on failure instead of silently continuing
- Add `fetch-tags: true` to all `actions/checkout` steps across the three releasekit workflow templates — required for changelog since-tag range resolution
- Update all FakeVCS test doubles to match the new `push()` signature
Co-authored-by: Mengqin Shen <mengqin@google.com>
…92%, fix lint errors (#4667)
…setup UX (#4681)

Root cause: run.sh scripts cd into sample subdirectories before launching `uv run`, but py/ was never added to PYTHONPATH, so `from samples.shared import ...` failed at runtime for all 38 samples that use shared code.

Fixes:
- _common.sh: export PYTHONPATH with py/ resolved from BASH_SOURCE[0]
- _common.sh: add check_setup() that prompts to run setup.sh when uv is missing or .venv is absent — called automatically by install_deps()
- _common.sh: add GENKIT_NO_BROWSER=1 support to genkit_start_with_browser for CI/headless usage
- setup.sh: improve key prompt UX — show current value on its own line with ✓, then prompt "New value (Enter=keep current)" instead of the confusing single-line format
- setup.sh: prompt to run `gcloud components update` when gcloud was not installed via a package manager (brew/apt/dnf)
- setup.sh: force-refresh .venv by removing it before uv sync to avoid stale cached environment issues
- pyproject.toml: add pythonpath=["."] to pytest config so samples.shared is importable during test runs

Tests:
- Add tests/smoke/sample_import_test.py (77 pass, 3 skip):
  - samples.shared imports cleanly and exports expected names
  - Every sample main.py is syntactically valid Python (parametrized)
  - Every `from samples.shared import X` resolves to a real export

ISSUE: #4674
…n, and CI hardening (#4682)

feat(releasekit): supply-chain security, multi-ecosystem orchestration, and CI hardening

This PR transforms ReleaseKit from a Python-focused publish tool into a comprehensive, multi-ecosystem release orchestrator with full supply-chain security capabilities. All ${{ inputs.* }} interpolation in CI workflow run: blocks is replaced with env: var indirection to prevent GitHub Actions script injection (a Critical-severity vulnerability). New modules add SLSA v1.0 provenance generation, Sigstore keyless signing, PEP 740 attestations, CycloneDX/SPDX SBOM generation, OSV vulnerability scanning, OpenSSF Scorecard integration, and configurable trust/approval gates.

CI & Security Hardening
- Replace inline ${{ inputs.* }} with env vars in all workflow run: blocks
- Add provenance.py for SLSA v1.0 provenance attestations
- Add attestations: write permission and SBOM upload steps
- Add osv.py for OSV.dev vulnerability scanning
- Add security_insights.py for SECURITY-INSIGHTS.yml (OpenSSF standard)
- Add scorecard.py for OpenSSF Scorecard integration
- Add trust.py for configurable trust/approval gates
- Add security checks 12-14 in rk_security_test.py

New Modules
- announce.py: post-release notifications (Slack, Discord, repo dispatch)
- api.py: programmatic Python API for ReleaseKit operations
- attestations.py: artifact attestation generation and verification
- calver.py: calendar versioning (CalVer) support
- changesets.py: changeset-based versioning
- channels.py: release channels (stable, beta, nightly, canary)
- compliance.py: license compliance and policy enforcement
- hooks.py: lifecycle hooks (pre/post publish, prepare, release)
- hotfix.py: hotfix workflow for cherry-pick releases
- prerelease.py: prerelease version management (rc, beta, alpha)
- should_release.py: smart release gating (commit analysis, path filtering)
- snapshot.py: snapshot/dev version publishing
- commit_parsing/_angular.py: Angular commit convention parser

Validation Backend (backends/validation/)
- attestation.py, jwks.py, oidc.py, provenance.py, runner.py
- sbom.py, schema.py, slsa.py

Reusable Composite Action
- action.yml rewritten as universal composite GitHub Action
- All inputs passed via env vars (injection-safe)
- Structured outputs: exit code, release URL, PR URL, first tag, plan JSON
- Job Summary with rollback links
- Template workflows simplified to use the composite action

Documentation
- 20+ new guides (rollback, snapshots, SLSA, hooks, hotfix, channels, etc.)
- Roadmap moved and expanded
- CLI reference expanded with new commands
- New commit-formats.md and Reveal.js presentation

Other Changes
- py/pyproject.toml: PEP 8 inline comment spacing fix
- py/bin/fix_inline_imports.py: new AST-based fixer script
- py/GEMINI.md, releasekit/GEMINI.md: added security checks 12-14
- cli.py: _cmd_check converted to async; ~1000 lines of new CLI commands
- go.py, maven.py: enhanced for multi-ecosystem support
- New releasekit-rollback.yml template workflow
- framework-custom-evaluators LICENSE file added

Testing
- 30+ new test files covering all new modules
- All 16 security tests pass
- Linting and formatting pass
…vent Unicode encoding errors (#4689)

## Summary

Credentials (API keys, endpoint URLs, API versions) copied from web UIs like Azure Portal often contain invisible Unicode characters such as zero-width spaces (U+200B). These propagate through the OpenAI SDK's request chain and cause `UnicodeEncodeError: 'ascii' codec can't encode character '\u200b'` failures deep inside the HTTP transport layer, particularly on Linux systems with ASCII-defaulting locales.

This PR also fixes two usability issues reported by users setting up Genkit samples on fresh Linux VMs (GCE Debian): the `genkit` CLI not being found, and `uv` not being on PATH after running `setup.sh`.

Fixes: #4688
Fixes: #4684

## Changes

### Credential sanitization (`microsoft-foundry` plugin)

- Add `_sanitize_credential()` with precompiled regex for 10 categories of invisible Unicode characters (zero-width spaces, BOMs, non-breaking spaces, directional marks, word joiners, line/paragraph separators)
- Apply sanitization to `api_key`, `endpoint`, and `api_version` in `MicrosoftFoundry.__init__`
- Add `TestSanitizeCredential` test class with 9 tests covering None passthrough, individual character types, combined stripping, and an integration test verifying env var sanitization during init

### Sample scripts (`_common.sh`, `setup.sh`)

- **Auto-discover tool paths**: Add `_ensure_tool_paths()` that sources `~/.environment` and adds common install directories (`~/.local/bin`, `~/.local/share/pnpm`, `~/.cargo/bin`, npm global prefix) to PATH. This fixes `uv: command not found` when tools were installed by `setup.sh` but the user has not sourced `~/.environment` yet.
- **Pre-flight check for genkit CLI**: `genkit_start_with_browser()` now detects a missing `genkit` command and interactively offers to install pnpm + genkit-cli, instead of the cryptic `stdbuf: failed to run command 'genkit': No such file or directory` error.
- **Prefer package manager for Ollama on Linux**: `_install_ollama()` in both `setup.sh` and `_common.sh` now tries `apt`/`dnf` before falling back to the curl installer, matching the pattern used by other tools.
Co-authored-by: Michael Doyle <michael.james.doyle@gmail.com>
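An added example (not the `microsoft-foundry` plugin's own code) of the credential sanitization described in the commit above: a precompiled character class strips the invisible code points that pasted credentials pick up, with a diagnostic helper that names what was stripped and a check for the ASCII-locale failure mode. The category list is an assumed approximation of the commit's ten categories, and all function names are this example's.

```python
"""Strip invisible Unicode from pasted credentials (example code, not the plugin's)."""
import re
import unicodedata

# Assumed character class, modelled on the categories the commit message lists.
_INVISIBLE_RE = re.compile(
    '['
    '\u200b-\u200d'   # zero-width space / non-joiner / joiner
    '\ufeff'          # byte order mark (zero-width no-break space)
    '\u00a0\u202f'    # no-break space, narrow no-break space
    '\u200e\u200f'    # left-to-right / right-to-left marks
    '\u202a-\u202e'   # bidi embedding and override controls
    '\u2066-\u2069'   # bidi isolates
    '\u2060'          # word joiner
    '\u2028\u2029'    # line and paragraph separators
    ']'
)


def sanitize_credential(value):
    """Remove invisible characters and surrounding whitespace; None passes through."""
    if value is None:
        return None
    return _INVISIBLE_RE.sub('', value).strip()


def find_invisible(value):
    """List (index, Unicode name) for each invisible character, for a diagnostic log line."""
    return [
        (m.start(), unicodedata.name(m.group(), 'UNNAMED'))
        for m in _INVISIBLE_RE.finditer(value)
    ]


def ascii_encodable(value):
    """True if the value survives an ASCII-default locale (the failure the bug report hit)."""
    try:
        value.encode('ascii')
    except UnicodeEncodeError:
        return False
    return True


def sanitize_settings(api_key=None, endpoint=None, api_version=None):
    """Sanitize the three fields the plugin reads at init, returning a clean mapping."""
    return {
        'api_key': sanitize_credential(api_key),
        'endpoint': sanitize_credential(endpoint),
        'api_version': sanitize_credential(api_version),
    }


if __name__ == '__main__':
    # Constructed inputs: a key with a leading BOM and an embedded zero-width space,
    # an endpoint with a word joiner, and a version with a trailing no-break space.
    raw_key = '\ufeffsk-abc\u200b123 '
    print(find_invisible(raw_key), ascii_encodable(raw_key))
    print(sanitize_settings(api_key=raw_key,
                            endpoint='https://example.invalid\u2060/',
                            api_version='2024-02-01\u00a0'))
```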
…/server (#5287) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- @genkit-ai/tools-common version from 1.33.0 to 1.34.0
- @genkit-ai/telemetry-server version from 1.33.0 to 1.34.0
- genkit-cli version from 1.33.0 to 1.34.0

- @genkit-ai/core version from 1.33.0 to 1.34.0
- @genkit-ai/ai version from 1.33.0 to 1.34.0
- genkit version from 1.33.0 to 1.34.0
- genkitx-chromadb version from 1.33.0 to 1.34.0
- @genkit-ai/dev-local-vectorstore version from 1.33.0 to 1.34.0
- @genkit-ai/evaluator version from 1.33.0 to 1.34.0
- @genkit-ai/firebase version from 1.33.0 to 1.34.0
- @genkit-ai/google-cloud version from 1.33.0 to 1.34.0
- genkitx-langchain version from 1.33.0 to 1.34.0
- @genkit-ai/next version from 1.33.0 to 1.34.0
- genkitx-ollama version from 1.33.0 to 1.34.0
- genkitx-pinecone version from 1.33.0 to 1.34.0
- @genkit-ai/vertexai version from 1.33.0 to 1.34.0
- @genkit-ai/checks version from 1.33.0 to 1.34.0
- @genkit-ai/mcp version from 1.33.0 to 1.34.0
- @genkit-ai/express version from 1.33.0 to 1.34.0
- genkitx-cloud-sql-pg version from 1.33.0 to 1.34.0
- @genkit-ai/compat-oai version from 1.33.0 to 1.34.0
- @genkit-ai/google-genai version from 1.33.0 to 1.34.0
… `SpanMetadata` (#5311)
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)