ci: OIDC trusted publishing, auto-changelog, drift check improvements

Delega Bot · Delega Bot · commit be535d0efd0a · 2026-03-13T11:41:14.000-05:00
- Switch npm publish to OIDC (no NPM_TOKEN needed)
- Switch PyPI publish to OIDC trusted publishing
- Add auto-generated changelog from git log on tag push
- Create GitHub Releases automatically on tag push
- Enable MCP Registry publish step (non-fatal if token missing)
- Improve drift check: PyPI via JSON API, landing site check, better summary
- Add Discord deploy notifications on delega-api
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -5,15 +5,41 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ['3.9', '3.11', '3.13']
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install and test
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[async]"
+          pip install pytest
+          pytest tests/ -v
+
   publish:
+    needs: test
     runs-on: ubuntu-latest
     environment: pypi
     permissions:
-      contents: read
+      contents: write
       id-token: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - uses: actions/setup-python@v5
         with:
@@ -34,7 +60,28 @@ jobs:
       - name: Build package
         run: python -m build
 
-      - name: Publish to PyPI
+      - name: Publish to PyPI (OIDC trusted publishing)
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           attestations: true
+
+      - name: Generate changelog
+        run: |
+          PREV_TAG=$(git tag --sort=-v:refname | sed -n '2p')
+          if [ -n "$PREV_TAG" ]; then
+            echo "## Changes since $PREV_TAG" > /tmp/changelog.md
+            echo "" >> /tmp/changelog.md
+            git log "$PREV_TAG"..HEAD --pretty=format:"- %s (%h)" --no-merges >> /tmp/changelog.md
+          else
+            echo "## Initial release" > /tmp/changelog.md
+            echo "" >> /tmp/changelog.md
+            git log --pretty=format:"- %s (%h)" --no-merges >> /tmp/changelog.md
+          fi
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create "${{ github.ref_name }}" \
+            --title "${{ github.ref_name }}" \
+            --notes-file /tmp/changelog.md
