feat: PyPI publish for engine + python wrapper, foundation version floor #78

Open: bkrabach wants to merge 1 commit into main from feat/pypi-publish-python

@bkrabach

Contributor

Summary

Adds PyPI publishing automation for both the engine and Python wrapper, introduces a version floor for the foundation dependency (hygiene), and updates repository documentation.

What this does

1. Version floor on foundation dependency

  • Engine now declares amplifier-foundation>=1.0.0 (was unversioned git override)
  • Prevents silent breakage if a future breaking amplifier-foundation is released
  • The >= allows compatible patch/minor bumps; semver breaking change would need engine re-release

2. New workflow: publish-python.yml

  • Publishes the engine to PyPI on v* tags (semver: v0.9.0, v1.0.0, etc.)
    • Builds pure-Python sdist + wheel
    • Publishes via OIDC trusted publishing (no hardcoded tokens)
    • Matches amplifier-core's proven pattern
  • Publishes the python wrapper (amplifier-agent-py) to PyPI on py-v* tags (semver: py-v0.3.0, etc.)
    • Separate tagging from engine so releases can be independent
    • Keeps existing npm wrapper on wrapper-v* untouched
  • Both include tag-vs-pyproject version-match guard: mistagged release fails loudly, not silent wrong-version publish

3. Documentation

  • RELEASING.md: Version/tag conventions, how to publish for maintainers going forward
  • AGENTS.md: Corrected tag/path docs reflecting new unification (v* for engine, py-v* for wrapper, wrapper-v* for npm)

Before this can publish

PyPI side setup (one-time):

Configure TWO PyPI pending trusted publishers:

  1. Project amplifier-agent (the engine):

    • Repository owner: microsoft
    • Repository name: amplifier-agent
    • Workflow filename: publish-python.yml
    • Environment name: pypi
  2. Project amplifier-agent-py (the wrapper):

    • Repository owner: microsoft
    • Repository name: amplifier-agent
    • Workflow filename: publish-python.yml
    • Environment name: pypi

Then create a pypi environment in the GitHub repo (Settings → Environments).

Tagging and publishing:

  • Engine: git tag vX.Y.Z && git push --tags
  • Wrapper: git tag py-vX.Y.Z && git push --tags
  • CI detects tag, validates pyproject version match, builds, and publishes

Validation

Locally validated via uv build:

  • Engine builds clean pure-Python sdist + wheel at repo root
  • Wrapper builds clean pure-Python sdist + wheel in wrappers/python-py/
  • No platform-specific code or build artifacts
  • Ready to push to PyPI

Note: The OIDC handshake itself can only be validated by the first real tagged run after the trusted publisher is set up at PyPI.

⚠️ OPEN REVIEW QUESTION FOR MAINTAINERS

Tag unification for the engine:

Previous AGENTS.md implied the engine should publish on engine-v* tags (separate from release notes).

This PR unifies on v* tags — same tag fires both the release notes AND the PyPI engine publish. This aligns with amplifier-core's single-tag-per-release convention and keeps tag hygiene simpler.

Is this unification desired? Or should the engine remain on a distinct engine-v* tag to decouple engine releases from release notes?

If engine-v* is preferred, the unification is a one-line fix in the workflow and AGENTS.md docs. Want input before this merges.

…tion

Adds OIDC trusted publishing for both Python packages (amplifier-agent
engine and amplifier-agent-py wrapper) and tightens the foundation dep.

Changes:
- pyproject.toml: amplifier-foundation → amplifier-foundation>=1.0.0
  (version floor so future breaking releases are not silently pulled)
- .github/workflows/publish-python.yml: two-job workflow sharing one file.
    publish-engine: fires on v* tags, builds root package, publishes via OIDC
    publish-wrapper: fires on py-v* tags, builds wrappers/python-py/, publishes via OIDC
  Both jobs use environment: pypi, permissions: id-token: write.
  Does not touch publish-wrapper.yml (npm) or release-notes.yml (GH Releases).
- RELEASING.md: release steps for all three artifacts (engine v*, wrapper
  py-v*, TS wrapper-v*), one-time PyPI trusted publisher setup for both
  amplifier-agent and amplifier-agent-py, GitHub pypi environment setup.
- AGENTS.md: update tag namespace table to reflect new PyPI publish paths
  (v* → PyPI + GH Release; py-v* → PyPI); note pre-PyPI git-based tags
  (engine-v*, wrapper-py-v*) are superseded; fix wrappers/python/ → python-py;
  add RELEASING.md to workflows table and 'When in doubt' section.

One-time actions required before first publish:
  Configure two PyPI pending trusted publishers:
    amplifier-agent: workflow publish-python.yml, env pypi
    amplifier-agent-py: same workflow, same env
  Create pypi GitHub Actions environment in repo settings.
  OIDC handshake is only provable via a real tag-triggered CI run.

🤖 Generated with [Amplifier](https://github.com/microsoft/amplifier)

Co-Authored-By: Amplifier <240397093+microsoft-amplifier@users.noreply.github.com>
bkrabach marked this pull request as ready for review June 26, 2026 04:11