The runpod-flash project uses a simple, reliable release automation system built on Release Please v4 with quality gates and automated PyPI publishing via OIDC trusted publishing.
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ CI Workflow │ │Release Workflow │ │ PyPI Publish │
│ │ │ │ │ │
│ • PRs to main │ │ • Push to main │ │ • Release PR │
│ • Quality Gates │ │ • Quality Gates │ │ merged │
│ • Build Check │ │ • Release Please│ │ • Build & Sign │
│ • Block if fail │ │ • Create/Update │ │ • Publish │
└─────────────────┘ └─────────────────┘ └─────────────────┘
- CI Workflow - Blocks PRs if quality issues found
- Release Please - Automated semantic versioning and changelog generation
- PyPI Publishing - Secure, verified package publication
- Quality Gates - Multi-version testing with code quality enforcement
- Development: Create feature branches with conventional commits
- Pull Request: CI runs quality gates, blocks if any issues
- Merge to main: Release workflow runs quality gates + Release Please
- Release Please: Automatically creates/updates release PR when ready
- Review: Team reviews the automated release PR
- Merge Release PR: Triggers publication pipeline
- PyPI Publication: Automated build, sign, and publish
The system uses conventional commits for automated versioning:
# Feature (minor version bump)
feat: add new GPU resource allocation system
# Bug fix (patch version bump)
fix: resolve memory leak in resource cleanup
# Breaking change (major version bump)
feat!: restructure API for better performance
# Documentation (no version bump)
docs: update API documentation
# Other types: fix, perf, refactor, test, build, ci, chore- Major (1.0.0 → 2.0.0): Breaking changes (
feat!:,fix!:, etc.) - Minor (1.0.0 → 1.1.0): New features (
feat:) - Patch (1.0.0 → 1.0.1): Bug fixes (
fix:)
- Linting: Ruff with strict formatting (blocking)
- Type Checking: MyPy analysis (non-blocking, for development feedback)
- Testing: Full test suite execution (blocking)
- Build: Package build and verification (blocking)
- Python Versions: 3.10, 3.11, 3.12
- Package Verification: Twine check and Sigstore signing
- OIDC Publishing: Trusted publishing without API keys
{
"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
"packages": {
".": {
"release-type": "python",
"extra-files": [
{
"type": "toml",
"path": "pyproject.toml",
"jsonpath": "$.project.version"
}
]
}
},
"pull-request-title-pattern": "chore: release ${version}",
"pull-request-header": "Release Please automated release PR",
"separate-pull-requests": false,
"changelog-sections": [
{
"type": "feat",
"section": "Features",
"hidden": false
},
{
"type": "fix",
"section": "Bug Fixes",
"hidden": false
}
]
}{
".": "0.5.2"
}- Triggers: Pull requests and pushes to main
- Purpose: Quality gates and build verification
- Jobs:
- Quality gates (multi-Python testing)
- Build package verification
- Triggers: Push to main only
- Purpose: Release orchestration and PyPI publishing
- Jobs:
- Quality gates (same as CI)
- Release Please (create/update release PRs)
- PyPI publishing (only when release created)
Symptoms: No automatic release PR after feature merges Causes:
- No conventional commits since last release
- All changes are hidden types (
chore,test,build,ci)
Solutions:
- Check commit history for conventional commit format
- Verify
.release-please-config.jsonsyntax - Review
.release-please-manifest.jsonfor correct version
Symptoms: Quality gates pass but PyPI publishing fails Causes:
- OIDC configuration issues
- Package build failures
- Version conflicts
Solutions:
- Check OIDC trusted publishing configuration
- Verify package build locally:
uv build && uv run twine check dist/* - Check PyPI status and version conflicts
Symptoms: CI or Release workflow fails on quality checks Causes:
- Linting/formatting issues
- Test failures
- Build problems
Solutions:
- Run checks locally:
make check - Fix failing tests and linting issues
- Ensure all dependencies are properly installed
- Always use conventional commits for proper version detection
- Run quality checks locally before pushing changes
- Review release PRs carefully before merging
- Monitor CI status and address failures promptly
- Keep workflows simple - avoid complex conditionals and overrides
- Monitor release automation for proper functionality
- Update dependencies regularly to avoid security issues
- Document any configuration changes
- No API keys stored in repository
- Automatic token generation for each publish
- Scoped permissions for security
- Packages automatically signed with Sigstore
- Build artifacts verified before publication
- Comprehensive audit trail maintained
- Dependency pinning for reproducible builds
- Regular security updates
- Quality gates prevent vulnerable code from being released
- Check recent commits for conventional commit format
- Verify configuration files are valid JSON
- Check GitHub release tags match manifest
- Check workflow logs for specific errors
- Verify OIDC configuration in PyPI
- Manually build and verify package locally
- Address the root cause (tests, linting, etc.)
- Do not bypass quality gates
- Ensure all changes meet quality standards
- ✅ CI passes on all PRs
- ✅ Release PRs created automatically
- ✅ Packages successfully published to PyPI
- ✅ No manual intervention required
- Quality gate failures blocking releases
- Release Please configuration errors
- PyPI publishing authentication issues
- Build artifact generation problems
This release system prioritizes simplicity and reliability over complex features. The goal is a hands-off, automated process that just works.