kaizen-agentic/docs/PACKAGE_RELEASE.md
tegwick 11a35d18d8
docs: close WP-0005 T02 publish smoke-test after OpenBao token fix
Document tegwick + inter-hub-pkg-rep token custody, remove CI debug echo,
and record successful workflow_dispatch auth (409 on existing 1.1.0).
2026-06-17 00:34:19 +02:00


Python Package Release

kaizen-agentic publishes as the kaizen-agentic Python package on the Coulomb Gitea PyPI registry. Public pypi.org distribution is optional and not required for ecosystem use.

Install (consumers)

Dependencies such as pyyaml resolve from public PyPI. Use Gitea as an extra index:

export GITEA_PACKAGE_USER=<gitea-user>
export GITEA_PACKAGE_TOKEN=<package-token>

pip install kaizen-agentic \
  --extra-index-url "https://${GITEA_PACKAGE_USER}:${GITEA_PACKAGE_TOKEN}@gitea.coulomb.social/api/packages/coulomb/pypi/simple/"

Global CLI via pipx:

pipx install kaizen-agentic \
  --pip-args="--extra-index-url https://${GITEA_PACKAGE_USER}:${GITEA_PACKAGE_TOKEN}@gitea.coulomb.social/api/packages/coulomb/pypi/simple/"

Do not commit tokenized index URLs. Inject credentials via environment variables or CI secrets.
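The rule above can be checked mechanically before a commit or in CI. The script below is an added example, not part of the kaizen-agentic repository: the function names and the sample token are constructed, and the check goes beyond index URLs to any http(s) URL that carries a literal user:secret pair, while accepting environment-variable references like the ones used in the install commands.

```shell
#!/bin/sh
# Added example (not from the project): report files that embed literal
# credentials in a URL (scheme://user:secret@host), e.g. a tokenized
# --extra-index-url. Prints "file:line" only, never the secret itself.
# Returns 1 when at least one literal credential is found, 0 otherwise.
find_tokenized_index_urls() {
    dir=${1:-.}
    # Stage 1: pull out every "scheme://user:secret@" occurrence.
    # Stage 2: drop occurrences whose secret is a reference rather than a
    #          literal: ${VAR}, $VAR or a <placeholder>.
    hits=$(grep -rHnoIE --exclude-dir=.git \
              'https?://[^/@:[:space:]]+:[^/@[:space:]]+@' "$dir" 2>/dev/null \
           | grep -vE '://[^/@:]+:(\$|<)' \
           | cut -d: -f1,2 | sort -u)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample tree: one safe file (env-var references, as in the
# install instructions) and one file with a made-up literal token.
make_sample_tree() {
    t=$(mktemp -d)
    cat > "$t/README.md" <<'EOF'
pip install kaizen-agentic \
  --extra-index-url "https://${GITEA_PACKAGE_USER}:${GITEA_PACKAGE_TOKEN}@gitea.coulomb.social/api/packages/coulomb/pypi/simple/"
EOF
    cat > "$t/requirements.txt" <<'EOF'
# constructed value, not a real token
--extra-index-url https://example-user:CONSTRUCTED-TOKEN-0000@gitea.coulomb.social/api/packages/coulomb/pypi/simple/
kaizen-agentic
EOF
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
find_tokenized_index_urls "$sample" || echo "literal credentials found above"
rm -rf "$sample"
```

Run the function against the repository root in a pre-commit hook or CI job and fail the job on a non-zero return.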

Local Release

Build and validate artifacts:

make package-check

Publish to the Coulomb organization registry:

TWINE_USERNAME=<gitea-user> \
TWINE_PASSWORD=<package-token> \
make publish-gitea

Package upload endpoint:

https://gitea.coulomb.social/api/packages/coulomb/pypi

Consumer simple index:

https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/

Gitea repository secrets (one-time)

Configure in Gitea: Repository → Settings → Actions → Secrets.

| Secret | Value |
| --- | --- |
| PACKAGE_USER | tegwick — Gitea username that owns the package token |
| PACKAGE_TOKEN | Gitea API token named inter-hub-pkg-rep (write:package) |

Token custody (OpenBao):

platform/data/operators/inter-hub/package-management
  → field: inter-hub-pkg-rep

Paste the plaintext token into the Gitea secret UI. inter-hub-pkg-rep is the token name in Gitea, not a username.

Gitea rejects secret names prefixed with GITEA_ — use PACKAGE_USER / PACKAGE_TOKEN (not GITEA_PACKAGE_USER). Workflows use runs-on: haskelseed and native git clone (no GitHub Marketplace actions).

The publish workflow fails at the upload step when either secret is missing or invalid. Do not commit tokens to the repository.

Smoke-test (2026-06-16): workflow_dispatch run #3042 authenticated successfully (409 Conflict on re-upload of 1.1.0 — expected). Root causes of earlier 401s: wrong token (GITEA_API_TOKEN ≠ package token), wrong username (inter-hub-pkg-rep is a token name), and a stale org-level secret. Build uses .build-venv (PEP 668).

Verify secrets without cutting a release:

  1. Open Actions → Publish Python package → Run workflow (workflow_dispatch), or dispatch via API: POST /api/v1/repos/coulomb/kaizen-agentic/actions/workflows/publish-python-package.yml/dispatches with body {"ref":"main"}
  2. Confirm the run completes and twine upload succeeds
  3. Optional: pip install kaizen-agentic==<version> --extra-index-url ...

The publish job uses an isolated .build-venv on the runner (PEP 668 safe).

Pre-tag release checklist

Before git tag vX.Y.Z && git push origin vX.Y.Z:

  • make release-check passes (tests, flake8, version consistency, agent parity)
  • make package-check builds and validates dist/*
  • CHANGELOG.md has a dated [X.Y.Z] section matching pyproject.toml
  • PACKAGE_USER and PACKAGE_TOKEN secrets are set
  • Publish workflow smoke-tested via workflow_dispatch (or prior tag release)
  • make agents-sync-package run if agents/ changed since last release

Gitea Actions Release

The .gitea/workflows/publish-python-package.yml workflow publishes on tags matching v*.

Example:

git tag v1.2.0
git push origin v1.2.0

Public PyPI (optional)

When pypi.org credentials are configured (~/.pypirc or TWINE_PASSWORD API token with TWINE_USERNAME=__token__):

make release-publish
python -m twine upload dist/*