Files

ci / test (push) Failing after 37s

Details

fix: publish workflow auth — tegwick user, OpenBao token, explicit twine creds

inter-hub-pkg-rep is the Gitea token name (not a username). PACKAGE_USER is
tegwick; token custody is OpenBao platform/operators/inter-hub/package-management.
Disable keyring in CI and pass twine --username/--password explicitly.

2026-06-17 00:14:24 +02:00

3.8 KiB

Raw Blame History

Python Package Release

kaizen-agentic publishes as the kaizen-agentic Python package on the Coulomb Gitea PyPI registry. Public pypi.org distribution is optional and not required for ecosystem use.

Install (consumers)

Dependencies such as pyyaml resolve from public PyPI. Use Gitea as an extra index:

export GITEA_PACKAGE_USER=<gitea-user>
export GITEA_PACKAGE_TOKEN=<package-token>

pip install kaizen-agentic \
  --extra-index-url "https://${GITEA_PACKAGE_USER}:${GITEA_PACKAGE_TOKEN}@gitea.coulomb.social/api/packages/coulomb/pypi/simple/"

Global CLI via pipx:

pipx install kaizen-agentic \
  --pip-args="--extra-index-url https://${GITEA_PACKAGE_USER}:${GITEA_PACKAGE_TOKEN}@gitea.coulomb.social/api/packages/coulomb/pypi/simple/"

Do not commit tokenized index URLs. Inject credentials via environment variables or CI secrets.

Local Release

Build and validate artifacts:

make package-check

Publish to the Coulomb organization registry:

TWINE_USERNAME=<gitea-user> \
TWINE_PASSWORD=<package-token> \
make publish-gitea

Package upload endpoint:

https://gitea.coulomb.social/api/packages/coulomb/pypi

Consumer simple index:

https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/

Gitea repository secrets (one-time)

Configure in Gitea: Repository → Settings → Actions → Secrets.

Secret	Value
`PACKAGE_USER`	`tegwick` — Gitea username that owns the package token
`PACKAGE_TOKEN`	Gitea API token named `inter-hub-pkg-rep` (`write:package`); custody in OpenBao at `platform/data/operators/inter-hub/package-management` (field `inter-hub-pkg-rep`)

Gitea rejects secret names prefixed with GITEA_ — use PACKAGE_USER / PACKAGE_TOKEN (not GITEA_PACKAGE_USER). Workflows use runs-on: haskelseed and native git clone (no GitHub Marketplace actions).

The publish workflow fails at the upload step when either secret is missing or invalid. Do not commit tokens to the repository.

Smoke-test notes (2026-06-16): inter-hub-pkg-rep is the token name, not a Gitea user. PACKAGE_USER must be tegwick. Token value lives in OpenBao (platform/operators/inter-hub/package-management, key inter-hub-pkg-rep). Earlier 401 failures used the wrong token (GITEA_API_TOKEN ≠ package token). Build step uses .build-venv (PEP 668 safe on haskelseed).

Verify secrets without cutting a release:

Open Actions → Publish Python package → Run workflow (workflow_dispatch), or dispatch via API: POST /api/v1/repos/coulomb/kaizen-agentic/actions/workflows/publish-python-package.yml/dispatches with body {"ref":"main"}
Confirm the run completes and twine upload succeeds
Optional: pip install kaizen-agentic==<version> --extra-index-url ...

The publish job uses an isolated .build-venv on the runner (PEP 668 safe).

Pre-tag release checklist

Before git tag vX.Y.Z && git push origin vX.Y.Z:

make release-check passes (tests, flake8, version consistency, agent parity)
make package-check builds and validates dist/*
CHANGELOG.md has a dated [X.Y.Z] section matching pyproject.toml
PACKAGE_USER and PACKAGE_TOKEN secrets are set
Publish workflow smoke-tested via workflow_dispatch (or prior tag release)
make agents-sync-package run if agents/ changed since last release

Gitea Actions Release

The .gitea/workflows/publish-python-package.yml workflow publishes on tags matching v*.

Example:

git tag v1.2.0
git push origin v1.2.0

Public PyPI (optional)

When pypi.org credentials are configured (~/.pypirc or TWINE_PASSWORD API token with TWINE_USERNAME=__token__):

make release-publish
python -m twine upload dist/*

3.8 KiB Raw Blame History