From e74b8b26f2a1e584e2bcad224f1971320d14f6ee Mon Sep 17 00:00:00 2001
From: Chisanan232
Date: Sat, 23 May 2026 02:06:19 +0800
Subject: [PATCH 1/7] =?UTF-8?q?=E2=9C=A8=20(ci):=20Add=20release-python.ym?= =?UTF-8?q?l=20skeleton=20with=20triggers=20and=20permissions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Workflow header — triggered on v*.*.* tag push (publish path) and workflow_dispatch (dry-run path). id-token: write permission and no stored PyPI token: the publish step uses Trusted Publisher OIDC per the F112 spec in AAASM-1202. Real matrix build + publish jobs added in follow-up commits. AAASM-1217
---
.github/workflows/release-python.yml | 34 ++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 .github/workflows/release-python.yml
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
new file mode 100644
index 0000000..d0e0365
--- /dev/null
+++ b/.github/workflows/release-python.yml
@@ -0,0 +1,34 @@
+name: Release Python SDK
+
+on:
+ push:
+ tags:
+ - 'v*.*.*'
+ workflow_dispatch:
+ inputs:
+ dry-run:
+ description: 'Skip PyPI upload, build wheels only'
+ type: boolean
+ default: true
+
+permissions:
+ contents: read
+ id-token: write # PyPI Trusted Publisher OIDC
+
+concurrency:
+ group: release-python-${{ github.ref }}
+ cancel-in-progress: false
+
+env:
+ # Source of the prebuilt aasm sidecar binary, fetched per platform
+ # before each maturin build so it lands at agent_assembly/bin/aasm
+ # inside the wheel (matches runtime.py's WHEEL_BUNDLED_BIN search path).
+ AASM_BINARY_RELEASE_REPO: AI-agent-assembly/agent-assembly
+ PYTHON_VERSION: '3.12'
+
+jobs:
+ noop:
+ name: Placeholder
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "release-python.yml — real jobs added in follow-up commits"
From 3092bad09a02ba79f92f200d8bc6cc7291481222 Mon Sep 17 00:00:00 2001
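Review bot: `id-token: write` under the workflow-level `permissions:` lets every job in this file mint an OIDC token, not only the one that will publish; since the build jobs only need `contents: read`, keep just `contents: read` at the top and grant `id-token: write` on the publish job alone (PATCH 7 already declares a job-level block, which makes the workflow-level grant redundant there). The `dry-run` input declared under `workflow_dispatch` is never referenced anywhere in this series — the publish guard in PATCH 7 keys on `github.event_name` only — so either wire it into that guard or drop it so the 'Skip PyPI upload' description does not promise a control that does not exist. `cancel-in-progress: false` is the right setting for a release workflow; a short why-comment such as `# never cancel an in-flight publish; later runs queue behind it` would make the intent explicit.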
From: Chisanan232
Date: Sat, 23 May 2026 02:06:46 +0800
Subject: [PATCH 2/7] =?UTF-8?q?=E2=9C=A8=20(ci):=20Add=20build-sdist=20job?= =?UTF-8?q?=20for=20pure-Python=20source=20distribution?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replaces the noop placeholder. Produces dist/*.tar.gz via maturin-action's sdist command — the source archive that lets users build from source without a prebuilt wheel. Artifact name 'wheels-sdist' chosen so the publish job's `pattern: wheels-*` glob picks it up alongside per-platform wheels. AAASM-1217
---
.github/workflows/release-python.yml | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index d0e0365..78f2bd8 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -27,8 +27,21 @@ env:
 PYTHON_VERSION: '3.12'
 
 jobs:
- noop:
- name: Placeholder
+ build-sdist:
+ name: Build sdist
 runs-on: ubuntu-latest
 steps:
- - run: echo "release-python.yml — real jobs added in follow-up commits"
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+ - name: Build source distribution
+ uses: PyO3/maturin-action@v1
+ with:
+ command: sdist
+ args: --out dist
+ - name: Upload sdist artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: wheels-sdist
+ path: dist/*.tar.gz
From 1db70b619ddbefdb30b3c1eb82f7598f555a0770 Mon Sep 17 00:00:00 2001
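Review bot: Every `uses:` in this job is a mutable tag reference (`actions/checkout@v4`, `actions/setup-python@v5`, `PyO3/maturin-action@v1`, `actions/upload-artifact@v4`), so the code that runs inside the release pipeline can change upstream without any diff in this repository; for a workflow whose output is pushed to PyPI, pin each action to a full commit SHA and keep the human-readable version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`. The same applies to every `uses:` added in PATCH 3–7, including `pypa/gh-action-pypi-publish@release/v1`, which is a moving branch rather than a tag. Dependabot or Renovate can keep the pinned SHAs current so the pins do not rot.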
From: Chisanan232
Date: Sat, 23 May 2026 02:07:03 +0800
Subject: [PATCH 3/7] =?UTF-8?q?=E2=9C=A8=20(ci):=20Add=20manylinux=5Fx86?= =?UTF-8?q?=5F64=20wheel=20build=20job=20(PyO3/maturin-action)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
First platform wheel job. Three notable parts: 1. Stage step downloads the prebuilt aasm-linux-x86_64 artifact from the upstream agent-assembly repo and places it at agent_assembly/bin/aasm — picked up by maturin's include glob. 2. Untrusted-input safety: AASM_REPO is sourced via env: from the workflow-level env var (already a static string), not interpolated directly into the run script. 3. maturin-action with manylinux: auto produces a wheel with the correct manylinux platform tag for broad pip compatibility. If the upstream binary isn't published yet, the step logs a warning and continues, producing an SDK-only wheel. AAASM-1217
---
.github/workflows/release-python.yml | 34 ++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index 78f2bd8..e447f42 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -45,3 +45,37 @@ jobs:
 with:
 name: wheels-sdist
 path: dist/*.tar.gz
+
+ build-linux-x86_64:
+ name: Build manylinux_x86_64 wheel
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+ - name: Stage aasm sidecar binary
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
+ run: |
+ mkdir -p agent_assembly/bin
+ if gh release download --repo "$AASM_REPO" --pattern 'aasm-linux-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then
+ mv agent_assembly/bin/aasm-linux-x86_64 agent_assembly/bin/aasm
+ chmod +x agent_assembly/bin/aasm
+ echo "Bundled aasm binary into wheel"
+ else
+ echo "::warning::aasm-linux-x86_64 not yet published by $AASM_REPO — wheel will ship without bundled binary"
+ fi
+ - name: Build wheel
+ uses: PyO3/maturin-action@v1
+ with:
+ target: x86_64-unknown-linux-gnu
+ command: build
+ args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
+ manylinux: auto
+ - name: Upload wheel artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: wheels-linux-x86_64
+ path: dist/*.whl
From 47fb0151afad4b17e18b5c763bf169917b424f0d Mon Sep 17 00:00:00 2001
From: Chisanan232
Date: Sat, 23 May 2026 02:07:16 +0800
Subject: [PATCH 4/7] =?UTF-8?q?=E2=9C=A8=20(ci):=20Add=20manylinux=5Faarch?= =?UTF-8?q?64=20wheel=20build=20job?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Same shape as the x86_64 job; maturin-action's QEMU-based cross-build support handles aarch64 from ubuntu-latest. Downloads aasm-linux-aarch64 from upstream agent-assembly releases. AAASM-1217
---
.github/workflows/release-python.yml | 34 ++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index e447f42..074b55e 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
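Review bot: The `Stage aasm sidecar binary` step calls `gh release download` with no tag, so it fetches whatever the latest release of `$AASM_REPO` happens to be at build time and bundles that binary into a wheel published under this repository's own version; nothing ties the sidecar to a known version and nothing checks its integrity before `chmod +x`. Pin the release with `--tag` to an explicit version (for example a workflow-level `AASM_BINARY_VERSION` env var, kept as a quoted string) and, if the upstream release publishes checksums or signed attestations, verify the downloaded file against them before it is moved into place — if upstream publishes neither, that is worth requesting, since this binary ends up executing on every user's machine. Separately, `2>/dev/null` together with the `::warning::` branch turns every failure mode — auth, rate limit, network, missing asset — into a silently binary-less wheel, which on a `v*.*.*` tag push will still be published by the `publish` job; consider failing the step on tag pushes and tolerating a missing asset only when `github.event_name == 'workflow_dispatch'`, and drop the stderr redirect so the real `gh` error reaches the log. The same applies to the aarch64 and both macOS staging steps in PATCH 4–6.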
@@ -79,3 +79,37 @@ jobs:
 with:
 name: wheels-linux-x86_64
 path: dist/*.whl
+
+ build-linux-aarch64:
+ name: Build manylinux_aarch64 wheel
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+ - name: Stage aasm sidecar binary
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
+ run: |
+ mkdir -p agent_assembly/bin
+ if gh release download --repo "$AASM_REPO" --pattern 'aasm-linux-aarch64' --dir agent_assembly/bin/ 2>/dev/null; then
+ mv agent_assembly/bin/aasm-linux-aarch64 agent_assembly/bin/aasm
+ chmod +x agent_assembly/bin/aasm
+ echo "Bundled aasm binary into wheel"
+ else
+ echo "::warning::aasm-linux-aarch64 not yet published by $AASM_REPO — wheel will ship without bundled binary"
+ fi
+ - name: Build wheel
+ uses: PyO3/maturin-action@v1
+ with:
+ target: aarch64-unknown-linux-gnu
+ command: build
+ args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
+ manylinux: auto
+ - name: Upload wheel artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: wheels-linux-aarch64
+ path: dist/*.whl
From fe4b808d2a844ef7c3a5bf52357532dee3dcf421 Mon Sep 17 00:00:00 2001
From: Chisanan232
Date: Sat, 23 May 2026 02:07:29 +0800
Subject: [PATCH 5/7] =?UTF-8?q?=E2=9C=A8=20(ci):=20Add=20macosx=5Farm64=20?= =?UTF-8?q?wheel=20build=20job?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Runs on macos-14 (Apple silicon) and produces the wheel for the common modern Mac. Native build — no cross-compile overhead — so maturin-action picks up the host target directly. AAASM-1217
---
.github/workflows/release-python.yml | 33 ++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index 074b55e..c413dc8 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
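Review bot: This job is a near-verbatim copy of `build-linux-x86_64` with four literals changed (the `--pattern` asset name, the `mv` source, `target:` and the artifact `name:`), and PATCH 5–6 add two more copies; a single `build-wheels` job with a `strategy.matrix` over runner, target and asset name would make the staging script exist exactly once, so that a fix to the download or verification logic cannot drift between platforms. The Linux-only `manylinux: auto` input can be carried as a matrix field — confirm that maturin-action ignores an empty `manylinux` on the macOS runners before relying on that. If the jobs are deliberately kept separate, at least move the `run:` body into a checked-in script under `.github/scripts/` that takes the asset name as its argument.

```yaml
  build-wheels:
    name: Build ${{ matrix.target }} wheel
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - { os: ubuntu-latest, target: x86_64-unknown-linux-gnu, asset: aasm-linux-x86_64, manylinux: auto }
          - { os: ubuntu-latest, target: aarch64-unknown-linux-gnu, asset: aasm-linux-aarch64, manylinux: auto }
          - { os: macos-14, target: aarch64-apple-darwin, asset: aasm-macos-arm64 }
          - { os: macos-13, target: x86_64-apple-darwin, asset: aasm-macos-x86_64 }
    steps:
      # … unchanged: checkout, setup-python …
      - name: Stage aasm sidecar binary
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
          ASSET: ${{ matrix.asset }}
        run: |
          mkdir -p agent_assembly/bin
          if gh release download --repo "$AASM_REPO" --pattern "$ASSET" --dir agent_assembly/bin/; then
            mv "agent_assembly/bin/$ASSET" agent_assembly/bin/aasm
            # … unchanged: chmod, echo, else/fi …
      - name: Build wheel
        uses: PyO3/maturin-action@v1
        with:
          target: ${{ matrix.target }}
          command: build
          args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
          manylinux: ${{ matrix.manylinux }}
      # … unchanged: upload-artifact, name: wheels-${{ matrix.asset }} …
```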
@@ -113,3 +113,36 @@ jobs:
 with:
 name: wheels-linux-aarch64
 path: dist/*.whl
+
+ build-macos-arm64:
+ name: Build macosx_arm64 wheel
+ runs-on: macos-14 # Apple silicon runner
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+ - name: Stage aasm sidecar binary
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
+ run: |
+ mkdir -p agent_assembly/bin
+ if gh release download --repo "$AASM_REPO" --pattern 'aasm-macos-arm64' --dir agent_assembly/bin/ 2>/dev/null; then
+ mv agent_assembly/bin/aasm-macos-arm64 agent_assembly/bin/aasm
+ chmod +x agent_assembly/bin/aasm
+ echo "Bundled aasm binary into wheel"
+ else
+ echo "::warning::aasm-macos-arm64 not yet published by $AASM_REPO — wheel will ship without bundled binary"
+ fi
+ - name: Build wheel
+ uses: PyO3/maturin-action@v1
+ with:
+ target: aarch64-apple-darwin
+ command: build
+ args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
+ - name: Upload wheel artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: wheels-macos-arm64
+ path: dist/*.whl
From 8030e383618da4bea3b1ab6c76b1bb7f7008f106 Mon Sep 17 00:00:00 2001
From: Chisanan232
Date: Sat, 23 May 2026 02:07:42 +0800
Subject: [PATCH 6/7] =?UTF-8?q?=E2=9C=A8=20(ci):=20Add=20macosx=5Fx86=5F64?= =?UTF-8?q?=20wheel=20build=20job?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Runs on macos-13 (Intel runner) for the legacy Mac target. Same structure as the arm64 job; binary download pattern is aasm-macos-x86_64 to match the expected upstream release asset name. AAASM-1217
---
.github/workflows/release-python.yml | 33 ++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index c413dc8..943b50c 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
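Review bot: On this native `macos-14` runner the staged `agent_assembly/bin/aasm` can be executed before it is packaged, which the cross-built aarch64 Linux job cannot reliably do; a one-line smoke test right after `chmod +x` (whatever no-op invocation `aasm` supports — a version or help flag, if it has one) would catch a truncated download or a wrong-architecture asset before it ships inside the wheel. The same check fits `build-macos-x86_64` in PATCH 6 and `build-linux-x86_64` in PATCH 3. Also worth a comment on `Build wheel`: no deployment target is set, so the `macosx_*` platform tag on the produced wheel is presumably whatever maturin defaults to for `aarch64-apple-darwin` — confirm that, and pin it explicitly via `MACOSX_DEPLOYMENT_TARGET` in the step's `env:` if the SDK promises a minimum macOS version.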
@@ -146,3 +146,36 @@ jobs:
 with:
 name: wheels-macos-arm64
 path: dist/*.whl
+
+ build-macos-x86_64:
+ name: Build macosx_x86_64 wheel
+ runs-on: macos-13 # Intel runner
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+ - name: Stage aasm sidecar binary
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
+ run: |
+ mkdir -p agent_assembly/bin
+ if gh release download --repo "$AASM_REPO" --pattern 'aasm-macos-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then
+ mv agent_assembly/bin/aasm-macos-x86_64 agent_assembly/bin/aasm
+ chmod +x agent_assembly/bin/aasm
+ echo "Bundled aasm binary into wheel"
+ else
+ echo "::warning::aasm-macos-x86_64 not yet published by $AASM_REPO — wheel will ship without bundled binary"
+ fi
+ - name: Build wheel
+ uses: PyO3/maturin-action@v1
+ with:
+ target: x86_64-apple-darwin
+ command: build
+ args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
+ - name: Upload wheel artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: wheels-macos-x86_64
+ path: dist/*.whl
From 8df9d2a9730836a128bea4e16d630e5edd4d8e88 Mon Sep 17 00:00:00 2001
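Review bot: `runs-on: macos-13` is the Intel image that GitHub has, as far as I know, put on its runner-retirement schedule; once the label stops resolving this job will fail or sit waiting for a runner, and because `publish` in PATCH 7 lists it under `needs:`, every tagged release would then be blocked rather than merely losing the x86_64 wheel. Confirm the label's remaining lifetime before building the release channel on it, and decide up front whether the Intel wheel is a hard requirement — if it is not, `continue-on-error: true` on this job lets a runner outage degrade the release instead of blocking it, and if it is, the dependency deserves a note in the commit or README. Extending the inline comment to `# Intel runner — check GitHub's hosted-runner deprecation schedule` would spare the next maintainer the surprise.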
From: Chisanan232
Date: Sat, 23 May 2026 02:07:58 +0800
Subject: [PATCH 7/7] =?UTF-8?q?=E2=9C=A8=20(ci):=20Add=20PyPI=20Trusted=20?= =?UTF-8?q?Publisher=20publish=20job=20gated=20on=20all=20build=20jobs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Downloads every wheels-* artifact (sdist + 4 platform wheels) into dist/ and uploads them via pypa/gh-action-pypi-publish using the Trusted Publisher OIDC flow — no long-lived PyPI API token is stored in repo secrets. `if:` guard ensures the publish step only fires on actual v*.*.* tag pushes; workflow_dispatch runs build only (dry-run). `environment: pypi` links to the GitHub Environment that PyPI's Trusted Publisher registration will check against. Setup steps (register publisher on pypi.org, create the pypi env in repo settings) documented in the PR description for AAASM-1217. AAASM-1217
---
.github/workflows/release-python.yml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index 943b50c..60eb186 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -179,3 +179,30 @@ jobs:
 with:
 name: wheels-macos-x86_64
 path: dist/*.whl
+
+ publish:
+ name: Publish to PyPI (Trusted Publisher)
+ needs:
+ - build-sdist
+ - build-linux-x86_64
+ - build-linux-aarch64
+ - build-macos-arm64
+ - build-macos-x86_64
+ runs-on: ubuntu-latest
+ # Publish only on actual tag push; workflow_dispatch is dry-run.
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+ environment:
+ name: pypi
+ url: https://pypi.org/p/agent-assembly
+ permissions:
+ id-token: write # OIDC token for Trusted Publisher
+ steps:
+ - name: Download all build artifacts
+ uses: actions/download-artifact@v4
+ with:
+ pattern: wheels-*
+ path: dist
+ merge-multiple: true
+ - name: Publish via PyPI Trusted Publisher
+ uses: pypa/gh-action-pypi-publish@release/v1
+ # No `with: password:` — Trusted Publisher uses OIDC, no token stored.
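Review bot: The `if:` on `publish` keys only on `github.event_name == 'push'`, so the `dry-run` input declared in the workflow header is never consulted — a maintainer who dispatches with `dry-run: false` expecting an upload gets a silent build-only run, and the input's `default: true` provides no real protection because nothing reads it. Either remove the input (the tag-push-only gate is the safer design for a release channel) or make the guard honor it explicitly, e.g. `if: (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) || (github.event_name == 'workflow_dispatch' && !inputs.dry-run)`, in which case the `pypi` environment's protection rules become the only thing between an arbitrary branch and PyPI, so required reviewers on that environment should be treated as mandatory rather than optional. The job-level `permissions:` block correctly narrows this job to `id-token: write` only — every other scope drops to none, which is fine since there is no checkout here — and that makes the workflow-level `id-token: write` from PATCH 1 redundant for this job and over-broad for the build jobs. A comment on the `Download all build artifacts` step noting that `merge-multiple: true` flattens all `wheels-*` artifacts into one `dist/` (so two artifacts carrying the same filename would overwrite each other silently) would document the assumption the per-platform artifact names rely on.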