Skip to content

[AAASM-1217] ✨ (ci): Add matrix wheel build + PyPI Trusted Publisher workflow #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Chisanan232 merged 7 commits into from
May 23, 2026
Merged

[AAASM-1217] ✨ (ci): Add matrix wheel build + PyPI Trusted Publisher workflow #55

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e74b8b2
✨ (ci): Add release-python.yml skeleton with triggers and permissions
Chisanan232 May 22, 2026
3092bad
✨ (ci): Add build-sdist job for pure-Python source distribution
Chisanan232 May 22, 2026
1db70b6
✨ (ci): Add manylinux_x86_64 wheel build job (PyO3/maturin-action)
Chisanan232 May 22, 2026
47fb015
✨ (ci): Add manylinux_aarch64 wheel build job
Chisanan232 May 22, 2026
fe4b808
✨ (ci): Add macosx_arm64 wheel build job
Chisanan232 May 22, 2026
8030e38
✨ (ci): Add macosx_x86_64 wheel build job
Chisanan232 May 22, 2026
8df9d2a
✨ (ci): Add PyPI Trusted Publisher publish job gated on all build jobs
Chisanan232 May 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
208 changes: 208 additions & 0 deletions .github/workflows/release-python.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,208 @@
name: Release Python SDK

on:
push:
tags:
- 'v*.*.*'
workflow_dispatch:
inputs:
dry-run:
description: 'Skip PyPI upload, build wheels only'
type: boolean
default: true

permissions:
contents: read
id-token: write # PyPI Trusted Publisher OIDC

concurrency:
group: release-python-${{ github.ref }}
cancel-in-progress: false

env:
# Source of the prebuilt aasm sidecar binary, fetched per platform
# before each maturin build so it lands at agent_assembly/bin/aasm
# inside the wheel (matches runtime.py's WHEEL_BUNDLED_BIN search path).
AASM_BINARY_RELEASE_REPO: AI-agent-assembly/agent-assembly
PYTHON_VERSION: '3.12'

jobs:
build-sdist:
name: Build sdist
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Build source distribution
uses: PyO3/maturin-action@v1
with:
command: sdist
args: --out dist
- name: Upload sdist artifact
uses: actions/upload-artifact@v4
with:
name: wheels-sdist
path: dist/*.tar.gz

build-linux-x86_64:
name: Build manylinux_x86_64 wheel
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Stage aasm sidecar binary
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
run: |
mkdir -p agent_assembly/bin
if gh release download --repo "$AASM_REPO" --pattern 'aasm-linux-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then
mv agent_assembly/bin/aasm-linux-x86_64 agent_assembly/bin/aasm
chmod +x agent_assembly/bin/aasm
echo "Bundled aasm binary into wheel"
else
echo "::warning::aasm-linux-x86_64 not yet published by $AASM_REPO — wheel will ship without bundled binary"
fi
- name: Build wheel
uses: PyO3/maturin-action@v1
with:
target: x86_64-unknown-linux-gnu
command: build
args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
manylinux: auto
- name: Upload wheel artifact
uses: actions/upload-artifact@v4
with:
name: wheels-linux-x86_64
path: dist/*.whl

build-linux-aarch64:
name: Build manylinux_aarch64 wheel
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Stage aasm sidecar binary
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
run: |
mkdir -p agent_assembly/bin
if gh release download --repo "$AASM_REPO" --pattern 'aasm-linux-aarch64' --dir agent_assembly/bin/ 2>/dev/null; then
mv agent_assembly/bin/aasm-linux-aarch64 agent_assembly/bin/aasm
chmod +x agent_assembly/bin/aasm
echo "Bundled aasm binary into wheel"
else
echo "::warning::aasm-linux-aarch64 not yet published by $AASM_REPO — wheel will ship without bundled binary"
fi
- name: Build wheel
uses: PyO3/maturin-action@v1
with:
target: aarch64-unknown-linux-gnu
command: build
args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
manylinux: auto
- name: Upload wheel artifact
uses: actions/upload-artifact@v4
with:
name: wheels-linux-aarch64
path: dist/*.whl

build-macos-arm64:
name: Build macosx_arm64 wheel
runs-on: macos-14 # Apple silicon runner
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Stage aasm sidecar binary
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
run: |
mkdir -p agent_assembly/bin
if gh release download --repo "$AASM_REPO" --pattern 'aasm-macos-arm64' --dir agent_assembly/bin/ 2>/dev/null; then
mv agent_assembly/bin/aasm-macos-arm64 agent_assembly/bin/aasm
chmod +x agent_assembly/bin/aasm
echo "Bundled aasm binary into wheel"
else
echo "::warning::aasm-macos-arm64 not yet published by $AASM_REPO — wheel will ship without bundled binary"
fi
- name: Build wheel
uses: PyO3/maturin-action@v1
with:
target: aarch64-apple-darwin
command: build
args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
- name: Upload wheel artifact
uses: actions/upload-artifact@v4
with:
name: wheels-macos-arm64
path: dist/*.whl

build-macos-x86_64:
name: Build macosx_x86_64 wheel
runs-on: macos-13 # Intel runner
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Stage aasm sidecar binary
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }}
run: |
mkdir -p agent_assembly/bin
if gh release download --repo "$AASM_REPO" --pattern 'aasm-macos-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then
mv agent_assembly/bin/aasm-macos-x86_64 agent_assembly/bin/aasm
chmod +x agent_assembly/bin/aasm
echo "Bundled aasm binary into wheel"
else
echo "::warning::aasm-macos-x86_64 not yet published by $AASM_REPO — wheel will ship without bundled binary"
fi
- name: Build wheel
uses: PyO3/maturin-action@v1
with:
target: x86_64-apple-darwin
command: build
args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
- name: Upload wheel artifact
uses: actions/upload-artifact@v4
with:
name: wheels-macos-x86_64
path: dist/*.whl

publish:
name: Publish to PyPI (Trusted Publisher)
needs:
- build-sdist
- build-linux-x86_64
- build-linux-aarch64
- build-macos-arm64
- build-macos-x86_64
runs-on: ubuntu-latest
# Publish only on actual tag push; workflow_dispatch is dry-run.
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
environment:
name: pypi
url: https://pypi.org/p/agent-assembly
permissions:
id-token: write # OIDC token for Trusted Publisher
steps:
- name: Download all build artifacts
uses: actions/download-artifact@v4
with:
pattern: wheels-*
path: dist
merge-multiple: true
- name: Publish via PyPI Trusted Publisher
uses: pypa/gh-action-pypi-publish@release/v1
# No `with: password:` — Trusted Publisher uses OIDC, no token stored.