From 36a1b9988db293fe2091186162cfe55c81ab1d1f Mon Sep 17 00:00:00 2001 From: Chisanan232 Date: Tue, 2 Jun 2026 22:59:44 +0800 Subject: [PATCH 1/3] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20(release):=20Switch=20?= =?UTF-8?q?trigger=20from=20push:tags=20to=20repository=5Fdispatch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit agent-assembly's release workflow now emits a `repository_dispatch` event (event-type: `agent-assembly-release-published`) after the upstream GitHub Release is created and aasm-* binaries are uploaded. Listening for the dispatch guarantees the binaries exist when this workflow runs, eliminating the race that the previous tag-push trigger was vulnerable to. The publish job's guard is updated from `github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')` to `github.event_name == 'repository_dispatch'` to match the new model. Refs AAASM-2342, AI-agent-assembly/agent-assembly#842. --- .github/workflows/release-python.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index 92b1f91..46975a4 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -1,9 +1,12 @@ name: Release Python SDK on: - push: - tags: - - 'v*.*.*' + # Triggered by agent-assembly's `notify-downstream` job after the upstream + # GitHub Release is created and aasm-* binaries are uploaded. Payload: + # { "release_tag": "v0.0.1-alpha.4" } + # See AI-agent-assembly/agent-assembly PR #842 for the dispatcher side. + repository_dispatch: + types: [agent-assembly-release-published] workflow_dispatch: inputs: dry-run: @@ -243,8 +246,8 @@ jobs: - build-macos-arm64 - build-macos-x86_64 runs-on: ubuntu-latest - # Publish only on actual tag push; workflow_dispatch is dry-run. - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') + # Publish only when fired by agent-assembly's repository_dispatch; workflow_dispatch is dry-run. + if: github.event_name == 'repository_dispatch' environment: name: pypi url: https://pypi.org/p/agent-assembly From b90b8526d0cb91b648f45153c70513a0d2a00233 Mon Sep 17 00:00:00 2001 From: Chisanan232 Date: Tue, 2 Jun 2026 23:00:30 +0800 Subject: [PATCH 2/3] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20(release):=20Pin=20aas?= =?UTF-8?q?m=20binary=20download=20to=20dispatch=20payload's=20release=5Ft?= =?UTF-8?q?ag?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dispatch payload from agent-assembly contains a `release_tag` field identifying the exact upstream release to pull binaries from. Pin each `gh release download` call to that tag via `--tag "$AASM_TAG"` so a release that happens to ship while this workflow is mid-flight cannot swap the binaries underneath us. For `workflow_dispatch` (dry-run) the env var is empty and the tag argument is omitted, preserving the existing "latest release" behavior for local validation runs. The `AASM_TAG` env var is set from `github.event.client_payload.release_tag` following the workflow-injection-safe env-then-shell pattern. Refs AAASM-2342. --- .github/workflows/release-python.yml | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index 46975a4..a271868 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -67,9 +67,15 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }} + AASM_TAG: ${{ github.event.client_payload.release_tag }} run: | mkdir -p agent_assembly/bin - if gh release download --repo "$AASM_REPO" --pattern 'aasm-linux-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then + # repository_dispatch supplies the exact upstream tag in the + # client_payload; workflow_dispatch (dry-run) leaves it empty + # and falls back to the latest release. + TAG_ARG=() + if [ -n "$AASM_TAG" ]; then TAG_ARG=(--tag "$AASM_TAG"); fi + if gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-linux-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then mv agent_assembly/bin/aasm-linux-x86_64 agent_assembly/bin/aasm chmod +x agent_assembly/bin/aasm echo "Bundled aasm binary into wheel" @@ -127,9 +133,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }} + AASM_TAG: ${{ github.event.client_payload.release_tag }} run: | mkdir -p agent_assembly/bin - if gh release download --repo "$AASM_REPO" --pattern 'aasm-linux-aarch64' --dir agent_assembly/bin/ 2>/dev/null; then + # See linux-x86_64 above for tag-pinning rationale. + TAG_ARG=() + if [ -n "$AASM_TAG" ]; then TAG_ARG=(--tag "$AASM_TAG"); fi + if gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-linux-aarch64' --dir agent_assembly/bin/ 2>/dev/null; then mv agent_assembly/bin/aasm-linux-aarch64 agent_assembly/bin/aasm chmod +x agent_assembly/bin/aasm echo "Bundled aasm binary into wheel" @@ -179,9 +189,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }} + AASM_TAG: ${{ github.event.client_payload.release_tag }} run: | mkdir -p agent_assembly/bin - if gh release download --repo "$AASM_REPO" --pattern 'aasm-macos-arm64' --dir agent_assembly/bin/ 2>/dev/null; then + # See linux-x86_64 above for tag-pinning rationale. + TAG_ARG=() + if [ -n "$AASM_TAG" ]; then TAG_ARG=(--tag "$AASM_TAG"); fi + if gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-macos-arm64' --dir agent_assembly/bin/ 2>/dev/null; then mv agent_assembly/bin/aasm-macos-arm64 agent_assembly/bin/aasm chmod +x agent_assembly/bin/aasm echo "Bundled aasm binary into wheel" @@ -214,9 +228,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }} + AASM_TAG: ${{ github.event.client_payload.release_tag }} run: | mkdir -p agent_assembly/bin - if gh release download --repo "$AASM_REPO" --pattern 'aasm-macos-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then + # See linux-x86_64 above for tag-pinning rationale. + TAG_ARG=() + if [ -n "$AASM_TAG" ]; then TAG_ARG=(--tag "$AASM_TAG"); fi + if gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-macos-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then mv agent_assembly/bin/aasm-macos-x86_64 agent_assembly/bin/aasm chmod +x agent_assembly/bin/aasm echo "Bundled aasm binary into wheel" From a5919e27a90b203187445cfbd9b5c0c8e9dc1ff4 Mon Sep 17 00:00:00 2001 From: Chisanan232 Date: Tue, 2 Jun 2026 23:02:20 +0800 Subject: [PATCH 3/3] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20(release):=20Drop=20si?= =?UTF-8?q?lent=20gh-release-download=20fallback=20for=20aasm=20binaries?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously each platform's Stage step swallowed download failures via `2>/dev/null` and emitted an `::warning::` while the workflow continued and shipped a wheel without the bundled aasm binary. That was the race-mitigation tactic for the tag-push trigger model: aasm-* binaries might not have been uploaded yet when the python-sdk tag arrived. The new repository_dispatch trigger fires only after agent-assembly's release job has finished uploading every aasm-* binary, so failure to download an expected platform binary is now a genuine error and must abort the wheel build instead of producing a silently-degraded artifact. Each Stage step now: - runs under `set -euo pipefail` so non-zero exits abort the step - calls `gh release download` without the `2>/dev/null` swallow - drops the `if/else` warning fallback branch Refs AAASM-2342. --- .github/workflows/release-python.yml | 60 +++++++++++++++------------- 1 file changed, 32 insertions(+), 28 deletions(-) diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index a271868..ea3a20a 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -69,19 +69,20 @@ jobs: AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }} AASM_TAG: ${{ github.event.client_payload.release_tag }} run: | + set -euo pipefail mkdir -p agent_assembly/bin # repository_dispatch supplies the exact upstream tag in the # client_payload; workflow_dispatch (dry-run) leaves it empty # and falls back to the latest release. TAG_ARG=() if [ -n "$AASM_TAG" ]; then TAG_ARG=(--tag "$AASM_TAG"); fi - if gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-linux-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then - mv agent_assembly/bin/aasm-linux-x86_64 agent_assembly/bin/aasm - chmod +x agent_assembly/bin/aasm - echo "Bundled aasm binary into wheel" - else - echo "::warning::aasm-linux-x86_64 not yet published by $AASM_REPO — wheel will ship without bundled binary" - fi + # Hard error on missing binary: the repository_dispatch event + # guarantees the aasm-* assets exist on the upstream release + # at this point (see AI-agent-assembly/agent-assembly#842). + gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-linux-x86_64' --dir agent_assembly/bin/ + mv agent_assembly/bin/aasm-linux-x86_64 agent_assembly/bin/aasm + chmod +x agent_assembly/bin/aasm + echo "Bundled aasm binary into wheel" - name: Build wheel uses: PyO3/maturin-action@v1 with: @@ -135,17 +136,18 @@ jobs: AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }} AASM_TAG: ${{ github.event.client_payload.release_tag }} run: | + set -euo pipefail mkdir -p agent_assembly/bin # See linux-x86_64 above for tag-pinning rationale. TAG_ARG=() if [ -n "$AASM_TAG" ]; then TAG_ARG=(--tag "$AASM_TAG"); fi - if gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-linux-aarch64' --dir agent_assembly/bin/ 2>/dev/null; then - mv agent_assembly/bin/aasm-linux-aarch64 agent_assembly/bin/aasm - chmod +x agent_assembly/bin/aasm - echo "Bundled aasm binary into wheel" - else - echo "::warning::aasm-linux-aarch64 not yet published by $AASM_REPO — wheel will ship without bundled binary" - fi + # Hard error on missing binary: the repository_dispatch event + # guarantees the aasm-* assets exist on the upstream release + # at this point (see AI-agent-assembly/agent-assembly#842). + gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-linux-aarch64' --dir agent_assembly/bin/ + mv agent_assembly/bin/aasm-linux-aarch64 agent_assembly/bin/aasm + chmod +x agent_assembly/bin/aasm + echo "Bundled aasm binary into wheel" - name: Build wheel uses: PyO3/maturin-action@v1 with: @@ -191,17 +193,18 @@ jobs: AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }} AASM_TAG: ${{ github.event.client_payload.release_tag }} run: | + set -euo pipefail mkdir -p agent_assembly/bin # See linux-x86_64 above for tag-pinning rationale. TAG_ARG=() if [ -n "$AASM_TAG" ]; then TAG_ARG=(--tag "$AASM_TAG"); fi - if gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-macos-arm64' --dir agent_assembly/bin/ 2>/dev/null; then - mv agent_assembly/bin/aasm-macos-arm64 agent_assembly/bin/aasm - chmod +x agent_assembly/bin/aasm - echo "Bundled aasm binary into wheel" - else - echo "::warning::aasm-macos-arm64 not yet published by $AASM_REPO — wheel will ship without bundled binary" - fi + # Hard error on missing binary: the repository_dispatch event + # guarantees the aasm-* assets exist on the upstream release + # at this point (see AI-agent-assembly/agent-assembly#842). + gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-macos-arm64' --dir agent_assembly/bin/ + mv agent_assembly/bin/aasm-macos-arm64 agent_assembly/bin/aasm + chmod +x agent_assembly/bin/aasm + echo "Bundled aasm binary into wheel" - name: Install protoc (macOS) run: brew install protobuf - name: Build wheel @@ -230,17 +233,18 @@ jobs: AASM_REPO: ${{ env.AASM_BINARY_RELEASE_REPO }} AASM_TAG: ${{ github.event.client_payload.release_tag }} run: | + set -euo pipefail mkdir -p agent_assembly/bin # See linux-x86_64 above for tag-pinning rationale. TAG_ARG=() if [ -n "$AASM_TAG" ]; then TAG_ARG=(--tag "$AASM_TAG"); fi - if gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-macos-x86_64' --dir agent_assembly/bin/ 2>/dev/null; then - mv agent_assembly/bin/aasm-macos-x86_64 agent_assembly/bin/aasm - chmod +x agent_assembly/bin/aasm - echo "Bundled aasm binary into wheel" - else - echo "::warning::aasm-macos-x86_64 not yet published by $AASM_REPO — wheel will ship without bundled binary" - fi + # Hard error on missing binary: the repository_dispatch event + # guarantees the aasm-* assets exist on the upstream release + # at this point (see AI-agent-assembly/agent-assembly#842). + gh release download "${TAG_ARG[@]}" --repo "$AASM_REPO" --pattern 'aasm-macos-x86_64' --dir agent_assembly/bin/ + mv agent_assembly/bin/aasm-macos-x86_64 agent_assembly/bin/aasm + chmod +x agent_assembly/bin/aasm + echo "Bundled aasm binary into wheel" - name: Install protoc (macOS) run: brew install protobuf - name: Build wheel