fix: Use workflow_dispatch instead of workflow_call for OIDC compatibility #912

Merged: Aaron ("AJ") Steers (aaronsteers) merged 1 commit into main from devin/1765671538-fix-prerelease-oidc on Dec 14, 2025

@aaronsteers Aaron ("AJ") Steers (aaronsteers) commented Dec 14, 2025

Summary

Fixes the /prerelease command which was failing with OIDC attestation mismatch:

Certificate's Build Config URI (.../prerelease-command.yml@refs/heads/main) 
does not match expected Trusted Publisher (pypi_publish.yml @ airbytehq/PyAirbyte)

The root cause: when using workflow_call, PyPI's OIDC attestation sees the caller workflow (prerelease-command.yml) rather than the called workflow (pypi_publish.yml).

The fix: use the-actions-org/workflow-dispatch@v4 to trigger pypi_publish.yml via workflow_dispatch instead. This makes pypi_publish.yml the top-level workflow, so the OIDC attestation matches the trusted publisher config.

Changes:

  • prerelease-command.yml: Replace uses: ./.github/workflows/pypi_publish.yml with workflow-dispatch action
  • pypi_publish.yml: Add workflow_dispatch.inputs (mirroring existing workflow_call.inputs)
  • Update publish condition to handle both boolean and string 'true' for the publish input

Review & Testing Checklist for Human

  • Verify GITHUB_CI_WORKFLOW_TRIGGER_PAT secret exists with permissions to trigger workflows
  • Review the ref: main parameter - This is intentional: the workflow runs from main (for OIDC) but builds code from the PR via git_ref input
  • Consider pinning workflow-dispatch action to SHA - Currently using @v4 tag, unlike other actions in the repo which use pinned SHAs
  • Test end-to-end after merge by commenting /prerelease on a test PR - this is the only way to verify the OIDC fix works

Notes

  • The workflow_call trigger is preserved in pypi_publish.yml for backwards compatibility (though currently unused)
  • The publish input uses string type for workflow_dispatch (API limitation) but boolean for workflow_call, hence the dual condition check

Link to Devin run: https://app.devin.ai/sessions/c86d36be59664129af00617d0e66bc4d
Requested by: AJ Steers (Aaron ("AJ") Steers (@aaronsteers))

Summary by CodeRabbit

  • Chores
    • Enhanced release workflow automation with improved status reporting for published releases.
    • Added workflow configuration inputs for more flexible and reliable release management.
    • Implemented completion verification for publish operations to ensure successful deployment.

…ility

Co-Authored-By: AJ Steers <aj@airbyte.io>
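
The restructuring this PR describes, as an added sketch (fragments of two files, not the repository's actual workflows): the caller dispatches `pypi_publish.yml` so that it runs as the top-level workflow, and the publish job accepts both input types. Job and step ids, the constructed `PR_HEAD_REF` / `PRERELEASE_VERSION` values, the `actions/checkout` step, and the dispatch action's `with:` keys other than `ref` and the 30m timeout are assumptions not taken from the page.

```yaml
# --- .github/workflows/prerelease-command.yml (caller, fragment) ---
# Before: `uses: ./.github/workflows/pypi_publish.yml` ran the publish job as a
# reusable workflow, leaving this file as the top-level workflow in the OIDC identity.
jobs:
  trigger-publish:                      # hypothetical job id
    runs-on: ubuntu-latest
    env:
      PR_HEAD_REF: my-feature-branch    # constructed sample value
      PRERELEASE_VERSION: 0.0.0.dev1    # constructed sample value
    steps:
      - name: Trigger Publish Workflow
        id: dispatch
        uses: the-actions-org/workflow-dispatch@v4   # tag as in the PR; a commit SHA is the pinned form
        with:
          workflow: pypi_publish.yml
          token: ${{ secrets.GITHUB_CI_WORKFLOW_TRIGGER_PAT }}
          ref: main                     # workflow definition is taken from main
          wait-for-completion: true
          wait-for-completion-timeout: 30m
          # toJSON() quotes the values so a ref name cannot break the JSON payload
          inputs: '{"git_ref": ${{ toJSON(env.PR_HEAD_REF) }}, "version_override": ${{ toJSON(env.PRERELEASE_VERSION) }}, "publish": "true"}'
      - name: Report result
        env:                            # pass outputs via env, not inline in the script
          CONCLUSION: ${{ steps.dispatch.outputs.workflow-conclusion }}
          RUN_URL: ${{ steps.dispatch.outputs.workflow-url }}
        run: echo "publish run ${CONCLUSION} ${RUN_URL}"
---
# --- .github/workflows/pypi_publish.yml (now top-level, fragment) ---
on:
  workflow_dispatch:
    inputs:
      git_ref: {type: string, required: false}
      version_override: {type: string, required: false}
      publish: {type: string, default: 'false'}     # dispatch inputs arrive as strings
  workflow_call:                                    # kept for backwards compatibility
    inputs:
      git_ref: {type: string, required: false}
      version_override: {type: string, required: false}
      publish: {type: boolean, default: false}
jobs:
  publish:
    if: ${{ inputs.publish == true || inputs.publish == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write                   # OIDC token requested by this top-level workflow
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.git_ref }}    # build the PR's code, not main
      # build and upload steps are unchanged and not shown on the page
```

The dispatched run takes its workflow definition from `main` but checks out `git_ref`, so the job holding `id-token: write` builds PR code; the PAT and the maintainer-only slash command are what gate that.
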
@devin-ai-integration (Contributor)

Original prompt from AJ Steers
Received message in Slack channel #ask-devin-ai:

@Devin Please refresh my memory on this one. IIRC:
1. We may already have a PR but I don't recall why it wasn't merged.
2. The destination-side fix (probably in the CDK) is to not care if a namespace is provided as null. (Difference between _not_ being sent or being sent _as null_ is a JSON delivery nuance.)

Thread URL: https://airbytehq-team.slack.com/archives/C08BHPUMEPJ/p1765591320408679

Quote of conversation (https://airbytehq-team.slack.com/archives/C06FZ238P8W/p1765588766040519?thread_ts=1765588766.040519&cid=C06FZ238P8W):
> From Biplove Jaisi
> Hi everyone :wave:

> I’m trying to use PyAirbyte to move data from an S3 source to an Iceberg destination. The sync from the source to DuckDB cache works fine, but when loading into Iceberg, I’m getting an error saying that the namespace cannot be null.

> The issue is that the S3 source doesn’t seem to have any field or config option to populate the namespace, so I’m not sure how to handle this requirement on the destination side.

> Has anyone faced this before or found a workaround? Any guidance would be really appreciated. Thanks in advance! :pray:
> Posted on December 13, 2025 at 01:19 AM

@devin-ai-integration (Contributor)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

@github-actions

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1765671538-fix-prerelease-oidc' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1765671538-fix-prerelease-oidc'

Helpful Resources

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /fix-pr - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test-pr - Runs tests with the updated PyAirbyte
  • /prerelease - Builds and publishes a prerelease version to PyPI

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.

@aaronsteers Aaron ("AJ") Steers (aaronsteers) merged commit cd1b390 into main Dec 14, 2025
22 of 23 checks passed
@aaronsteers Aaron ("AJ") Steers (aaronsteers) deleted the devin/1765671538-fix-prerelease-oidc branch December 14, 2025 00:23

coderabbitai bot commented Dec 14, 2025

Caution

Review failed

The pull request is closed.

📝 Walkthrough

The changes reconfigure the prerelease workflow to dispatch the pypi_publish workflow using a dedicated workflow-dispatch action instead of inline usage, adding input parameters for git reference and version override, and introducing a blocking wait mechanism with timeout for the dispatched workflow to complete.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Workflow dispatch refactoring: .github/workflows/prerelease-command.yml | Replaces inline workflow invocation with the-actions-org/workflow-dispatch@v4 action to trigger pypi_publish.yml on main branch. Passes git_ref, version_override, and publish inputs to dispatched workflow. Introduces blocking wait (timeout: 30m) with output exposure (workflow-conclusion, workflow-url). Updates PR status comments to link published workflow view and reference publish workflow URL on failure. Renames build step to "Trigger Publish Workflow". |
| Workflow dispatch inputs: .github/workflows/pypi_publish.yml | Adds three inputs to workflow_dispatch trigger: git_ref, version_override, and publish (default: 'false'). Extends publish job condition to accept both boolean and string representations (inputs.publish == true or inputs.publish == 'true'). Updates inline comment to reflect string handling. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify input/output mapping is correct between the two workflows and outputs are properly propagated
  • Confirm timeout value (30m) is appropriate for the publish workflow
  • Check boolean/string handling in conditional logic accounts for both trigger types (manual dispatch vs. tag)
  • Validate URL construction and formatting in PR comment templates with dynamic workflow reference
📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 3869ac4 and b5413aa.

📒 Files selected for processing (2)
  • .github/workflows/prerelease-command.yml (3 hunks)
  • .github/workflows/pypi_publish.yml (2 hunks)
