Conversation

@kinyoklion (Member)

Summary

Allow manual package publish and provenance.
Working build: https://github.com/launchdarkly/observability-sdk/actions/runs/16377594673/job/46281314100
Published package: https://pypi.org/project/launchdarkly-observability/

How did you test this change?

Are there any deployment considerations?

@kinyoklion kinyoklion marked this pull request as ready for review July 18, 2025 18:32
@kinyoklion kinyoklion requested a review from a team as a code owner July 18, 2025 18:32

@cursor cursor bot left a comment


Bug: Provenance Hash Mismatch in SDK Packages

The provenance hashes for the Python SDK packages are invalid. The action calculates hashes on an initial build, but then removes the dist directory and rebuilds the packages during the poetry publish --build step. This results in the recorded hashes not matching the actual published artifacts, breaking the provenance integrity.

.github/actions/publish-python-sdk/action.yml#L45-L65

- name: Build Python plugin
  shell: bash
  working-directory: ${{ inputs.workspace-path }}
  run: |
    make build
- name: Hash build files for provenance
  id: package-hashes
  shell: bash
  working-directory: ${{ inputs.workspace-path }}/dist
  run: |
    echo "package-hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Publish package distributions to PyPI
  working-directory: ${{ inputs.workspace-path }}
  shell: bash
  run: |
    poetry config pypi-token.pypi ${{ env.PYPI_AUTH_TOKEN }}
    rm -rf dist
    poetry publish --build --no-interaction

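The mismatch the bot describes is easy to reproduce outside a CI run. The script below is an added example, not code from this pull request or from the observability-sdk repository: it rebuilds the recorded-hash format the action uses (the `sha256sum` listing of `dist/`, base64-encoded) and adds the check a publish step should run immediately before upload, namely decoding the recorded blob and verifying it against the files that are actually about to be published. The `dist/` contents are constructed placeholder files standing in for a wheel and an sdist, and GNU coreutils (`sha256sum`, `base64 -w0`) are assumed, as on the ubuntu GitHub runners.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR or the observability-sdk repository.
# Assumes GNU coreutils (sha256sum, base64 -w0 / base64 -d).
set -euo pipefail

# Hash every file in a dist directory. Emits the same base64 blob the action
# stores in $GITHUB_OUTPUT as package-hashes.
hash_dist() {
  local dist="$1"
  ( cd "$dist" && sha256sum * | base64 -w0 )
}

# Decode a recorded blob and check it against the files currently in dist.
# Exit status 0 only if every recorded file is present and byte-identical;
# this is the gate a publish step should pass before uploading anything.
verify_dist() {
  local dist="$1" recorded="$2"
  ( cd "$dist" && printf '%s' "$recorded" | base64 -d | sha256sum -c --status )
}

# Walk through the failure mode: hash, then regenerate the artifacts, then
# verify against the stale hashes. Constructed files stand in for real builds.
demo() {
  local work dist recorded
  work="$(mktemp -d)"
  dist="$work/dist"
  mkdir -p "$dist"
  printf 'constructed wheel contents\n' > "$dist/example_pkg-0.1.0-py3-none-any.whl"
  printf 'constructed sdist contents\n' > "$dist/example_pkg-0.1.0.tar.gz"

  recorded="$(hash_dist "$dist")"
  verify_dist "$dist" "$recorded" && echo "ok: dist matches recorded hashes"

  # Simulate `rm -rf dist && poetry publish --build`: the artifacts are
  # regenerated after the hashes were taken. Any difference in the rebuilt
  # output (a build timestamp is enough) breaks the match.
  printf 'rebuilt wheel contents\n' > "$dist/example_pkg-0.1.0-py3-none-any.whl"
  if verify_dist "$dist" "$recorded"; then
    echo "unexpected: rebuilt dist still matches the recorded hashes"
    rm -rf "$work"
    return 1
  fi
  echo "mismatch detected: recorded hashes describe artifacts that were never published"
  rm -rf "$work"
}

demo
```

The design point is that `hash_dist` and `verify_dist` must look at the same directory contents: whatever is hashed for provenance is what must be uploaded, so a publish step should either reuse the already-built `dist/` (publish without rebuilding) or hash after the final build, and in either case run the `verify_dist` check last so a silent rebuild cannot slip through.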

@kinyoklion kinyoklion merged commit 96256e5 into main Jul 18, 2025
25 checks passed
@kinyoklion kinyoklion deleted the rlamb/shared-python-build branch July 18, 2025 18:40