Publish workflow

[matin]

Summary by CodeRabbit

• New Features

  • Introduced an automated workflow for publishing Python packages to PyPI upon release.

• Dependency Updates

  • Updated version constraint for requests-oauthlib to allow versions below 3.0.0.

[coderabbitai]

Walkthrough

This pull request introduces a new GitHub Actions workflow file, publish.yml, which automates the publishing of a Python package to PyPI upon the release of a new version. The workflow is triggered by the release event and includes steps for checking out the code, setting up Python, preparing the environment, building the package, and publishing it. Additionally, the pyproject.toml file is updated to broaden the version constraint for the requests-oauthlib dependency, allowing versions up to but not including 3.0.0.

Changes

File	Change Summary
.github/workflows/publish.yml	New workflow added to automate publishing to PyPI on release events.
pyproject.toml	Updated requests-oauthlib dependency version constraint from >=1.3.1,<2.0.0 to >=1.3.1,<3.0.0.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant GitHub Actions
    participant Python Package Index

    User->>GitHub Actions: Trigger release event
    GitHub Actions->>GitHub Actions: Checkout code
    GitHub Actions->>GitHub Actions: Setup Python 3.13
    GitHub Actions->>GitHub Actions: Run setup-uv action
    GitHub Actions->>GitHub Actions: Build package
    GitHub Actions->>Python Package Index: Publish package

Loading

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (c3e3ced) to head (ca75d7f).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #82   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           34        34           
  Lines         1292      1292           
=========================================
  Hits          1292      1292           

Flag	Coverage Δ
unittests	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between de386a5 and ca75d7f.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• .github/workflows/publish.yml (1 hunks)
• pyproject.toml (1 hunks)

🔇 Additional comments (5)

.github/workflows/publish.yml (4)

3-5: LGTM! Appropriate trigger configuration.

The workflow is correctly configured to trigger only on release publications, which is the ideal trigger for PyPI package publishing.

---

10-14: LGTM! Secure environment and permissions configuration.

The workflow follows security best practices:

• Uses dedicated environment for PyPI deployments
• Implements minimal OIDC token permissions
• Links to the correct package URL

---

29-30: LGTM! Secure publishing configuration.

Using the official PyPA action with a stable version tag is the recommended approach for PyPI publishing.

---

23-27: Verify the setup-uv action exists.

The workflow references a local action ./.github/actions/setup-uv. Please ensure this action exists and is properly configured.

✅ Verification successful

Local setup-uv action exists and is properly configured

The .github/actions/setup-uv action exists and is correctly set up. It's a composite action that wraps the official astral-sh/setup-uv@v4 action with configurable caching support.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if setup-uv action exists
if [ -f ".github/actions/setup-uv/action.yml" ]; then
    echo "setup-uv action exists"
    cat ".github/actions/setup-uv/action.yml"
else
    echo "setup-uv action is missing"
fi

Length of output: 457

pyproject.toml (1)

11-11: Verify compatibility with requests-oauthlib 2.x.

While broadening the version constraint allows for newer versions, please ensure compatibility with requests-oauthlib 2.x series, especially since the requests dependency is constrained to <3.0.0.

✅ Verification successful

Version constraint update appears safe

The codebase has minimal dependency on requests-oauthlib, using only OAuth1Session from the package in a single file (garth/sso.py). The current constraints in pyproject.toml show good alignment:

• requests: >=2.0.0,<3.0.0
• requests-oauthlib: >=1.3.1,<3.0.0

Since OAuth1Session is a stable feature and the usage is straightforward, allowing requests-oauthlib 2.x while keeping requests <3.0.0 is a reasonable change that maintains compatibility.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check changelog or release notes for breaking changes
gh api repos/requests/requests-oauthlib/releases | jq -r '.[].body' | grep -i "breaking"

# Verify if any issues mention compatibility problems
gh api search/issues -f q='repo:requests/requests-oauthlib is:issue label:compatibility' | jq '.items[].title'

Length of output: 373

---

Script:

#!/bin/bash
# Let's check the actual dependencies in the codebase to understand the usage
rg -l "requests_oauthlib" --type py

# Check imports and usage patterns
rg "from requests_oauthlib|import requests_oauthlib" -A 2

# Look for any requirements files that might have additional constraints
fd "requirements.*\.txt$|pyproject\.toml$" --exec cat {}

Length of output: 2018

[coderabbitai]

💡 Codebase verification

🛠️ Refactor suggestion

Consider using a stable Python version

The project requires Python >=3.10 and explicitly supports Python 3.12. Since Python 3.13 is still in development (alpha/beta), it's recommended to use Python 3.12 which is the latest stable version that meets the project's requirements.

-          python-version: "3.13"
+          python-version: "3.12"

🔗 Analysis chain

Consider using a stable Python version.

Python 3.13 is currently in development and may not be stable enough for production use. Consider using Python 3.12 which is the latest stable version.

-          python-version: "3.13"
+          python-version: "3.12"

---

The initial check confirmed Python 3.12 support, but let's verify if there are any specific version constraints in the project configuration that might affect the choice of Python version.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if package supports Python 3.12
rg "Programming Language :: Python :: 3.12" pyproject.toml

Length of output: 106

---

Script:

#!/bin/bash
# Check if there are any Python version constraints in pyproject.toml
rg "python.*=.*" pyproject.toml

# Check if there are any Python version constraints in requirements files
fd requirements.txt --exec cat {}

Length of output: 98

[matin]

3.13 is now stable

[coderabbitai]

@matin, thank you for the update. If Python 3.13 is now stable, then using it in the workflow is appropriate.

---

✏️ Learnings added

Learnt from: matin
PR: matin/garth#82
File: .github/workflows/publish.yml:19-21
Timestamp: 2024-12-11T07:00:46.505Z
Learning: Python 3.13 is now stable.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.