
CI hygiene: split deploy job + dedicated env, skip CI on docs-only changes#332

Merged: ksuderman merged 2 commits into main from split-publish-job, May 20, 2026

Conversation

@nuwang (Contributor) commented May 20, 2026

Two unrelated CI tweaks bundled together.

1. Tighten trusted-publishing blast radius (follow-up to #330). ping @nsoranzo

Addresses #330 (comment).

  • Split deploy.yaml into build_packages (no special permissions, uploads the sdist/wheel as an artifact) and publish (downloads and uploads). Only publish requests id-token: write, so the OIDC token can no longer be minted during the build step.
  • Pin the publish job to a dedicated pypi GitHub environment so the trusted-publisher binding (and any future protection rules / environment-scoped secrets) is isolated to that environment rather than the whole repo.

PyPI and Test PyPI trusted-publisher configuration already updated.

2. Skip integration CI on docs-only changes

Adds paths-ignore for docs/**, **.md, **.rst, and LICENSE on every trigger in integration.yaml and integration-cloud.yaml. Doc-only PRs and pushes no longer burn lint, mock-provider, and cloud-provider test minutes.
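As an added example (not the project's own deploy.yaml, which is not shown on this page), here is a workflow laid out the way the description above proposes: a build job with read-only permissions that hands the sdist/wheel over as an artifact, and a publish job that is the only place `id-token: write` is granted, pinned to the `pypi` environment. The job names `build_packages` and `publish` and the `pypi` environment name come from the PR; the release trigger, the action versions (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `pypa/gh-action-pypi-publish@release/v1`) and the Python version are assumptions.

```yaml
name: Deploy

# Trigger is an assumption; the PR does not say what fires deploy.yaml.
on:
  release:
    types: [published]

# Workflow-level default: no permissions at all. Each job must opt in
# to exactly what it needs, so a new job cannot inherit id-token: write.
permissions: {}

jobs:
  build_packages:
    runs-on: ubuntu-latest
    # Building only needs to read the repository. This job runs
    # setup.py/pyproject build hooks, so it must never hold an OIDC token.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed version
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Hand the distributions to the publish job as an artifact
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
          if-no-files-found: error   # fail loudly instead of publishing nothing

  publish:
    needs: build_packages
    runs-on: ubuntu-latest
    # The trusted-publisher binding on PyPI is scoped to this environment
    # name; protection rules and environment secrets attach here, not repo-wide.
    environment: pypi
    # Only this job may mint an OIDC token. No `contents: read`: it does not
    # check out the repository, so no repository code runs alongside the token.
    permissions:
      id-token: write
    steps:
      - name: Download the artifact produced by build_packages
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Publish to PyPI via trusted publishing (no API token secret)
        uses: pypa/gh-action-pypi-publish@release/v1
```

The publish job deliberately has no checkout step: the token it can mint is exchanged by the publish action alone, and the only input it sees is the artifact the build job produced. A Test PyPI publish would be a second job of the same shape with its own environment name and the action's `repository-url` input pointing at the test index, so that each index has its own trusted-publisher binding and its own protection rules.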

nuwang added 2 commits May 20, 2026 23:54
Only the publish job needs `id-token: write`, narrowing the OIDC
trust boundary as suggested in
#330 (comment).
The publish job is also pinned to a `pypi` GitHub environment so
maintainers can scope the trusted-publisher binding (and any future
protection rules / secrets) to that environment.

Adds paths-ignore for docs/, *.md, *.rst, and LICENSE on the
pull_request, push, and pull_request_target triggers in the two
integration workflows. Avoids spending lint, mock, and cloud
test minutes on changes that can't affect runtime behavior.
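As an added example of the docs-only skip from the second commit (not the project's integration.yaml, which this page does not show), the trigger section below carries the four `paths-ignore` patterns from the PR description on each of the three triggers the commit names. The branch filter on `push` and the placeholder `lint` job are assumptions.

```yaml
name: Integration tests

on:
  pull_request:
    paths-ignore:
      - "docs/**"
      - "**.md"
      - "**.rst"
      - "LICENSE"
  push:
    branches: [main]   # assumed branch filter
    paths-ignore:
      - "docs/**"
      - "**.md"
      - "**.rst"
      - "LICENSE"
  # The list is repeated verbatim on each trigger: GitHub Actions workflow
  # files do not support YAML anchors, so it cannot be shared.
  pull_request_target:
    paths-ignore:
      - "docs/**"
      - "**.md"
      - "**.rst"
      - "LICENSE"

# Read-only by default; pull_request_target otherwise runs with a
# write-capable token on PRs from forks.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Placeholder for the real lint step (assumption)
        run: echo "lint would run here"
```

One check worth doing after adding path filters: if any of these workflows' jobs are configured as required status checks on `main`, a docs-only PR will show them as pending rather than passed and cannot be merged until that is accounted for (for example by requiring a job that is not path-filtered, or by not marking the filtered jobs as required). The `**.md` pattern also skips CI for a README at the repository root, which is the intent here, but it means a change to a README that is itself consumed at runtime (for instance as the package's long description) is not exercised before merge.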
@nuwang nuwang changed the title Tighten trusted-publishing blast radius: split build/publish + dedicated env CI hygiene: split deploy job + dedicated env, skip CI on docs-only changes May 20, 2026
@nuwang nuwang requested a review from ksuderman May 20, 2026 18:34
@ksuderman (Contributor) left a comment


LGTM

@ksuderman ksuderman merged commit 4d7999a into main May 20, 2026
3 checks passed
@ksuderman ksuderman deleted the split-publish-job branch May 20, 2026 19:47
@nsoranzo (Contributor) commented

Thanks @nuwang!
