From c634f0e962507714202615f3fa65bfa448348f45 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 23 Dec 2025 15:50:44 +0000
Subject: [PATCH 1/5] Initial plan


From 4e652a8cf69ccd314aaf697d0e0bfa5fd14a0a3d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 23 Dec 2025 16:00:17 +0000
Subject: [PATCH 2/5] Add PyPI publishing steps with non-dev filtering

- Add pypi-username and pypi-password secrets to _publish.yml
- Add step to filter non-dev Python artifacts using jq action
- Add PyPI publishing step using twine before GitHub release
- Support dry-run mode for PyPI publishing
- Pass PyPI secrets from publish.yml workflow

Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
---
 .github/workflows/_publish.yml | 61 ++++++++++++++++++++++++++++++++++
 .github/workflows/publish.yml  |  2 ++
 2 files changed, 63 insertions(+)

diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
index b0590543ae..51c58268ff 100644
--- a/.github/workflows/_publish.yml
+++ b/.github/workflows/_publish.yml
@@ -8,6 +8,8 @@ on:
     secrets:
       app-id:
       app-key:
+      pypi-username:
+      pypi-password:
 
     inputs:
       actions-version:
@@ -357,6 +359,65 @@ jobs:
           Size
         input: ${{ steps.artifact-sizes.outputs.value }}
 
+    - name: Filter non-dev Python artifacts
+      id: python-artifacts-nondev
+      if: >-
+        fromJSON(steps.afterall.outputs.continue)
+        && ! fromJSON(steps.python.outputs.version).is_dev
+      uses: envoyproxy/toolshed/gh-actions/jq@9b8b4d2e89c1f649303636b913f184e9f8324937
+      with:
+        input: ${{ steps.artifacts.outputs.output }}
+        filter: |
+          to_entries
+          | map(select(.key | startswith("python:")))
+          | map(select(.key | contains("-dev-") | not))
+          | map(.value.path)
+    - name: >-
+        Publish Python packages to PyPI
+        ${{ (inputs.event == 'pull_request' || inputs.dry-run)
+             && '(dry-run)'
+             || ''  }}
+      id: pypi-publish
+      if: >-
+        fromJSON(steps.afterall.outputs.continue)
+        && ! fromJSON(steps.python.outputs.version).is_dev
+      env:
+        TWINE_USERNAME: ${{ secrets.pypi-username }}
+        TWINE_PASSWORD: ${{ secrets.pypi-password }}
+        TWINE_NON_INTERACTIVE: "1"
+      run: |
+        set -e
+        echo "Installing pants and dependencies..."
+        
+        # Get list of non-dev artifacts
+        ARTIFACTS='${{ steps.python-artifacts-nondev.outputs.value }}'
+        echo "Non-dev artifacts to publish:"
+        echo "$ARTIFACTS" | jq -r '.[]'
+        
+        if [ "$ARTIFACTS" = "[]" ] || [ -z "$ARTIFACTS" ]; then
+          echo "No non-dev artifacts to publish"
+          exit 0
+        fi
+        
+        # Install twine
+        pip install twine
+        
+        # Publish to PyPI
+        if [ "${{ inputs.event == 'pull_request' || inputs.dry-run }}" = "true" ]; then
+          echo "DRY RUN: Would publish the following packages:"
+          echo "$ARTIFACTS" | jq -r '.[]' | while read -r artifact; do
+            echo "  - $artifact"
+            twine check "$artifact"
+          done
+        else
+          echo "Publishing packages to PyPI..."
+          echo "$ARTIFACTS" | jq -r '.[]' | while read -r artifact; do
+            echo "Publishing $artifact..."
+            twine upload --non-interactive "$artifact"
+          done
+          echo "All packages published successfully"
+        fi
+
     - name: >-
         Publish actions release
         ${{ (inputs.event == 'pull_request' || inputs.dry-run)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2151dc6d75..4ebf59257e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,6 +23,8 @@ jobs:
     secrets:
       app-id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }}
       app-key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }}
+      pypi-username: ${{ secrets.PYPI_USERNAME }}
+      pypi-password: ${{ secrets.PYPI_PASSWORD }}
     uses: ./.github/workflows/_publish.yml
     with:
       committer-email: "140627008+publish-envoy[bot]@users.noreply.github.com"

From b5b068c5dcd1d31a67d0cd70ff753112664dc8d7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 23 Dec 2025 16:02:05 +0000
Subject: [PATCH 3/5] Refine PyPI publishing implementation

- Fix dry-run conditional logic in bash script
- Add setup-python step for PyPI publishing
- Correct comment about installing dependencies

Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
---
 .github/workflows/_publish.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
index 51c58268ff..803a9fec67 100644
--- a/.github/workflows/_publish.yml
+++ b/.github/workflows/_publish.yml
@@ -372,6 +372,13 @@ jobs:
           | map(select(.key | startswith("python:")))
           | map(select(.key | contains("-dev-") | not))
           | map(.value.path)
+    - name: Setup Python for PyPI publishing
+      if: >-
+        fromJSON(steps.afterall.outputs.continue)
+        && ! fromJSON(steps.python.outputs.version).is_dev
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # v6.1.0
+      with:
+        python-version: "3.12"
     - name: >-
         Publish Python packages to PyPI
         ${{ (inputs.event == 'pull_request' || inputs.dry-run)
@@ -387,7 +394,7 @@ jobs:
         TWINE_NON_INTERACTIVE: "1"
       run: |
         set -e
-        echo "Installing pants and dependencies..."
+        echo "Preparing to publish Python packages to PyPI..."
         
         # Get list of non-dev artifacts
         ARTIFACTS='${{ steps.python-artifacts-nondev.outputs.value }}'
@@ -403,7 +410,8 @@ jobs:
         pip install twine
         
         # Publish to PyPI
-        if [ "${{ inputs.event == 'pull_request' || inputs.dry-run }}" = "true" ]; then
+        DRY_RUN="${{ inputs.event == 'pull_request' || inputs.dry-run }}"
+        if [ "$DRY_RUN" = "true" ]; then
           echo "DRY RUN: Would publish the following packages:"
           echo "$ARTIFACTS" | jq -r '.[]' | while read -r artifact; do
             echo "  - $artifact"

From 9c174c98a3adf058025459329178b4bbbf6078ba Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 23 Dec 2025 16:06:43 +0000
Subject: [PATCH 4/5] Fix code review issues

- Fix inputs['dry-run'] reference syntax (hyphenated input names need brackets)
- Replace while-read loops with for loops to properly propagate errors
- Ensures twine check/upload failures are caught by set -e

Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
---
 .github/workflows/_publish.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
index 803a9fec67..b134bfa24f 100644
--- a/.github/workflows/_publish.yml
+++ b/.github/workflows/_publish.yml
@@ -381,7 +381,7 @@ jobs:
         python-version: "3.12"
     - name: >-
         Publish Python packages to PyPI
-        ${{ (inputs.event == 'pull_request' || inputs.dry-run)
+        ${{ (inputs.event == 'pull_request' || inputs['dry-run'])
              && '(dry-run)'
              || ''  }}
       id: pypi-publish
@@ -410,16 +410,16 @@ jobs:
         pip install twine
         
         # Publish to PyPI
-        DRY_RUN="${{ inputs.event == 'pull_request' || inputs.dry-run }}"
+        DRY_RUN="${{ inputs.event == 'pull_request' || inputs['dry-run'] }}"
         if [ "$DRY_RUN" = "true" ]; then
           echo "DRY RUN: Would publish the following packages:"
-          echo "$ARTIFACTS" | jq -r '.[]' | while read -r artifact; do
+          for artifact in $(echo "$ARTIFACTS" | jq -r '.[]'); do
             echo "  - $artifact"
             twine check "$artifact"
           done
         else
           echo "Publishing packages to PyPI..."
-          echo "$ARTIFACTS" | jq -r '.[]' | while read -r artifact; do
+          for artifact in $(echo "$ARTIFACTS" | jq -r '.[]'); do
             echo "Publishing $artifact..."
             twine upload --non-interactive "$artifact"
           done

From 997127371dad95bd4ea4258e4939a95c7ec1c936 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 23 Dec 2025 16:08:25 +0000
Subject: [PATCH 5/5] Use consistent inputs.dry-run syntax

- Change inputs['dry-run'] to inputs.dry-run for consistency
- Matches the syntax used throughout the rest of the file

Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
---
 .github/workflows/_publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
index b134bfa24f..cd86da89ee 100644
--- a/.github/workflows/_publish.yml
+++ b/.github/workflows/_publish.yml
@@ -381,7 +381,7 @@ jobs:
         python-version: "3.12"
     - name: >-
         Publish Python packages to PyPI
-        ${{ (inputs.event == 'pull_request' || inputs['dry-run'])
+        ${{ (inputs.event == 'pull_request' || inputs.dry-run)
              && '(dry-run)'
              || ''  }}
       id: pypi-publish
@@ -410,7 +410,7 @@ jobs:
         pip install twine
         
         # Publish to PyPI
-        DRY_RUN="${{ inputs.event == 'pull_request' || inputs['dry-run'] }}"
+        DRY_RUN="${{ inputs.event == 'pull_request' || inputs.dry-run }}"
         if [ "$DRY_RUN" = "true" ]; then
           echo "DRY RUN: Would publish the following packages:"
           for artifact in $(echo "$ARTIFACTS" | jq -r '.[]'); do