Files
wehub-resource-sync 9740bc64c9
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier1) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (full-adr060) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (tdm-3node) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / Swarm Test (ADR-062) (push) Has been skipped
npm packages / tools/ruview-mcp (node 22) (push) Failing after 1s
nvsim-server → ghcr.io / build-and-publish (push) Failing after 1s
ruview-swarm CI guard / tests (full+train) (push) Failing after 2s
Bench Regression Guard / bench compile-verify (--no-run) (push) Failing after 0s
Bench Regression Guard / bench fast-run (informational, non-gating) (push) Has been skipped
Firmware CI / Verify version.txt matches release tag (push) Has been skipped
Dashboard a11y + cross-browser / a11y (push) Failing after 0s
nvsim Dashboard → GitHub Pages / build-and-deploy (push) Failing after 2s
Firmware CI / Build firmware (esp32s3 / 4mb) (push) Failing after 15s
Firmware QEMU Tests (ADR-061) / Build Espressif QEMU (push) Failing after 1s
Firmware QEMU Tests (ADR-061) / Fuzz Testing (ADR-061 Layer 6) (push) Failing after 1s
Continuous Deployment / Pre-deployment Checks (push) Has been skipped
Firmware CI / Build firmware (esp32c6 / c6-4mb) (push) Failing after 15s
Firmware CI / Build firmware (esp32s3 / 8mb) (push) Failing after 15s
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-max) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-min) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (default) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier0) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / NVS Matrix Generation (push) Failing after 1s
Security Scanning / Security Policy Compliance (push) Failing after 0s
Security Scanning / Dependency Vulnerability Scan (push) Failing after 0s
Security Scanning / Static Application Security Testing (push) Failing after 1s
Security Scanning / Infrastructure Security Scan (push) Failing after 1s
Security Scanning / Secret Scanning (push) Failing after 1s
npm packages / harness/ruview (node 22) (push) Failing after 17s
Security Scanning / License Compliance Scan (push) Failing after 1s
Security Scanning / Container Security Scan (push) Failing after 4s
three.js demos → GitHub Pages / build-and-deploy (push) Failing after 1s
Verify Pipeline Determinism / Verify Pipeline Determinism (3.11) (push) Failing after 1s
Fix-Marker Regression Guard / Verify fix markers (push) Failing after 1s
ADR-115 MQTT integration tests / mqtt-integration (push) Failing after 1s
npm packages / harness/ruview (node 20) (push) Failing after 1s
npm packages / tools/ruview-mcp (node 20) (push) Failing after 1s
npm packages / tools/ruview-cli (node 20) (push) Failing after 1s
npm packages / tools/ruview-cli (node 22) (push) Failing after 1s
BFLD MQTT Integration / cargo test --features mqtt (live mosquitto) (push) Failing after 29s
ruview-swarm CI guard / build train_marl bin (push) Failing after 2s
ruview-swarm CI guard / clippy (-D warnings, --no-deps) (push) Failing after 3s
ruview-swarm CI guard / tests (ruflo) (push) Failing after 1s
ruview-swarm CI guard / tests (train) (push) Failing after 2s
ruview-swarm CI guard / tests (default) (push) Failing after 2s
Point Cloud Viewer → GitHub Pages / build-and-deploy (push) Failing after 8s
ruview-swarm CI guard / ITAR / publish guard (push) Failing after 0s
wifi-densepose sensing-server → Docker Hub + ghcr.io / build · push · smoke-test (push) Failing after 1s
Continuous Deployment / Deploy to Production (push) Has been cancelled
Continuous Deployment / Rollback Deployment (push) Has been cancelled
Continuous Deployment / Post-deployment Monitoring (push) Has been cancelled
Continuous Deployment / Notify Deployment Status (push) Has been cancelled
Continuous Deployment / Deploy to Staging (push) Has been cancelled
Security Scanning / Security Report (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 11:59:54 +08:00

2.4 KiB
Raw Permalink Blame History

PyPI release runbook — wifi-densepose + ruview

Operations doc for the .github/workflows/pip-release.yml CI workflow.

Auth

The workflow uses one GitHub Actions secret named PYPI_API_TOKEN. It's a project-token issued by the rUv PyPI account with upload scope for both wifi-densepose and ruview.

Refreshing the token

The canonical copy of the token lives in GCP Secret Manager, project cognitum-20260110, entry name PYPI_TOKEN. To push a fresh copy into GitHub Actions:

gcloud secrets versions access latest \
    --secret=PYPI_TOKEN \
    --project=cognitum-20260110 \
  | tr -d '\r\n\xef\xbb\xbf' \
  | gh secret set PYPI_API_TOKEN --repo ruvnet/RuView

The tr step strips any BOM / CRLF that PowerShell pipes or Windows editors may have introduced — without it, twine fails with UnicodeEncodeError: 'latin-1' codec can't encode character ''.

Triggering a release

Two paths:

  • Tag pushgit tag v2.X.Y-pip && git push origin v2.X.Y-pip — publishes the v2 wheel matrix. v1.99.0-pip triggers the tombstone job instead.
  • Manual dispatchgh workflow run pip-release.yml --ref <branch> -f target=v2-wheels -f publish_to=pypi. Use publish_to=testpypi for a dry-run target if a TestPyPI token is also set as TESTPYPI_API_TOKEN.

Release-day sequence

Per ADR-117 §7.3, the tombstone publishes first so it claims the "current" slot in pip's resolver:

  1. git tag v1.99.0-pip && git push origin v1.99.0-pip → tombstone live at https://pypi.org/project/wifi-densepose/1.99.0/
  2. Verify: pip install wifi-densepose==1.99.0; python -c "import wifi_densepose" → ImportError with migration URL.
  3. git tag v2.0.0-pip && git push origin v2.0.0-pip → v2 wheel matrix live at https://pypi.org/project/wifi-densepose/2.0.0/.
  4. (Optional, in lock-step) build + publish a matching ruview release from python/ruview-meta/ so the meta-package version stays pinned to the same wifi-densepose version.

Off-loop manual gates

  • Q3 (ADR-117 §11.3) — generate expected_features_v2.sha256 from the v2 Rust pipeline before any v2 publish.
  • OIDC Trusted Publisher — not used. The workflow is token-based; this is a deliberate choice to keep the secret refresh entirely in GCP. If the project migrates to OIDC later, remove password: from pypa/gh-action-pypi-publish calls and add the publisher registration on pypi.org.