From 7f5ff5ce3107f9f5ebca630f04a2a391852c0650 Mon Sep 17 00:00:00 2001
From: shivasurya <s.shivasurya@gmail.com>
Date: Mon, 19 Jan 2026 22:57:17 -0500
Subject: [PATCH] fix(ci): restrict PyPI publish to release events and manual
 triggers

Changes the PyPI publishing workflow to run only on:
1. Release published events (not drafts) - using 'release: types: [published]'
2. Manual workflow_dispatch with version input

Removes the 'push: tags:' trigger that ran on any tag push.

This provides better control over when PyPI packages are published:
- Releases can be prepared as drafts without triggering publish
- Only finalized releases trigger automatic publishing
- Manual override available via workflow_dispatch when needed

Updated version detection logic:
- Extracts version from github.event.release.tag_name for releases
- Strips 'v' prefix if present
- Falls back to workflow_dispatch version input
- Errors if neither source is available

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 .github/workflows/pypi-publish.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 0340c2b9..a6fe9a8a 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -1,9 +1,8 @@
 name: Publish to PyPI
 
 on:
-  push:
-    tags:
-      - 'v*'
+  release:
+    types: [published]
   workflow_dispatch:
     inputs:
       version:
@@ -57,19 +56,20 @@ jobs:
         with:
           python-version: '3.11'
 
-      - name: Get version from tag
+      - name: Get version from release or input
         id: version
         shell: bash
         run: |
           if [[ "${{ github.event.inputs.version }}" != "" ]]; then
             # Manual workflow_dispatch with version input
             VERSION="${{ github.event.inputs.version }}"
-          elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
-            # Tag push
-            VERSION=${GITHUB_REF#refs/tags/v}
+          elif [[ "${{ github.event.release.tag_name }}" != "" ]]; then
+            # Release published event - strip 'v' prefix if present
+            VERSION="${{ github.event.release.tag_name }}"
+            VERSION=${VERSION#v}
           else
-            # Fallback for pull_request
-            VERSION=$(python -c "import sys; sys.path.insert(0, 'python-sdk'); from codepathfinder import __version__; print(__version__)")
+            echo "Error: No version source found. This workflow should be triggered by release publish or manual dispatch."
+            exit 1
           fi
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "Version: $VERSION"