chore(ci): add workflow to publish dev Python SDK

[tothandras]

NOTE:
Remove --dry-run when Python SDK interface is in a good state.

Summary by CodeRabbit

• Chores
  • Added a new Python SDK beta release workflow to automate alpha-tagged pre-release publishing via GitHub Actions, with reproducible build and caching support.
  • Uses explicit action versions and secure token handling for controlled releases.
  • Removed the prior automated Python SDK generation and pull-request creation workflow to simplify the release pipeline.

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces the Dagger-based Python SDK generation workflow by deleting .github/workflows/sdk-python.yaml and adding a new Nix-based beta release workflow .github/workflows/sdk-python-dev-release.yaml that computes a short commit SHA and runs a Nix publish pipeline to push an alpha pre-release to PyPI.

Changes

Cohort / File(s)	Summary
New beta release workflow .github/workflows/sdk-python-dev-release.yaml	Adds a "Python SDK Beta Release" GitHub Actions workflow (triggers: workflow_dispatch, push to main). Steps: checkout, compute 12-char short SHA (exposed as output), set up Nix, restore Nix store cache (layered keys), and run nix develop ... publish-python-sdk with env vars PY_SDK_RELEASE_TAG=alpha, COMMIT_SHORT_SHA, and PYPI_TOKEN from secrets. Uses explicit action versions and token handling.
Removed generation workflow .github/workflows/sdk-python.yaml	Removes the previous "Python SDK" workflow that used Dagger to generate the Python SDK and created a pull request via create-pull-request. Included DAGGER_VERSION env and PR automation steps.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant Repo as Repository
    participant Nix as Nix Tooling
    participant PyPI as PyPI

    note over GH,Repo #E8F6FF: New beta release workflow
    GH->>Repo: checkout code
    GH->>Repo: compute short SHA (12 chars) -> output `COMMIT_SHORT_SHA`
    GH->>Nix: setup Nix (action)
    GH->>Nix: restore Nix store cache (layered keys)
    GH->>Nix: run `nix develop ... publish-python-sdk` (env: `PY_SDK_RELEASE_TAG=alpha`, `COMMIT_SHORT_SHA`, `PYPI_TOKEN`)
    Nix->>PyPI: publish pre-release package (uses `PYPI_TOKEN`)
    PyPI-->>GH: publish result (success/failure)

Loading

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant Repo as Repository
    participant Dagger as Dagger (removed)

    note over GH,Repo #FFF3E0: Old generation workflow (removed)
    GH->>Repo: checkout code
    GH->>Dagger: run `generate python-sdk -o api/client/python` (with cloud token & `DAGGER_VERSION`)
    Dagger->>Repo: write generated SDK
    GH->>GH: create pull request from `openapi/python-sdk` (create-pull-request)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Pay attention to:
  • Nix publish invocation and environment variable wiring (COMMIT_SHORT_SHA, PY_SDK_RELEASE_TAG, PYPI_TOKEN)
  • Cache key composition and restore step
  • Confirm removal of the Dagger workflow doesn't leave stale automation or docs references

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'chore(ci): add workflow to publish dev Python SDK' directly and accurately summarizes the main change in the changeset. The PR adds a new GitHub Actions workflow file (sdk-python-dev-release.yaml) that publishes a development Python SDK, and removes an older generation workflow. The title is concise, specific, and clearly communicates the primary purpose of the changes to someone reviewing the git history.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/ci-python-sdk

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d8ac23e and 9830d0d.

⛔ Files ignored due to path filters (3)

• api/client/python/Makefile is excluded by !api/client/**
• api/client/python/openmeter/__init__.py is excluded by !api/client/**
• api/client/python/openmeter/_commit.py is excluded by !api/client/**

📒 Files selected for processing (2)

• .github/workflows/sdk-python-dev-release.yaml (1 hunks)
• .github/workflows/sdk-python.yaml (0 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/sdk-python.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/sdk-python-dev-release.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Artifacts / Container image
• GitHub Check: Artifacts / Benthos Collector Container image
• GitHub Check: Code Generators
• GitHub Check: Migration Checks
• GitHub Check: Lint
• GitHub Check: Test
• GitHub Check: Build
• GitHub Check: Analyze (go)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/sdk-python-dev-release.yaml (1)

6-10: Consider the intended trigger frequency.

The workflow triggers on every push to main, which could result in a dev release for each commit. Is this the desired behavior, or should it be workflow_dispatch only or run on a schedule? If frequent releases are intended, that's fine—just wanted to flag it for confirmation.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 711b47d and 434c0c3.

⛔ Files ignored due to path filters (2)

• api/client/python/Makefile is excluded by !api/client/**
• api/client/python/openmeter/_version.py is excluded by !api/client/**

📒 Files selected for processing (2)

• .github/workflows/sdk-python-dev-release.yaml (1 hunks)
• .github/workflows/sdk-python.yaml (0 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/sdk-python.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: Repository Scan
• GitHub Check: Artifacts / Benthos Collector Container image
• GitHub Check: Artifacts / Container image
• GitHub Check: Lint
• GitHub Check: Build
• GitHub Check: Migration Checks
• GitHub Check: Code Generators
• GitHub Check: Test
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

.github/workflows/sdk-python-dev-release.yaml (1)

50-54: No issues found—version handling is intentional and working correctly.

The 1.0.0a0 base version in the workflow is the intended pattern for dev releases. The Makefile's publish-python-sdk target dynamically generates openmeter/_version.py and updates pyproject.toml using the PY_SDK_RELEASE_VERSION env var passed from the workflow. The placeholder 0.0.0 in the source files gets overwritten at build time, and the SHA ensures each dev build is uniquely versioned. This is a solid approach for pre-release versioning.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

The checkout will fail on push events due to empty github.head_ref.

github.head_ref is only populated for pull request events and will be empty for push events. When this workflow triggers on push to main (line 8-10), the checkout will attempt to use an empty ref, which will fail.

Remove the ref line to default to ${{ github.sha }}, or explicitly use that:

       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          ref: ${{ github.head_ref }}
           persist-credentials: false

Alternatively, if you specifically need the head_ref for some reason, constrain the trigger to workflow_dispatch only (remove the push trigger).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Checkout repository
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	ref: ${{ github.head_ref }}
	persist-credentials: false
	- name: Checkout repository
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false

🤖 Prompt for AI Agents

In .github/workflows/sdk-python-dev-release.yaml around lines 18 to 22, the
checkout step uses ref: ${{ github.head_ref }} which is empty on push events and
will cause checkout to fail; remove the ref line so actions/checkout defaults to
the commit (or replace it with ref: ${{ github.sha }}), or if you truly need
head_ref restrict the workflow triggers to PR events or workflow_dispatch only;
update the step accordingly and ensure persist-credentials remains unchanged.