Releasing lgtmaybe (maintainers)¶
Releases are automated by release-please (.github/workflows/release-please.yml).
It reads the conventional commits merged to main and keeps a "Release PR"
open that bumps the version and regenerates CHANGELOG.md. Merging that PR is
the release: it cuts the tag and the GitHub release, then the same run publishes —
PyPI via trusted publishing (OIDC) and the GHCR image + floating v1 tag
via the reusable .github/workflows/release.yml (built-in GITHUB_TOKEN). No
publish tokens live in secrets.
Commit messages must follow conventional-commit format — .github/workflows/commitlint.yml
enforces it on PRs so release-please can compute the next version.
The only human-only pieces:
One-time setup¶
- On PyPI, add a trusted publisher for this repo: workflow
release-please.yml, environmentpypi(noPYPI_TOKENsecret — auth is via OIDC). The publish job is inline in that workflow on purpose: PyPI trusted publishing requires the OIDCjob_workflow_refto equal the top-level workflow. - Create the repo environment named
pypi(Settings → Environments). - After the first release, set the GHCR package visibility to public so
consumers can
docker pullthe image (Packages → lgtmaybe → Package settings). - First release only: from the GitHub release page, tick "Publish this Action
to the GitHub Marketplace", accept the terms, and pick the categories
code-reviewandcontinuous-integration.
Each release¶
- Merge feature/fix PRs to
mainusing conventional-commit messages (feat:,fix:,feat!:/BREAKING CHANGE:for a major bump). - release-please opens or updates the Release PR automatically. Review the proposed version + changelog, then merge it to publish.
- To (re)publish an existing tag to PyPI without a new release, run the
release-pleaseworkflow via workflow_dispatch with the tag name.