feat: automated release workflow (version check + PyPI publish)

[GabrielBG0]

Summary

• Adds .github/workflows/auto-release.yml — a self-contained release workflow that runs on every push to main
• Removes .github/workflows/release_to_pypi.yml (now redundant)
• Migrates minerva/__init__.py to use importlib.metadata so pyproject.toml is the single source of truth for the version

How it works

1. Version check — reads version from pyproject.toml and compares it against the latest GitHub Release tag using packaging.version. Exits early if the version has not changed or the tag already exists (idempotent).
2. Build — uv build
3. GitHub Release — created via gh release create with auto-generated notes and the built dist artifacts attached.
4. PyPI publish — OIDC trusted publish via pypa/gh-action-pypi-publish.

A concurrency: group: release lock prevents race conditions if two pushes land in quick succession.

To release a new version going forward: bump version in pyproject.toml, push/merge to main — everything else is automatic.

Notes

• minerva/__init__.py now reads __version__ dynamically from the installed package metadata via importlib.metadata. No version string ever needs to be manually updated outside of pyproject.toml.
• release_to_pypi.yml is removed because auto-release.yml covers the full release flow. Releases created via GITHUB_TOKEN do not re-trigger other workflows, so there is no risk of double-publishing.
• The pypi GitHub environment and its OIDC trust configuration remain unchanged.

🤖 Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@GabrielBG0, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 59 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8a823ddd-47ab-431c-9c7d-ea9a7b812d0f

📥 Commits

Reviewing files that changed from the base of the PR and between 5055e78 and fc97e5a.

📒 Files selected for processing (2)

• .github/workflows/auto-release.yml
• minerva/__init__.py

📝 Walkthrough

Walkthrough

The PR replaces manual GitHub release triggering with a fully automated release pipeline. On every push to main, a new workflow detects version changes in pyproject.toml, migrates the module to fetch __version__ from importlib.metadata, builds the package, creates a GitHub release with auto-generated notes, and publishes to PyPI.

Changes

Automated Release Pipeline

Layer / File(s)	Summary
Workflow trigger and permissions .github/workflows/auto-release.yml	Configures the workflow to run on pushes to main with contents: write and id-token: write permissions for release creation and OIDC PyPI authentication.
Version detection and release tag lookup .github/workflows/auto-release.yml	Reads the current package version from pyproject.toml, checks whether a corresponding v{version} GitHub release already exists, and fetches the latest release tag for comparison.
Version comparison and conditional gating .github/workflows/auto-release.yml	Normalizes semantic versions by stripping pre-release suffixes (-beta, -alpha, -rc), compares the current version against the latest release using packaging.version.Version, and gates downstream steps on whether the version is newer.
Module version migration and push .github/workflows/auto-release.yml	Conditionally rewrites minerva/__init__.py to derive __version__ from importlib.metadata with a fallback to "unknown", detects file changes via git diff, commits the migration, and pushes back to the repository.
Package build and GitHub release creation .github/workflows/auto-release.yml	Builds the package with uv build, creates a GitHub release with the new version tag, attaches built artifacts, and auto-generates release notes.
PyPI publication .github/workflows/auto-release.yml	Publishes the built distributions to PyPI using pypa/gh-action-pypi-publish with OIDC authentication.
Removed manual release trigger .github/workflows/release_to_pypi.yml (deleted)	The previous release_to_pypi.yml workflow that triggered on GitHub Releases and deployed to PyPI has been removed and replaced by the automated flow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• discovery-unicamp/Minerva#107: Prior PR directly refactored the .github/workflows/release_to_pypi.yml file that this PR fully removes and replaces with the new automated release workflow.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding an automated release workflow with version checking and PyPI publishing. It is specific, concise, and directly related to the primary objective of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description is comprehensive and well-structured, covering the changes, implementation details, and migration notes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

.github/workflows/auto-release.yml (1)

28-31: ⚡ Quick win

Consider disabling uv caching in this publish workflow.

astral-sh/setup-uv enables caching by default. For a privileged release/publish job, a poisoned cache could influence the built and published artifacts. Disabling the cache here removes that vector at negligible cost.

♻️ Proposed change

       - name: Install uv
         uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
         with:
           python-version: "3.10"
+          enable-cache: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-release.yml around lines 28 - 31, The "Install uv"
step using astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 currently
enables caching by default; disable caching for this privileged release job by
adding the cache parameter to the step (e.g., add under the with: block for the
"Install uv" step — python-version: "3.10" — a cache: false entry) so the action
runs without using or writing a cached UV installation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-release.yml:
- Line 57: The current LATEST assignment uses "gh release list --limit 1" which
picks the most recent release by date, not the highest semver; change the
command that sets the LATEST variable so it fetches all release tag names and
determines the highest semver explicitly (e.g. use "gh release list --json
tagName" to output tag names, pipe through jq to extract tagName, then sort them
by version (sort -V or a semver-aware tool) and pick the last entry). Update the
LATEST variable assignment (the line setting LATEST) to use that pipeline so
LATEST always holds the highest semantic version tag rather than the most
recent-by-date release.
- Around line 69-73: The normalize() helper in auto-release.yml currently
replaces pre-release suffixes like -beta(.N) / -alpha(.N) / -rc(.N) with
b0/a0/rc0, dropping the numeric counter and making Version() treat different
prereleases as equal; update normalize() to preserve the numeric counter (e.g.,
replace -beta(.N)? with bN, -alpha(.N)? with aN, -rc(.N)? with rcN by capturing
the digits and inserting them into the replacement) or remove normalize()
entirely and rely on packaging.version.Version() to parse prerelease suffixes;
look for the normalize function definition to implement the change.
- Around line 31-37: The workflow uses Python 3.10 but the step "Get version
from pyproject.toml" (id: pyproject_version) calls python -c "import tomllib;
...", which will fail because tomllib is available only in Python 3.11+; either
bump the job's python-version to "3.11" (or higher) or change the pyproject
parsing command to use the backport (tomli) under the configured interpreter
(install tomli in the step and replace import tomllib with import tomli) so the
VERSION extraction and echo "version=$VERSION" >> $GITHUB_OUTPUT succeed
reliably.
- Around line 39-49: The workflow currently interpolates
steps.pyproject_version.outputs.version directly into shell and Python string
literals (seen in the tag_check step and the version_check / gh release create
steps), which allows injection; instead export the version into the step's env
(e.g., VERSION=${{ steps.pyproject_version.outputs.version }}) and reference
that runtime env variable in commands—use "gh release view \"$VERSION\"" (or
better, avoid embedding in a Python -c string) and change the python -c usage in
version_check to read os.environ['VERSION'] (or os.getenv) rather than embedding
'${{ ... }}'; apply the same env-passing approach to the gh release create step
so no untrusted content is interpolated into shell/Python literals.

---

Nitpick comments:
In @.github/workflows/auto-release.yml:
- Around line 28-31: The "Install uv" step using
astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 currently enables
caching by default; disable caching for this privileged release job by adding
the cache parameter to the step (e.g., add under the with: block for the
"Install uv" step — python-version: "3.10" — a cache: false entry) so the action
runs without using or writing a cached UV installation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: af1979a0-a606-4814-82ef-bee0c4a2adac

📥 Commits

Reviewing files that changed from the base of the PR and between 6914d1a and 5055e78.

📒 Files selected for processing (2)

• .github/workflows/auto-release.yml
• .github/workflows/release_to_pypi.yml

💤 Files with no reviewable changes (1)

• .github/workflows/release_to_pypi.yml