fix: post-0.1.0 packaging, dependency, and release-workflow cleanup #5

Merged: muralx merged 2 commits into main from sync/oss-fixes-post-0.1.0 on May 18, 2026

@muralx muralx commented May 17, 2026

Collaborator

Summary

Bundle of fixes and improvements discovered after the 0.1.0 release,
covering packaging, dependency floors, docs, and the CI / release
workflow.

Linked Issue

Changes

Packaging

  • Scope each package's sdist to its own source. The 0.1.0 root sdist
    tarballed the whole monorepo; the adapter sdists carried unrelated
    tests/, demo/, docs/, and dotfiles.
  • Ship the Apache-2.0 LICENSE in adapter wheels (0.1.0 wheels shipped
    none).
  • Derive __version__ from installed package metadata across all three
    packages (was hardcoded to "0.1.0" and would drift on every release).
  • Align adapter pyproject.toml metadata with the SDK (classifiers,
    Repository / Changelog URLs).

Dependencies

  • Tighten authplane-fastmcp requirement to fastmcp>=3.2,<4 (was
    >=2.0, which could resolve to a version the adapter can't import —
    the adapter uses the v3 auth surface: RemoteAuthProvider,
    require_scopes).

Docs

  • README "User Guide" link points to an absolute GitHub URL so it
    resolves on PyPI (the relative path 404'd).
  • Correct fastmcp demo port in authplane-fastmcp/demo/README.md
    (8080, not 8090).

CI / release workflow

  • Clone the shared AuthPlane/conformance catalog into $RUNNER_TEMP
    to keep it out of the working tree we tag and publish.
  • Mint a short-lived release-bot App token for the atomic tag/branch
    push step in release.yml (default GITHUB_TOKEN is rejected by the
    v* tag ruleset).
  • Fail fast in release.yml when release-bot secrets are missing.

Affected Packages

  • authplane-sdk (root)
  • authplane-mcp
  • authplane-fastmcp
  • None (infra / docs / CI only)

Test Plan

Verified locally before opening this PR:

  • ruff check . — clean
  • ruff format --check . — 85 files formatted
  • pyright — 0 errors
  • pinact run --check — clean
  • Root SDK pytest tests — 433 passed
  • authplane-mcp pytest tests — 27 passed
  • authplane-fastmcp pytest tests — 33 passed
  • python -m build succeeds for all 3 packages
  • twine check dist/* passes for all 6 artifacts
  • Adapter wheels verified to include LICENSE under
    dist-info/licenses/
  • Sdist contents verified scoped (no monorepo bleed; no foreign
    tests/ / demo/ / docs/ in adapter sdists)

CI will re-run all of these plus coverage.

Checklist

  • ruff check . passes
  • ruff format --check . passes
  • pyright passes (SDK root)
  • pytest passes for affected packages
  • Coverage unchanged or improved (≥ 80%) — not run locally; CI gates this
  • Tests added for new functionality — N/A (no new functionality)
  • Documentation updated (if applicable)
  • CHANGELOG.md entry added under [Unreleased] (if user-facing)
  • New workflow actions are SHA-pinned (pinact run after changes)
  • No token values, secrets, or key material in logs or test fixtures
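
The sdist-scoping and wheel-LICENSE checks listed in the Test Plan above can be automated. The following is an added example, not code from this PR or the AuthPlane repository; it assumes a src/ layout and an allowlist of top-level sdist entries, and the archives it inspects are constructed in memory.

```python
import io
import tarfile
import zipfile

# Assumption: top-level entries an adapter sdist may carry (src/ layout).
ALLOWED_TOP = {"PKG-INFO", "pyproject.toml", "README.md", "LICENSE", "src"}


def sdist_violations(data: bytes, allowed=ALLOWED_TOP) -> list[str]:
    """Return sdist members outside the allowlist (monorepo bleed, dotfiles)."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for name in tar.getnames():
            rel = name.split("/")[1:]  # drop the "<name>-<version>/" root
            if rel and rel[0] not in allowed:
                bad.append("/".join(rel))
    return sorted(bad)


def wheel_has_license(data: bytes) -> bool:
    """True if the wheel carries a LICENSE file under *.dist-info/licenses/."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(".dist-info/licenses/LICENSE" in n for n in zf.namelist())


def make_sdist(root: str, paths: list[str]) -> bytes:
    """Build a constructed .tar.gz in memory for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in paths:
            info = tarfile.TarInfo(f"{root}/{p}")
            info.size = 1
            tar.addfile(info, io.BytesIO(b"\n"))
    return buf.getvalue()


def make_wheel(paths: list[str]) -> bytes:
    """Build a constructed wheel (zip) in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in paths:
            zf.writestr(p, "\n")
    return buf.getvalue()


if __name__ == "__main__":
    scoped = ["PKG-INFO", "pyproject.toml", "src/authplane_mcp/__init__.py"]
    leaky = make_sdist("authplane_mcp-0.1.0", scoped + ["tests/t.py", ".github/ci.yml"])
    print(sdist_violations(leaky), wheel_has_license(make_wheel(["a.dist-info/METADATA"])))
```

Run against real artifacts, the same functions take the bytes of each file in dist/ and can gate the publish step on an empty violation list.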

Bundles fixes and improvements discovered after the 0.1.0 release.

Packaging:
- Scope each package's sdist to its own source (no monorepo tarball; no
  bleed of tests/, demo/, docs/ between adapter sdists).
- Ship Apache-2.0 LICENSE in adapter wheels.
- Derive __version__ from installed package metadata across all three
  packages (no more hardcoded, drift-prone constant).
- Align adapter pyproject.toml metadata with the SDK (classifiers,
  Repository / Changelog URLs).

Dependencies:
- Tighten authplane-fastmcp floor to fastmcp>=3.2,<4 (was >=2.0, which
  could resolve to fastmcp 2.x and crash at import — the adapter uses
  the v3 auth surface).

Docs:
- Use absolute GitHub URL for the User Guide link so it resolves on PyPI.
- Correct the fastmcp demo port (8080, not 8090).

CI / release workflow:
- Clone the shared conformance catalog into $RUNNER_TEMP to keep it out
  of the working tree we tag and publish.
- Mint a short-lived release-bot App token for the atomic tag/branch
  push step in release.yml (default GITHUB_TOKEN is rejected by the v*
  tag ruleset).
- Fail fast in release.yml when release-bot secrets are missing.

@muralx muralx requested a review from a team as a code owner May 17, 2026 15:11
@muralx muralx requested a review from diegobes May 17, 2026 15:11

The Quickstart used a bare @mcp.tool() while passing scopes=[...] to
authplane_mcp_auth, implying enforcement that never happened.

@muralx muralx requested a review from RobertoIskandarani May 18, 2026 12:03

@RobertoIskandarani RobertoIskandarani left a comment

LGTM

@muralx muralx merged commit ec39fff into main May 18, 2026
13 checks passed
@muralx muralx deleted the sync/oss-fixes-post-0.1.0 branch May 18, 2026 12:24