sdk-actions
Shared GitHub actions and workflows for Braintrust SDK repositories.
Releases
Copy the canonical release workflow template from .github/workflows/release-<LANG>.yml and adapt it for your repository. Using it as an upstream source will enable the implemented release process to receive improvements in the future.
Pre-requisites
-
JS: needs
packageManager(orpnpm_version) ≥ pnpm 11.8 (forpnpm sbom) -
Ruby: needs a
rake buildthat emits exactly onepkg/*.gem.
Adopting the release workflow
-
Copy the canonical template for your language into your repo's
.github/workflows/: -
Configure an OIDC trusted publisher on your registry (npm / PyPI / RubyGems) for this repo + workflow (and environment, if gated) — publishing and attestation use it, no long-lived tokens. (Adapting an existing workflow rather than copying? Also grant the publish job
attestations: write.) - Adapt the marked sections — version source, package/gem name, working directory, and so on; the template's comments flag exactly what changes.
- Record the upstream version you based it on — the sdk-actions ref (commit SHA or tag) your copy was adapted from, e.g. in a header comment. Tracking it lets you (or an agent) diff your copy against a newer upstream template and sync changes deliberately as this repo evolves.
- Bump the pinned SHA to pick up action changes. Because each action is self-contained, one SHA bump pulls in the whole updated chain.
Available release actions
The release workflow is composed from these actions. You normally get them via the template, but they're listed here as a reference for customizing it — each is self-contained (calls no other action in this repo), so a single SHA pin pulls in everything it needs.
| Action | Purpose |
|---|---|
release/lang/ruby/publish |
Build the gem, generate + sign a CycloneDX SBOM and SLSA build provenance, push to RubyGems (OIDC trusted publishing), create the GitHub release (SBOM attached), and notify |
release/lang/ruby/validate |
Check out the SHA, set up Ruby, read the version, validate the release (tag/branch/metadata), lint + build + generate SBOM (pre-gate check) |
release/lang/js/publish |
Build, generate + sign a CycloneDX SBOM, publish to npm (OIDC trusted publishing + provenance), create the GitHub release (SBOM attached), and notify |
release/lang/js/validate |
Check out the SHA, set up Node + package manager, read the version, validate the release (channel/tag/branch/metadata), build + generate SBOM (pre-gate check) |
release/lang/py/publish |
Build, generate + sign a CycloneDX SBOM, publish to PyPI (OIDC trusted publishing + PEP 740 attestations), create the GitHub release (SBOM attached), and notify |
release/lang/py/validate |
Check out the SHA, set up uv + Python, read the version, validate the release (tag/branch/metadata, PyPI availability), build + generate SBOM (pre-gate check) |
release/notify-pending |
Post the pre-approval job summary and Slack notification |
release/prepare |
Fetch the PR list and release notes |
Inputs and outputs are documented in each action.yml. Reference an action by
commit SHA:
- uses: braintrustdata/sdk-actions/actions/release/prepare@<sha>Developing
actions/ is generated from templates/ — never edit it by hand. See
CONTRIBUTING.md for the template system and workflow.