Implement CI/CD workflows for automated testing and PyPI publishing + API key authentication

[jon-myers]

Implement CI/CD Workflows and API Key Authentication

Overview

Currently, the PyPI publishing workflow is manual and error-prone. We need to implement automated GitHub Actions workflows for testing and publishing, plus add API key authentication support to the IDTAP client for CI/CD scenarios.

Problems with Current Workflow

1. Manual Testing: Test suite and PyPI uploads are run manually
2. No PR Validation: PRs are not automatically tested against TestPyPI
3. Manual Version Management: Version increments are done manually
4. Authentication Dependency: Relies on Google OAuth, unsuitable for CI/CD
5. Error-Prone Process: Easy to forget steps or make mistakes

Proposed Solution

Phase 1: GitHub Actions Workflows

Workflow 1: PR Testing (test-pr.yml)

Triggers: On PR creation and updates to any PR
Steps:

1. Run full test suite (pytest idtap/tests/)
2. Build package (python -m build)
3. Upload to TestPyPI with PR-specific version suffix (e.g., 0.1.12-pr13.1)
4. Post TestPyPI link as PR comment
5. Validate installation from TestPyPI works

Benefits:

• Catch issues before merge
• Validate PyPI packaging works
• Test actual installation process
• Provide immediate feedback to contributors

Workflow 2: Production Release (release.yml)

Triggers: On merge to main branch
Steps:

1. Run full test suite again
2. Upload current version to TestPyPI (final validation)
3. Auto-increment version number (patch by default)
4. Build package with new version
5. Upload to production PyPI
6. Create git tag
7. Generate GitHub release with changelog

Benefits:

• Fully automated releases
• No manual version management
• Consistent release process
• Automatic documentation

Phase 2: API Key Authentication

Current Limitation

The IDTAP client currently only supports Google OAuth, which requires interactive browser authentication. This doesn't work in CI/CD environments.

Proposed Enhancement

Add API key authentication support to SwaraClient.

Implementation Requirements

1. Server-Side Changes (IDTAP API):

• Add API key generation endpoint
• Add API key authentication middleware
• Add API key management UI for users

2. Client-Side Changes (idtap package):

• Extend SwaraClient.__init__() to accept auth_method parameter
• Add API key authentication in _auth_headers() method
• Update authentication documentation

Implementation Plan

Phase 1: GitHub Actions (Immediate)

Required GitHub Secrets:

1. TESTPYPI_API_TOKEN - TestPyPI API token
2. PYPI_API_TOKEN - Production PyPI API token
3. SWARA_API_KEY - IDTAP API key (Phase 2)

Benefits

For Developers

• Faster feedback: Immediate testing on PR creation
• Confidence: Know changes work before merge
• Less manual work: No more manual version increments

For Project

• Higher quality: Automated testing catches more issues
• Consistent releases: No human error in release process
• Better documentation: Auto-generated changelogs and releases

For Users

• Faster releases: No bottleneck on manual process
• More reliable: Consistent testing and validation
• Clear versioning: Automatic semantic versioning

Success Criteria

Phase 1 Complete When:

• Every PR automatically runs tests and uploads to TestPyPI
• Main branch merges automatically create production releases
• Version management is fully automated
• No manual PyPI uploads needed

Phase 2 Complete When:

• CI/CD can authenticate to IDTAP API without OAuth
• Integration tests can run in GitHub Actions
• API key management is available in UI
• Documentation covers both authentication methods

Priority

High - This significantly improves development workflow and release reliability.

Labels

enhancement, ci/cd, infrastructure, authentication