Sync from private release

.github/workflows/back-sync-release-to-main.yaml

@@ -27,24 +27,14 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
-  env-config:
-    name: Resolve Config
-    uses: ./.github/workflows/config.yaml
-    with:
-      private-repo: ${{ inputs.private-repo }}
-      private-repo-main-branch: ${{ inputs.private-repo-main-branch }}
-      private-repo-release-branch: ${{ inputs.private-repo-release-branch }}
-    secrets: inherit
-
   back-sync-release-to-main:
     name: Back Sync
-    needs: env-config
     if: >
-      github.repository == needs.env-config.outputs.PRIVATE_REPO &&
+      github.repository == (inputs.private-repo || github.repository) &&
       (
         github.event_name != 'workflow_dispatch' ||
         (github.event_name == 'workflow_dispatch' &&
-         github.ref_name == needs.env-config.outputs.PRIVATE_REPO_RELEASE_BRANCH)
+         github.ref_name == (inputs.private-repo-release-branch || 'release'))
       )
 
     runs-on: ubuntu-latest
@@ -57,9 +47,9 @@ jobs:
         shell: bash
 
     env:
-      PRIVATE_REPO: ${{ needs.env-config.outputs.PRIVATE_REPO }}
-      PRIVATE_REPO_MAIN_BRANCH: ${{ needs.env-config.outputs.PRIVATE_REPO_MAIN_BRANCH }}
-      PRIVATE_REPO_RELEASE_BRANCH: ${{ needs.env-config.outputs.PRIVATE_REPO_RELEASE_BRANCH }}
+      PRIVATE_REPO: ${{ inputs.private-repo || github.repository }}
+      PRIVATE_REPO_MAIN_BRANCH: ${{ inputs.private-repo-main-branch || 'main' }}
+      PRIVATE_REPO_RELEASE_BRANCH: ${{ inputs.private-repo-release-branch || 'release' }}
       MANAGEMENT_TOKEN: ${{ secrets.MANAGEMENT_TOKEN }}
 
     steps:

.github/workflows/build-and-test.yaml

@@ -52,37 +52,17 @@ on:
         type: string
 
 jobs:
-  env-config:
-    name: Resolve Config
-    uses: ./.github/workflows/config.yaml
-    with:
-      package-name: ${{ inputs.package-name }}
-      package-slug: ${{ inputs.package-slug }}
-      private-repo: ${{ inputs.private-repo }}
-      private-repo-main-branch: ${{ inputs.private-repo-main-branch }}
-      private-repo-release-branch: ${{ inputs.private-repo-release-branch }}
-      private-repo-incoming-branch: ${{ inputs.private-repo-incoming-branch }}
-      public-repo: ${{ inputs.public-repo }}
-      public-repo-release-branch: ${{ inputs.public-repo-release-branch }}
-      public-repo-incoming-branch: ${{ inputs.public-repo-incoming-branch }}
-      build-smoke-python-version: ${{ inputs.build-smoke-python-version }}
-      test-matrix-json: ${{ inputs.test-matrix-json }}
-      version-check-python-version: ${{ inputs.version-check-python-version }}
-      publish-python-version: ${{ inputs.publish-python-version }}
-      publish-on-release: ${{ inputs.publish-on-release }}
-
   build-and-smoke-test:
     name: Smoke Build
-    needs: env-config
     if: >
-      github.repository == needs.env-config.outputs.PRIVATE_REPO
+      github.repository == inputs.private-repo
 
     strategy:
       fail-fast: false
       matrix:
         include:
         - os: ubuntu-latest
-          python-version: ${{ needs.env-config.outputs.BUILD_SMOKE_PYTHON_VERSION }}
+          python-version: ${{ inputs.build-smoke-python-version }}
 
     runs-on: ${{ matrix.os }}
 
@@ -91,10 +71,10 @@ jobs:
         shell: bash
 
     env:
-      PACKAGE_NAME: ${{ needs.env-config.outputs.PACKAGE_NAME }}
-      PACKAGE_SLUG: ${{ needs.env-config.outputs.PACKAGE_SLUG }}
-      PRIVATE_REPO: ${{ needs.env-config.outputs.PRIVATE_REPO }}
-      PRIVATE_REPO_MAIN_BRANCH: ${{ needs.env-config.outputs.PRIVATE_REPO_MAIN_BRANCH }}
+      PACKAGE_NAME: ${{ inputs.package-name }}
+      PACKAGE_SLUG: ${{ inputs.package-slug }}
+      PRIVATE_REPO: ${{ inputs.private-repo }}
+      PRIVATE_REPO_MAIN_BRANCH: ${{ inputs.private-repo-main-branch }}
 
     steps:
     - name: Checkout Code
@@ -152,13 +132,12 @@ jobs:
 
   run-tests:
     name: Test Matrix
-    needs: env-config
     if: >
-      github.repository == needs.env-config.outputs.PRIVATE_REPO
+      github.repository == inputs.private-repo
 
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.env-config.outputs.TEST_MATRIX_JSON) }}
+      matrix: ${{ fromJson(inputs.test-matrix-json) }}
 
     runs-on: ${{ matrix.os }}
 
@@ -167,10 +146,10 @@ jobs:
         shell: bash
 
     env:
-      PACKAGE_NAME: ${{ needs.env-config.outputs.PACKAGE_NAME }}
-      PACKAGE_SLUG: ${{ needs.env-config.outputs.PACKAGE_SLUG }}
-      PRIVATE_REPO: ${{ needs.env-config.outputs.PRIVATE_REPO }}
-      PRIVATE_REPO_MAIN_BRANCH: ${{ needs.env-config.outputs.PRIVATE_REPO_MAIN_BRANCH }}
+      PACKAGE_NAME: ${{ inputs.package-name }}
+      PACKAGE_SLUG: ${{ inputs.package-slug }}
+      PRIVATE_REPO: ${{ inputs.private-repo }}
+      PRIVATE_REPO_MAIN_BRANCH: ${{ inputs.private-repo-main-branch }}
 
     steps:
     - name: Checkout Code

.github/workflows/workflow-orchestrator.yaml → .github/workflows/central-orchestrator.yaml

@@ -132,6 +132,7 @@ jobs:
       CTX_HEAD_REF: ${{ github.head_ref || '' }}
       CTX_REF_NAME: ${{ github.ref_name || '' }}
       CTX_PR_MERGED: ${{ github.event.pull_request.merged || false }}
+      WORKFLOW_REF: ${{ github.workflow_ref || '' }}
 
     steps:
     - name: Show Event Context
@@ -170,6 +171,16 @@ jobs:
         REPOSITORY_NAME="${CALLER_REPOSITORY:-$GITHUB_REPOSITORY}"
         PR_MERGED="${CALLER_PR_MERGED:-$CTX_PR_MERGED}"
 
+        if [ "$REPOSITORY_NAME" = "SETT-Centre-Data-and-AI/workflows" ] || [ "$REPOSITORY_NAME" = "SETT-Centre-Data-and-AI/workflows_development" ]; then
+          if [ -n "$WORKFLOW_REF" ] && [[ "$WORKFLOW_REF" == *"@release" ]]; then
+            echo "ERROR: Internal workflow repositories must call their local entry workflow."
+            echo "Internal repos must use local paths: uses: ./.github/workflows/<entrypoint>.yaml"
+            echo "Not: uses: SETT-Centre-Data-and-AI/workflows/.github/workflows/<workflow>.yaml@release"
+            echo "Actual workflow_ref: $WORKFLOW_REF"
+            exit 1
+          fi
+        fi
+
         RUN_BUILD_AND_TEST=false
         RUN_ENSURE_RELEASE_SOURCE=false
         RUN_PRE_RELEASE_VERSION_CHECK=false
@@ -180,7 +191,9 @@ jobs:
         if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
           if [ "$REPOSITORY_NAME" = "$PRIVATE_REPO" ] && [ "$REF_NAME" = "$PRIVATE_REPO_RELEASE_BRANCH" ]; then
             RUN_BACK_SYNC=true
-            RUN_SYNC_TO_PUBLIC=true
+            if [ -n "$PUBLIC_REPO" ] && [ "$PUBLIC_REPO" != "$PRIVATE_REPO" ]; then
+              RUN_SYNC_TO_PUBLIC=true
+            fi
           fi
           if [ "$REPOSITORY_NAME" = "$PUBLIC_REPO" ] && [ "$REF_NAME" = "$PUBLIC_REPO_RELEASE_BRANCH" ] && [ "$PUBLISH_ON_RELEASE" = "true" ]; then
             RUN_PUBLISH_TO_PYPI=true
@@ -202,7 +215,9 @@ jobs:
 
             if [ "$EVENT_ACTION" = "closed" ] && [ "$PR_MERGED" = "true" ] && [ "$HEAD_REF" = "$PRIVATE_REPO_MAIN_BRANCH" ]; then
               RUN_BACK_SYNC=true
-              RUN_SYNC_TO_PUBLIC=true
+              if [ -n "$PUBLIC_REPO" ] && [ "$PUBLIC_REPO" != "$PRIVATE_REPO" ]; then
+                RUN_SYNC_TO_PUBLIC=true
+              fi
             fi
           fi
 
@@ -312,4 +327,5 @@ jobs:
       public-repo: ${{ needs.env-config.outputs.PUBLIC_REPO }}
       public-repo-release-branch: ${{ needs.env-config.outputs.PUBLIC_REPO_RELEASE_BRANCH }}
       publish-python-version: ${{ needs.env-config.outputs.PUBLISH_PYTHON_VERSION }}
+      publish-on-release: ${{ needs.env-config.outputs.PUBLISH_ON_RELEASE }}
     secrets: inherit

.github/workflows/config.yaml

@@ -105,7 +105,7 @@ env:
   PRIVATE_REPO_INCOMING_BRANCH: ${{ inputs.private-repo-incoming-branch || 'incoming_from_public' }}  # mirrors incoming from public
 
   # Public Repo
-  PUBLIC_REPO: ${{ inputs.public-repo || 'SETT-Centre-Data-and-AI/workflows' }}
+  PUBLIC_REPO: ${{ inputs.public-repo }}
   PUBLIC_REPO_INCOMING_BRANCH: ${{ inputs.public-repo-incoming-branch || 'incoming_from_private' }}  # mirrors incoming from private
   PUBLIC_REPO_RELEASE_BRANCH: ${{ inputs.public-repo-release-branch || 'release' }}                 # when PR closed, trigger PyPI publish
 
@@ -126,7 +126,7 @@ env:
   TEST_MATRIX_JSON: ${{ inputs.test-matrix-json || '' }}
   VERSION_CHECK_PYTHON_VERSION: ${{ inputs.version-check-python-version || '3.12' }}
   PUBLISH_PYTHON_VERSION: ${{ inputs.publish-python-version || '3.13' }}
-  PUBLISH_ON_RELEASE_RAW: ${{ inputs.publish-on-release || vars.PUBLISH_ON_RELEASE || 'true' }}
+  PUBLISH_ON_RELEASE_RAW: ${{ inputs.publish-on-release || vars.PUBLISH_ON_RELEASE || 'false' }}
 # =================
 # End Manual Config
 # =================

.github/workflows/ensure-release-source.yaml

@@ -30,33 +30,21 @@ on:
         type: string
 
 jobs:
-  env-config:
-    name: Resolve Config
-    uses: ./.github/workflows/config.yaml
-    with:
-      private-repo: ${{ inputs.private-repo }}
-      private-repo-main-branch: ${{ inputs.private-repo-main-branch }}
-      private-repo-release-branch: ${{ inputs.private-repo-release-branch }}
-      public-repo: ${{ inputs.public-repo }}
-      public-repo-release-branch: ${{ inputs.public-repo-release-branch }}
-      public-repo-incoming-branch: ${{ inputs.public-repo-incoming-branch }}
-
   ensure-release-source:
     name: Validate Source
-    needs: env-config
     runs-on: ubuntu-latest
 
     defaults:
       run:
         shell: bash
 
     env:
-      PRIVATE_REPO: ${{ needs.env-config.outputs.PRIVATE_REPO }}
-      PRIVATE_REPO_MAIN_BRANCH: ${{ needs.env-config.outputs.PRIVATE_REPO_MAIN_BRANCH }}
-      PRIVATE_REPO_RELEASE_BRANCH: ${{ needs.env-config.outputs.PRIVATE_REPO_RELEASE_BRANCH }}
-      PUBLIC_REPO: ${{ needs.env-config.outputs.PUBLIC_REPO }}
-      PUBLIC_REPO_RELEASE_BRANCH: ${{ needs.env-config.outputs.PUBLIC_REPO_RELEASE_BRANCH }}
-      PUBLIC_REPO_INCOMING_BRANCH: ${{ needs.env-config.outputs.PUBLIC_REPO_INCOMING_BRANCH }}
+      PRIVATE_REPO: ${{ inputs.private-repo }}
+      PRIVATE_REPO_MAIN_BRANCH: ${{ inputs.private-repo-main-branch }}
+      PRIVATE_REPO_RELEASE_BRANCH: ${{ inputs.private-repo-release-branch }}
+      PUBLIC_REPO: ${{ inputs.public-repo }}
+      PUBLIC_REPO_RELEASE_BRANCH: ${{ inputs.public-repo-release-branch }}
+      PUBLIC_REPO_INCOMING_BRANCH: ${{ inputs.public-repo-incoming-branch }}
 
     steps:
     - name: Show PR Context

.github/workflows/pre-release-version-check.yaml

@@ -14,15 +14,8 @@ on:
         type: string
 
 jobs:
-  env-config:
-    name: Resolve Config
-    uses: ./.github/workflows/config.yaml
-    with:
-      version-check-python-version: ${{ inputs.version-check-python-version }}
-
   check-version-bump:
     name: Check Version
-    needs: env-config
 
     runs-on: ubuntu-latest
 
@@ -31,7 +24,7 @@ jobs:
         shell: bash
 
     env:
-      PYTHON_VERSION: ${{ needs.env-config.outputs.VERSION_CHECK_PYTHON_VERSION }}
+      PYTHON_VERSION: ${{ inputs.version-check-python-version }}
 
     steps:
     - name: Show PR context
@@ -52,6 +45,9 @@ jobs:
       with:
         python-version: ${{ env.PYTHON_VERSION }}
 
+    - name: Install version parsing dependency
+      run: python -m pip install packaging
+
     - name: Check version bumped vs release
       env:
         BASE_SHA: ${{ github.event.pull_request.base.sha }}
@@ -123,9 +119,18 @@ jobs:
         print(f"Base (release) version: {base_version}")
         print(f"Head (PR) version:     {head_version}")
 
-        if base_version == head_version:
+        from packaging import version
+
+        try:
+            base_v = version.parse(base_version)
+            head_v = version.parse(head_version)
+        except Exception as e:
+            print(f"ERROR: Could not parse versions: {e}", file=sys.stderr)
+            sys.exit(1)
+
+        if head_v <= base_v:
             print(
-                f"ERROR: Version has not been bumped (still {head_version}). "
+                f"ERROR: Version must be increased. Current: {base_version}, proposed: {head_version}. "
                 "You probably need to run 'cz bump'.",
                 file=sys.stderr,
             )

.github/workflows/publish-to-pypi.yaml

@@ -29,28 +29,16 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  env-config:
-    name: Resolve Config
-    uses: ./.github/workflows/config.yaml
-    with:
-      package-name: ${{ inputs.package-name }}
-      package-slug: ${{ inputs.package-slug }}
-      public-repo: ${{ inputs.public-repo }}
-      public-repo-release-branch: ${{ inputs.public-repo-release-branch }}
-      publish-python-version: ${{ inputs.publish-python-version }}
-      publish-on-release: ${{ inputs.publish-on-release }}
-
   publish-to-pypi:
     name: Build and Publish
-    needs: env-config
     if: > # in public repo, and called by orchestrator or run manually on release
-      github.repository == needs.env-config.outputs.PUBLIC_REPO &&
+      github.repository == (inputs.public-repo || 'SETT-Centre-Data-and-AI/workflows') &&
       (
         github.event_name != 'workflow_dispatch' ||
         (github.event_name == 'workflow_dispatch' &&
-         github.ref_name == needs.env-config.outputs.PUBLIC_REPO_RELEASE_BRANCH)
+         github.ref_name == (inputs.public-repo-release-branch || 'release'))
       ) &&
-      needs.env-config.outputs.PUBLISH_ON_RELEASE == 'true'
+      (inputs.publish-on-release || 'false') == 'true'
 
     runs-on: ubuntu-latest
     permissions:
@@ -59,12 +47,12 @@ jobs:
 
     env:
       # From shared config
-      PACKAGE_NAME: ${{ needs.env-config.outputs.PACKAGE_NAME }}
-      PACKAGE_SLUG: ${{ needs.env-config.outputs.PACKAGE_SLUG }}
-      PUBLIC_REPO: ${{ needs.env-config.outputs.PUBLIC_REPO }}
-      PUBLIC_REPO_RELEASE_BRANCH: ${{ needs.env-config.outputs.PUBLIC_REPO_RELEASE_BRANCH }}
+      PACKAGE_NAME: ${{ inputs.package-name }}
+      PACKAGE_SLUG: ${{ inputs.package-slug }}
+      PUBLIC_REPO: ${{ inputs.public-repo || 'SETT-Centre-Data-and-AI/workflows' }}
+      PUBLIC_REPO_RELEASE_BRANCH: ${{ inputs.public-repo-release-branch || 'release' }}
       # Publish config
-      PYTHON_VERSION: ${{ needs.env-config.outputs.PUBLISH_PYTHON_VERSION }}
+      PYTHON_VERSION: ${{ inputs.publish-python-version || '3.13' }}
       PYPI_USERNAME: __token__
 
     steps:

.github/workflows/self-orchestrator.yaml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   call-local-orchestrator:
     name: Orchestrate
-    uses: ./.github/workflows/workflow-orchestrator.yaml
+    uses: ./.github/workflows/central-orchestrator.yaml
     with:
       event-name: ${{ github.event_name }}
       event-action: ${{ github.event.action || '' }}
@@ -35,6 +35,7 @@ jobs:
       public-repo-release-branch: release
       public-repo-incoming-branch: incoming_from_private
       build-smoke-python-version: '3.13'
+      test-matrix-json: '{"include":[{"os":"ubuntu-latest","python-version":"3.13"}]}'
       version-check-python-version: '3.13'
       publish-python-version: '3.13'
       publish-on-release: 'false'

.github/workflows/sync-from-public.yaml

@@ -33,20 +33,10 @@ on:
         required: true
 
 jobs:
-  env-config:
-    name: Resolve Config
-    uses: ./.github/workflows/config.yaml
-    with:
-      private-repo: ${{ inputs.private-repo || '' }}
-      private-repo-main-branch: ${{ inputs.private-repo-main-branch || '' }}
-      private-repo-incoming-branch: ${{ inputs.private-repo-incoming-branch || '' }}
-      public-repo: ${{ inputs.public-repo || '' }}
-
   sync-from-public:
     name: Sync Private
-    needs: env-config
 
-    if: github.repository == needs.env-config.outputs.PRIVATE_REPO
+    if: github.repository == (inputs.private-repo || github.repository)
 
     runs-on: ubuntu-latest
 
@@ -56,11 +46,11 @@ jobs:
 
     env:
       # From shared config
-      PRIVATE_REPO: ${{ needs.env-config.outputs.PRIVATE_REPO }}
-      PRIVATE_REPO_MAIN_BRANCH: ${{ needs.env-config.outputs.PRIVATE_REPO_MAIN_BRANCH }}
-      PRIVATE_REPO_INCOMING_BRANCH: ${{ needs.env-config.outputs.PRIVATE_REPO_INCOMING_BRANCH }}
+      PRIVATE_REPO: ${{ inputs.private-repo || github.repository }}
+      PRIVATE_REPO_MAIN_BRANCH: ${{ inputs.private-repo-main-branch || 'main' }}
+      PRIVATE_REPO_INCOMING_BRANCH: ${{ inputs.private-repo-incoming-branch || 'incoming_from_public' }}
 
-      PUBLIC_REPO: ${{ needs.env-config.outputs.PUBLIC_REPO }}
+      PUBLIC_REPO: ${{ inputs.public-repo || 'SETT-Centre-Data-and-AI/workflows' }}
       MANAGEMENT_TOKEN: ${{ secrets.MANAGEMENT_TOKEN }}
 
       PUBLIC_BRANCH: ${{ inputs.public_branch || github.event.inputs.public_branch }}