[Devops] Branching Strategy - Phase 3

[lowlydba]

Goal

Build and publish packages to the right destinations using version strings computed by Phase 2. Each workflow has one trigger and one destination. No version logic lives here.

Trigger × destination matrix

Trigger	Workflow	Packages	Version	Destination
Push to vnext	p3-dev-builds-ca	affected pkgs only	<last-published>+dev.N	CA dev repo
Push to main (no <major>/<minor> bump)	p3-main-ca-release	affected pkgs only	<major>.<minor>.<next-patch>	CA release repo
<major>/<minor> bump on main, overture-schema	p3-pypi-publish	overture-schema only	<major>.<minor>.0	Public PyPI
<major>/<minor> bump on main, supplemental pkg	p3-supplemental-ca-release	the bumped pkg	<major>.<minor>.0	CA release repo only

CodeArtifact: domain overture-pypi / account 505071440022 / region us-west-2.

Tasks

p3-dev-builds-ca

• Trigger: push to vnext
• Detect affected packages (changed since last dev build).
• Use p2-version-compute to get <last-published>+dev.<run_number> per affected pkg.
• Build + publish to CA dev repo.
• CDP consumers pin >=<last-published>+dev.0 per package to track latest.

p3-main-ca-release

• Trigger: push to main with no <major>/<minor> changes.
• Detect affected packages.
• Use p2-version-compute to get <major>.<minor>.<next-patch> per affected pkg.
• Build + publish to CA release repo.
• Continuous deployment; no GH Release, no PyPI.

p3-pypi-publish

• Trigger: GH Release published event (emitted by p2-release-trigger).
• Build overture-schema only.
• Publish to public PyPI via Trusted Publishing (OIDC, no long-lived tokens) + PyPI attestations.
• Pattern follows overturemaps-py publish workflow.
• Prereq: PyPI Trusted Publisher OIDC must be configured in PyPI project settings before this workflow lands.

p3-supplemental-ca-release

• Trigger: <major>/<minor> bump commit to any supplemental package on main.
• Build + publish that package at <major>.<minor>.0 to CA release repo.
• Never published to PyPI.

p3-docs

Update docs/versioning.md with:

• Trigger × destination matrix (above)
• CDP dev build consumption pattern (>=<last-published>+dev.0)
• PyPI Trusted Publisher setup notes

Contributor-facing changes

• Push to vnext → affected packages auto-publish to CA dev repo as <version>+dev.N.
• Push to main (no version bump) → affected packages auto-publish to CA release repo as <major>.<minor>.<next-patch>.
• Bump overture-schema <major>/<minor> on main → public PyPI publish + GH Release fire automatically.
• Bump a supplemental package's <major>/<minor> on main → CA release repo only, never PyPI.
• Internal consumers (CDP): pin >=<last-published>+dev.0 to track vnext dev builds; naturally upgrade to release versions when published.

Definition of done

• PyPI Trusted Publisher OIDC configured
• p3-dev-builds-ca workflow live
• p3-main-ca-release workflow live
• p3-pypi-publish workflow live, tested against a real GH Release
• p3-supplemental-ca-release workflow live
• docs/versioning.md updated