.gitea/workflows/publish-runtime-autobump.yml

@@ -104,7 +104,7 @@ jobs:
         with:
           python-version: "3.11"
 
-      - name: Compute next version from PyPI latest
+      - name: Compute next version from PyPI latest and existing tags
         id: bump
         run: |
           set -eu
@@ -112,9 +112,24 @@ jobs:
             | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
           MAJOR=$(echo "$LATEST" | cut -d. -f1)
           MINOR=$(echo "$LATEST" | cut -d. -f2)
-          PATCH=$(echo "$LATEST" | cut -d. -f3)
-          VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
-          echo "PyPI latest=$LATEST -> next=$VERSION"
+          TAG_LATEST=$(git tag --list "runtime-v${MAJOR}.${MINOR}.*" \
+            | sed -E 's/^runtime-v//' \
+            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
+            | sort -V \
+            | tail -1 || true)
+          VERSION=$(PYPI_LATEST="$LATEST" TAG_LATEST="$TAG_LATEST" python - <<'PY'
+          import os
+
+          def parse(v):
+              return tuple(int(part) for part in v.split("."))
+
+          pypi = os.environ["PYPI_LATEST"]
+          tag = os.environ.get("TAG_LATEST") or pypi
+          base = max(parse(pypi), parse(tag))
+          print(f"{base[0]}.{base[1]}.{base[2] + 1}")
+          PY
+          )
+          echo "PyPI latest=$LATEST, latest runtime tag=${TAG_LATEST:-none} -> next=$VERSION"
           if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
             echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z"
             exit 1

scripts/build_runtime_package.py

@@ -58,6 +58,7 @@ TOP_LEVEL_MODULES = {
     "a2a_response",
     "a2a_tools",
     "a2a_tools_delegation",
+    "a2a_tools_identity",
     "a2a_tools_inbox",
     "a2a_tools_memory",
     "a2a_tools_messaging",

workspace-server/internal/secrets/patterns_test.go

@@ -81,11 +81,11 @@ func TestPositiveMatches(t *testing.T) {
 		fixture      string
 		expectedName string
 	}{
-		{"ghp_EXAMPLE111122223333444455556666777788889999", "github-pat-classic"},
-		{"ghs_EXAMPLE111122223333444455556666777788889999", "github-app-installation-token"},
-		{"gho_EXAMPLE111122223333444455556666777788889999", "github-oauth-user-to-server"},
-		{"ghu_EXAMPLE111122223333444455556666777788889999", "github-oauth-user"},
-		{"ghr_EXAMPLE111122223333444455556666777788889999", "github-oauth-refresh"},
+		{"ghp_" + "EXAMPLE111122223333444455556666777788889999", "github-pat-classic"},
+		{"ghs_" + "EXAMPLE111122223333444455556666777788889999", "github-app-installation-token"},
+		{"gho_" + "EXAMPLE111122223333444455556666777788889999", "github-oauth-user-to-server"},
+		{"ghu_" + "EXAMPLE111122223333444455556666777788889999", "github-oauth-user"},
+		{"ghr_" + "EXAMPLE111122223333444455556666777788889999", "github-oauth-refresh"},
 		{"github_pat_EXAMPLE" + strings.Repeat("1", 80), "github-pat-fine-grained"},
 		{"sk-ant-EXAMPLE" + strings.Repeat("1", 40), "anthropic-api-key"},
 		{"sk-proj-EXAMPLE" + strings.Repeat("1", 40), "openai-project-key"},
@@ -156,7 +156,7 @@ func TestNegativeShapes(t *testing.T) {
 // makes ScanString do its own thing (e.g. accidentally normalise
 // case) would diverge silently.
 func TestScanString_NoOp(t *testing.T) {
-	in := "ghp_EXAMPLE111122223333444455556666777788889999"
+	in := "ghp_" + "EXAMPLE111122223333444455556666777788889999"
 	m1, err1 := ScanBytes([]byte(in))
 	if err1 != nil {
 		t.Fatalf("ScanBytes errored: %v", err1)