From cb469d4d25952219dd860d5270967253eb023dd5 Mon Sep 17 00:00:00 2001
From: dasm <maegereg@gmail.com>
Date: Tue, 30 Sep 2025 09:50:26 -0700
Subject: [PATCH 1/5] Add minimal release pipeline.

---
 .github/workflows/release.yml | 48 +++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..8596a9c
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,48 @@
+# This pipeline is executed every time someone pushes a tag to GitHub. If the
+# tag is a valid version number, it builds the library, runs the slow tests and
+# the benchmarks, pushes the package distribution to PyPI, and if this is a
+# production release, also publishes the docs.
+name: Release Pipeline
+
+on:
+  push:
+    tags:
+      - '**'
+
+
+env:
+  # Force nox to produce colorful logs:
+  FORCE_COLOR: "true"
+
+jobs:
+  Check-Tag-Pattern:
+    if: github.repository == 'opendp/tumult-core'
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          re="^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-(alpha|beta|rc)\.(0|[1-9][0-9]*))?$"
+          if [[ ! "$GITHUB_REF_NAME" =~ $re ]]; then 
+            echo "Tag $GITHUB_REF_NAME is not a valid version number. Aborting release pipeline."
+            exit 1
+          fi
+
+  Package-linux:
+    if: github.repository == 'opendp/tumult-core'
+    runs-on: ubuntu-latest
+    needs: Check-Tag-Pattern
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Set up runner
+        uses: opendp/tumult-tools/actions/setup@eabe1054863f0916a0087ad180fd83719049c094
+      - run: uv run nox -s build
+      - name: Upload wheel
+        uses: actions/upload-artifact@v4
+        with:
+          name: linux-wheel
+          path: dist/*.whl
+      - name: Upload sdist
+        uses: actions/upload-artifact@v4
+        with:
+          name: sdist
+          path: dist/*.tar.gz

From 1d000fd8beeae104f3a77e762f73e052a5b402c6 Mon Sep 17 00:00:00 2001
From: dasm <maegereg@gmail.com>
Date: Wed, 1 Oct 2025 12:16:39 -0700
Subject: [PATCH 2/5] Add macos build jobs

---
 .github/workflows/release.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8596a9c..f3168cb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,3 +46,35 @@ jobs:
         with:
           name: sdist
           path: dist/*.tar.gz
+
+  Package-macos-intel:
+    if: github.repository == 'opendp/tumult-core'
+    runs-on: macos-15-intel
+    needs: Check-Tag-Pattern
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Set up runner
+        uses: opendp/tumult-tools/actions/setup@eabe1054863f0916a0087ad180fd83719049c094
+      - run: uv run nox -s build
+      - name: Upload wheel
+        uses: actions/upload-artifact@v4
+        with:
+          name: macos-intel-wheel
+          path: dist/*.whl
+
+  Package-macos-arm:
+    if: github.repository == 'opendp/tumult-core'
+    runs-on: macos-latest
+    needs: Check-Tag-Pattern
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Set up runner
+        uses: opendp/tumult-tools/actions/setup@eabe1054863f0916a0087ad180fd83719049c094
+      - run: uv run nox -s build
+      - name: Upload wheel
+        uses: actions/upload-artifact@v4
+        with:
+          name: macos-arm-wheel
+          path: dist/*.whl

From 91f132c339cc88172bb1134e04858613a8e00989 Mon Sep 17 00:00:00 2001
From: dasm <maegereg@gmail.com>
Date: Fri, 3 Oct 2025 15:51:39 -0700
Subject: [PATCH 3/5] Make sure we run cibuildwheel first, and prevent uv run
 from building.

---
 .github/workflows/release.yml | 6 +++---
 noxfile.py                    | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f3168cb..aa49ca2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@v4
       - name: Set up runner
         uses: opendp/tumult-tools/actions/setup@eabe1054863f0916a0087ad180fd83719049c094
-      - run: uv run nox -s build
+      - run: uv run --only-group scripting nox -s build
       - name: Upload wheel
         uses: actions/upload-artifact@v4
         with:
@@ -56,7 +56,7 @@ jobs:
         uses: actions/checkout@v4
       - name: Set up runner
         uses: opendp/tumult-tools/actions/setup@eabe1054863f0916a0087ad180fd83719049c094
-      - run: uv run nox -s build
+      - run: uv run --only-group scripting nox -s build
       - name: Upload wheel
         uses: actions/upload-artifact@v4
         with:
@@ -72,7 +72,7 @@ jobs:
         uses: actions/checkout@v4
       - name: Set up runner
         uses: opendp/tumult-tools/actions/setup@eabe1054863f0916a0087ad180fd83719049c094
-      - run: uv run nox -s build
+      - run: uv run --only-group scripting nox -s build
       - name: Upload wheel
         uses: actions/upload-artifact@v4
         with:
diff --git a/noxfile.py b/noxfile.py
index 7662cea..f01e9fd 100644
--- a/noxfile.py
+++ b/noxfile.py
@@ -186,8 +186,8 @@ def build(session):
     Positional arguments given to nox are passed to the cibuildwheel command,
     allowing it to be run outside of the CI if needed.
     """
-    session.run("uv", "build", "--sdist", external=True)
     session.run("cibuildwheel", "--output-dir", "dist/", *session.posargs)
+    session.run("uv", "build", "--sdist", external=True)
 
 
 sm = SessionManager(

From c39afeca1df7dc98155664721a22f661b8dc8cc8 Mon Sep 17 00:00:00 2001
From: dasm <maegereg@gmail.com>
Date: Fri, 3 Oct 2025 16:28:45 -0700
Subject: [PATCH 4/5] Add a check to make sure cibuildwheel is compiling the
 libraries.

---
 pyproject.toml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pyproject.toml b/pyproject.toml
index 5c1828a..2306399 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -161,6 +161,11 @@ artifacts = [
 [tool.cibuildwheel]
 build = "cp39-* cp310-* cp311-* cp312-*"
 skip = "*-musllinux*"
+before-all = """
+if [ -d src/tmlt/core/ext/lib ] && [ ! -z ${CI+x} ]; then 
+  echo 'Found compiled vendor libraries, but these must be built fresh by cibuildwheel.'
+  exit 1
+fi"""
 
 [tool.cibuildwheel.macos]
 environment = "MACOSX_DEPLOYMENT_TARGET='11.0'"

From 9e005a1116dd9d4ef9e8e9d728d7c6b73fb1ea37 Mon Sep 17 00:00:00 2001
From: dasm <maegereg@gmail.com>
Date: Fri, 3 Oct 2025 22:26:39 -0700
Subject: [PATCH 5/5] Update comment.

---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aa49ca2..9806ba2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,7 +1,7 @@
 # This pipeline is executed every time someone pushes a tag to GitHub. If the
-# tag is a valid version number, it builds the library, runs the slow tests and
-# the benchmarks, pushes the package distribution to PyPI, and if this is a
-# production release, also publishes the docs.
+# tag is a valid version number, it builds the library, and (will eventually) 
+# run the slow tests and the benchmarks, push the package distribution to PyPI,
+# and if this is a production release, also publish the docs.
 name: Release Pipeline
 
 on: