Implementation:Langchain ai Langgraph Release Workflow
| Knowledge Sources | |
|---|---|
| Domains | CI_CD, Deployment |
| Last Updated | 2026-02-11 16:00 GMT |
Overview
The Release Workflow is a GitHub Actions workflow that automates the build, test, and publish pipeline for all LangGraph Python packages to PyPI.
Description
The release workflow (`release.yml`) is a manually triggered (`workflow_dispatch`) GitHub Actions pipeline that handles the full release lifecycle for any LangGraph Python package. It accepts a `working-directory` input that specifies which library under `libs/` to release, defaulting to `libs/langgraph`. The workflow is designed with a strict separation of concerns between build and publish stages to limit the scope of privileged permissions.
The workflow consists of five sequential jobs. The build job checks out the repository, builds the package distribution using `uv build`, uploads the artifacts, and extracts version information from `pyproject.toml` (supporting both static and dynamic versioning). The release-notes job generates a changelog by comparing git tags and collecting commit messages since the last release for the relevant directory. The test-pypi-publish job publishes the package to Test PyPI using trusted publishing (OIDC-based authentication without API tokens). The pre-release-checks job installs the package from Test PyPI, verifies it imports correctly, installs test dependencies, and runs the test suite against the published package. Finally, the publish job pushes the verified package to production PyPI using trusted publishing, and the mark-release job creates a GitHub release with the generated release notes and the corresponding git tag.
The workflow supports all packages in the monorepo including `langgraph`, `langgraph-checkpoint`, `langgraph-checkpoint-postgres`, `langgraph-checkpoint-sqlite`, `langgraph-sdk`, `langgraph-cli`, and `langgraph-prebuilt`. Tag naming follows the convention `VERSION` for the main `langgraph` package and `SHORT_PKG_NAME==VERSION` for sub-packages (e.g., `checkpointpostgres==1.0.0`).
Usage
Use this workflow to release any LangGraph Python package. It is triggered manually from the GitHub Actions UI by selecting the workflow and specifying the `working-directory` (e.g., `libs/checkpoint-postgres`). The workflow ensures that every release is built, tested against the published artifact on Test PyPI, and then promoted to production PyPI with a corresponding GitHub release tag.
Code Reference
Source Location
- Repository: Langchain_ai_Langgraph
- File: .github/workflows/release.yml
- Lines: 1-327
Signature
name: release
run-name: Release ${{ inputs.working-directory }} by @${{ github.actor }}
on:
workflow_dispatch:
inputs:
working-directory:
required: true
type: string
default: "libs/langgraph"
Import
# Triggered manually via GitHub Actions UI
# No import required - this is a CI/CD workflow definition
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| working-directory | string |
Yes | The library directory to release, relative to the repository root (e.g., `libs/langgraph`, `libs/checkpoint-postgres`). |
Outputs
| Name | Type | Description |
|---|---|---|
| pkg-name | string |
The full package name extracted from `pyproject.toml` (e.g., `langgraph-checkpoint-postgres`). |
| version | string |
The version string of the package being released. |
| tag | string |
The git tag created for the release (e.g., `1.0.0` or `checkpointpostgres==1.0.0`). |
Workflow Jobs
| Job | Description | Key Steps |
|---|---|---|
| build | Builds the package and extracts version info. | Checkout, `uv build`, upload artifact, parse `pyproject.toml` for name/version/tag. |
| release-notes | Generates changelog from git history. | Sparse checkout, find previous tag, collect commit messages since last release. |
| test-pypi-publish | Publishes to Test PyPI. | Uses reusable workflow `_test_release.yml` with trusted publishing (OIDC). |
| pre-release-checks | Validates the published package. | Install from Test PyPI, verify import, run test suite against published artifact. |
| publish | Publishes to production PyPI. | Download artifact, `pypa/gh-action-pypi-publish` with trusted publishing. |
| mark-release | Creates a GitHub release. | Download artifact, create git tag and GitHub release via `ncipollo/release-action`. |
Security Model
The workflow follows security best practices for CI/CD:
- Separation of build and publish: The build job has no publishing permissions. The publish job only has `id-token: write` for OIDC-based trusted publishing.
- Trusted publishing: Uses PyPI OIDC trusted publishers instead of API tokens, eliminating the need for stored secrets.
- No caching in pre-release checks: Deliberately avoids dependency caching during validation to catch missing dependency declarations.
- Minimal permissions: Each job declares only the permissions it needs (`contents: read`, `id-token: write`, `contents: write`).
Usage Examples
# Trigger via GitHub Actions UI:
# 1. Navigate to Actions -> "release" workflow
# 2. Click "Run workflow"
# 3. Set working-directory to the target library, e.g.:
# - libs/langgraph
# - libs/checkpoint-postgres
# - libs/checkpoint-sqlite
# - libs/sdk-py
# - libs/cli
# - libs/prebuilt
# 4. Click "Run workflow"
# The workflow will:
# 1. Build the package
# 2. Publish to Test PyPI
# 3. Install from Test PyPI and run tests
# 4. Publish to production PyPI
# 5. Create a GitHub release with tag and changelog