Skip to content

Add LangChain TinyFish integration #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pranavjana wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add LangChain TinyFish integration #14

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
46fedc9
Add SDK-backed LangChain TinyFish tools
pranavjana May 11, 2026
b33becc
Address LangChain CodeRabbit review findings
pranavjana May 11, 2026
ffd253a
Install build in LangChain CI
pranavjana May 11, 2026
26a9514
Publish LangChain only when PyPI needs the version
May 19, 2026
8ad7179
Document how integration package versions publish
May 19, 2026
888a32b
Guide maintainer-only workflow docs
May 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .github/AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# GitHub workflow guidance

This directory contains maintainer-facing repository automation and notes.

- Keep release-process documentation in `.github/README.md` or another maintainer-only repo doc, not in package `README.md` files that become PyPI project descriptions.
- Python package publish workflows should read package name/version from the package `pyproject.toml`, check PyPI for that exact version, and skip publishing if it already exists.
- Do not add automatic version bumping to publish workflows unless the release process is explicitly redesigned; package version bumps should be reviewed in PRs.
- Use the repository `PYPI_API_TOKEN` Actions secret for token-based PyPI publishing. Never commit token values or package credentials.
- Keep publish workflows scoped by `paths` to the package directory and the workflow file so unrelated merges do not trigger package release jobs.
26 changes: 26 additions & 0 deletions .github/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Maintainer notes

This file is for repository maintainers. Do not copy release-process notes into an integration package `README.md`: package READMEs are used as PyPI project descriptions.

## Python integration releases

Python integration publish workflows do not bump package versions automatically. Each workflow reads the package name and version from that integration's `pyproject.toml`, checks PyPI for that exact version, and publishes only when the version does not already exist.

To publish a new version:

1. Update the package version in the relevant `pyproject.toml`.
2. Commit the version bump with the code change.
3. Merge to `main`.
4. Let the push-to-`main` publish workflow run.

Current Python package version files:

| Integration | Package | Version file |
| --- | --- | --- |
| Google ADK | `tinyfish-adk` | `google-adk/pyproject.toml` |
| CrewAI | `tinyfish-web-agent` | `crew-ai/pyproject.toml` |
| LangChain | `langchain-tinyfish` | `langchain/pyproject.toml` |

PyPI versions are immutable. If a version has already been published, bump to a new version such as a patch release before merging.

The publish workflows use the repository `PYPI_API_TOKEN` Actions secret provisioned through `github-control`; never commit token values or package credentials.
41 changes: 41 additions & 0 deletions .github/workflows/langchain-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
name: LangChain CI

on:
pull_request:
branches: [main]
paths:
- ".github/workflows/langchain-ci.yml"
- "langchain/**"
push:
branches: [main]
paths:
- ".github/workflows/langchain-ci.yml"
- "langchain/**"

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest

defaults:
run:
working-directory: langchain

steps:
- uses: actions/checkout@v6

- uses: actions/setup-python@v6
with:
python-version: "3.12"

- run: python -m pip install --upgrade pip

- run: python -m pip install -e . -r requirements-dev.txt

- run: make lint

- run: make test

- run: python -m build
106 changes: 106 additions & 0 deletions .github/workflows/langchain-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
name: LangChain CD - Publish to PyPI

on:
push:
branches: [main]
paths:
- ".github/workflows/langchain-publish.yml"
- "langchain/**"

jobs:
build:
name: Build distribution
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
version-exists: ${{ steps.version.outputs.exists }}
package-version: ${{ steps.version.outputs.version }}
steps:
- name: Checkout repository
uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"

- name: Install uv
uses: astral-sh/setup-uv@v8.1.0

- name: Check PyPI version availability
id: version
working-directory: ./langchain
run: |
PACKAGE=$(python -c "import tomllib; f=open('pyproject.toml','rb'); d=tomllib.load(f); print(d['project']['name'])")
VERSION=$(python -c "import tomllib; f=open('pyproject.toml','rb'); d=tomllib.load(f); print(d['project']['version'])")
echo "package=${PACKAGE}" >> "$GITHUB_OUTPUT"
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
RESULT=$(python - "$PACKAGE" "$VERSION" <<'PY'
import sys
import urllib.error
import urllib.parse
import urllib.request

package = sys.argv[1]
version = sys.argv[2]
url = f"https://pypi.org/pypi/{urllib.parse.quote(package)}/{version}/json"
try:
with urllib.request.urlopen(url, timeout=10):
pass
except urllib.error.HTTPError as exc:
if exc.code == 404:
print("missing")
sys.exit(0)
print(f"PyPI returned HTTP {exc.code} while checking {url}", file=sys.stderr)
sys.exit(2)
except Exception as exc:
print(f"Failed to check PyPI for {url}: {exc}", file=sys.stderr)
sys.exit(2)
print("exists")
PY
)
case "$RESULT" in
exists)
echo "exists=true" >> "$GITHUB_OUTPUT"
echo "${PACKAGE} ${VERSION} already exists on PyPI; skipping publish."
;;
missing)
echo "exists=false" >> "$GITHUB_OUTPUT"
echo "${PACKAGE} ${VERSION} is available on PyPI; building distribution."
;;
*)
echo "Unexpected PyPI availability result: $RESULT"
exit 1
;;
esac
Comment on lines +31 to +76
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

find . -name "langchain-publish.yml" -type f

Repository: tinyfish-io/tinyfish-web-agent-integrations

Length of output: 129

🏁 Script executed:

cat -n .github/workflows/langchain-publish.yml 2>/dev/null || echo "File not found in root"

Repository: tinyfish-io/tinyfish-web-agent-integrations

Length of output: 4227

🌐 Web query:

pypa gh-action-pypi-publish skip-existing parameter documentation

💡 Result:

The pypa/gh-action-pypi-publish action documents the input parameter as skip-existing, disabled by default, and it can be enabled in the workflow as: with: skip-existing: true [1][2] The official action repository explains that skip-existing is intended to tolerate release package file duplicates (e.g., race conditions when publishing the same release from multiple places), and includes a note advising to avoid enabling it when possible. [1] In the action.yml, the input is wired through to the underlying implementation via skip-existing: ${{ inputs.skip-existing || inputs.skip_existing }}. [3]

Citations:

Make the publish step idempotent.

The preflight PyPI check creates a TOCTOU window: two concurrent workflow runs can both observe the version as missing before either publishes, causing the second upload to fail. pypa/gh-action-pypi-publish supports skip-existing: true to tolerate duplicate releases, so add it to the publish step.

🛠️ Proposed fix 
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/
+         skip-existing: true
          password: ${{ secrets.PYPI_API_TOKEN }}
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/langchain-publish.yml around lines 31 - 76, The publish
step currently uses the pypa/gh-action-pypi-publish action and is vulnerable to
a TOCTOU race; update the "Publish to PyPI" step that invokes
pypa/gh-action-pypi-publish to include the input skip-existing: true so the
action tolerates duplicate uploads if another run already pushed the same
version. Locate the step that uses pypa/gh-action-pypi-publish and add the
skip-existing: true parameter to the action inputs (you can keep the preflight
PyPI check but ensure skip-existing is set).


- name: Build package
if: steps.version.outputs.exists == 'false'
working-directory: ./langchain
run: uv build

- name: Upload distribution artifact
if: steps.version.outputs.exists == 'false'
uses: actions/upload-artifact@v7
with:
name: python-package-distributions
path: langchain/dist/

publish-pypi:
name: Publish to PyPI
needs: build
if: needs.build.outputs.version-exists == 'false'
runs-on: ubuntu-latest
steps:
- name: Download distributions
uses: actions/download-artifact@v8
with:
name: python-package-distributions
path: dist/

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: dist/
password: ${{ secrets.PYPI_API_TOKEN }}
Comment on lines +90 to +106
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the workflow file
find . -name "langchain-publish.yml" -type f

Repository: tinyfish-io/tinyfish-web-agent-integrations

Length of output: 129

🏁 Script executed:

# Get the specific lines from the workflow file
if [ -f ".github/workflows/langchain-publish.yml" ]; then
  cat -n ".github/workflows/langchain-publish.yml" | sed -n '90,110p'
fi

Repository: tinyfish-io/tinyfish-web-agent-integrations

Length of output: 696

🌐 Web query:

gh-action-pypi-publish OIDC trusted publishing configuration

💡 Result:

Trusted Publishing (using OpenID Connect) allows you to publish Python packages to PyPI from GitHub Actions without storing long-lived API tokens or passwords as GitHub Secrets [1][2]. To configure Trusted Publishing with the pypa/gh-action-pypi-publish action, follow these steps: 1. Configure the Trusted Publisher on PyPI Navigate to your project's settings on PyPI (e.g., https://pypi.org/manage/project//settings/publishing/) [3][4]. Add a new trusted publisher by specifying the GitHub repository owner, repository name, and the workflow filename (e.g., release.yml) that will perform the publishing [3][4]. You can optionally restrict this to a specific GitHub Actions environment [3][4]. 2. Update your GitHub Actions Workflow In your GitHub Actions workflow file, you must grant the publishing job the necessary OIDC permissions and omit any username or password inputs for the action [3][2]. Required configuration in your workflow YAML: - Set the id-token permission to write at the job level [3][5]. - Use the pypa/gh-action-pypi-publish action without providing a username or password [2][6]. Example Workflow Snippet: jobs: pypi-publish: runs-on: ubuntu-latest environment: release permissions: id-token: write # Mandatory for Trusted Publishing steps: - uses: actions/download-artifact@v5 with: name: release-dists path: dist/ - uses: pypa/gh-action-pypi-publish@release/v1 Important Considerations: - Security: Trusted Publishing is highly recommended over long-lived API tokens because it uses short-lived, automatically expiring tokens, significantly reducing the risk of credential theft [1][7]. - Reusable Workflows: Trusted Publishing is currently not supported when called from within a reusable workflow [6]. It is recommended to keep the job that calls pypa/gh-action-pypi-publish in a top-level workflow [6]. - Isolation: It is best practice to keep your build and publish steps in separate jobs, with the publish job having the minimum necessary privileges [2].

Citations:

Switch this job to OIDC Trusted Publishing.

The job currently uses password: ${{ secrets.PYPI_API_TOKEN }} without declaring permissions.id-token: write, keeping a long-lived secret in the release path. OIDC Trusted Publishing provides superior security by using short-lived, automatically expiring tokens instead of long-lived API tokens. To enable it, add permissions: id-token: write at the job level and remove the explicit password field.

Proposed fix 
   publish-pypi:
     name: Publish to PyPI
     needs: build
     if: needs.build.outputs.version-exists == 'false'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Download distributions
         uses: actions/download-artifact@v8
         with:
           name: python-package-distributions
           path: dist/
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: dist/
-          password: ${{ secrets.PYPI_API_TOKEN }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
publish-pypi:
name: Publish to PyPI
needs: build
if: needs.build.outputs.version-exists == 'false'
runs-on: ubuntu-latest
steps:
- name: Download distributions
uses: actions/download-artifact@v8
with:
name: python-package-distributions
path: dist/
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: dist/
password: ${{ secrets.PYPI_API_TOKEN }}
publish-pypi:
name: Publish to PyPI
needs: build
if: needs.build.outputs.version-exists == 'false'
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Download distributions
uses: actions/download-artifact@v8
with:
name: python-package-distributions
path: dist/
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: dist/
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/langchain-publish.yml around lines 90 - 106, The
publish-pypi job is using a long-lived secret via the password field; switch it
to OIDC Trusted Publishing by adding a job-level permissions block that sets
id-token: write and removing the explicit password input for the
pypa/gh-action-pypi-publish step. Update the job named publish-pypi to include
permissions: id-token: write and delete the line referencing password: ${{
secrets.PYPI_API_TOKEN }} so the pypa/gh-action-pypi-publish action will use
OIDC instead of the stored secret.

12 changes: 12 additions & 0 deletions langchain/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
*.egg-info/
*.egg
dist/
build/
__pycache__/
*.pyc
*.pyo
.env
.claude/
.mypy_cache/
.ruff_cache/
.pytest_cache/
21 changes: 21 additions & 0 deletions langchain/LICENSE
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2026 TinyFish

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
24 changes: 24 additions & 0 deletions langchain/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
.PHONY: all format lint test integration_test check_imports clean

all: format lint test

TEST_FILE ?= tests/unit_tests/
integration_test: TEST_FILE = tests/integration_tests/

format:
ruff format langchain_tinyfish tests
ruff check --fix langchain_tinyfish tests

lint:
ruff check langchain_tinyfish tests
mypy langchain_tinyfish

test integration_test:
pytest $(TEST_FILE) -v

check_imports: $(shell find langchain_tinyfish -name '*.py')
python scripts/check_imports.py $^

clean:
rm -rf build dist *.egg-info .pytest_cache .mypy_cache .ruff_cache
find . -type d -name __pycache__ -exec rm -rf {} +
Loading