feat: add python wasm release workflow

[mehtarac]

Description

The monorepo now produces three releasable packages: the TypeScript SDK (npm), Python 1.x (PyPI), and the new Python WASM 2.x (PyPI). The Python WASM package embeds a compiled .wasm binary from the TypeScript SDK and ships it as a single wheel. This PR adds the release workflow for that third package and prepares strands-py-wasm for PyPI publishing by resolving a direct URL dependency that PyPI rejects.

The existing Python 1.x workflow is tightened from python/v* to python/v1.* tags; it is scoped to the 1.x line and will be removed at EOL. A new workflow (python-wasm-pypi-publish-on-release.yml) handles python-wasm/v* releases with this pipeline:

• validate TS (reuses typescript-ts-check.yml, typescript-ts-test.yml) →
• validate Python (reuses wasm-py-check.yml) →
• build WASM →
• build wheel →
• publish to PyPI.

The pgrayy-wasmtime dependency is switched from a git+https:// direct reference to a versioned PyPI package. PyPI's upload endpoint rejects direct URL references per PEP 440, so this change is required for publishing. Reference issue

Related Issues

Documentation PR

Type of Change

New feature

Testing

How have you tested the change? Verify that the changes do not break functionality or introduce warnings in consuming repositories: agents-docs, agents-tools, agents-cli

To verify locally that the wheel builds correctly:

npm ci
npm run build -w strands-ts
npm run build -w strands-wasm
cd strands-py-wasm
cp ../LICENSE.APACHE LICENSE.APACHE
sed -i 's/^version = .*/version = "2.0.0rc1"/' pyproject.toml
hatch build
unzip -p dist/*.whl '*.dist-info/METADATA' | grep Requires-Dist
# Should show pgrayy-wasmtime>=46.0.7 with no git URLs
unzip -l dist/*.whl | grep wasm

• I ran hatch run prepare

Checklist

• I have read the CONTRIBUTING document
• I have added any necessary tests that prove my fix is effective or my feature works
• I have updated the documentation accordingly
• I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
• My changes generate no new warnings
• Any dependent changes have been merged and published

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

Assessment: Comment

The workflow structure is sound and follows existing patterns in the repo well. The dependency fix for PyPI publishing is correct and the tag scoping for Python 1.x is a good improvement.

Review Categories

• Security: Shell expressions use direct ${{ }} interpolation in run: blocks instead of intermediate environment variables — standard GitHub Actions hardening practice.
• Correctness: PR description mentions TS validation via reusable workflows that aren't actually called; workflow relies on implicit build-time validation only.
• Robustness: Version extraction lacks empty-value guards; version format uses SemVer syntax for a PEP 440 ecosystem (works due to normalization but may confuse).

The overall approach is clean and the pyproject.toml changes are well-motivated.

[github-actions]

Assessment: Comment

The workflow is well-structured and the pyproject.toml fixes correctly unblock PyPI publishing. The previous review's feedback on env vars and empty-version guard has been largely addressed — good iterative improvement.

Remaining Items

• Security: The Extract version step still has direct ${{ inputs.version }} interpolation in shell (inconsistent with the hardened Validate and Stamp steps that already use env vars).
• Documentation: The PR description's claim about reusing typescript-ts-check.yml and typescript-ts-test.yml doesn't match the actual workflow — consider updating the description for accuracy.

Overall, the workflow follows repo conventions well and the safety guard preventing workflow_dispatch from publishing is a nice touch.

[github-actions]

Assessment: Comment (LGTM with minor outstanding items)

The "address comments" commit has resolved the critical security findings from the previous review round — env vars are now used consistently in Extract version, Validate version, and Stamp version steps, and the empty-version guard is in place.

Outstanding items from prior review (non-blocking)

• PR description accuracy: The description still mentions reusing typescript-ts-check.yml and typescript-ts-test.yml, but the workflow only validates TS implicitly via npm run build -w strands-ts. Consider updating the description to match reality.
• PEP 440 format: The regex and workflow_dispatch description use SemVer-style pre-release notation. This works because hatch normalizes versions, but could confuse operators. A comment in the workflow noting this normalization behavior would suffice.

The workflow is well-structured, permissions are appropriately scoped, and the pyproject.toml changes correctly unblock PyPI publishing.