ci: re-lock uv.lock during semantic-release prepare#86
Merged
semantic-release bumped the version in pyproject.toml but never re-locked, so after every release uv.lock still recorded the previous self-version. Each subsequent `uv run` then re-locked the file, dirtying the working tree and failing the pre-push pytest hook with "files were modified by this hook" despite green tests (one manual one-line sync per release, see 321226c). Run `uv lock` in the exec prepareCmd right after the sed version bump and add uv.lock to the @semantic-release/git assets so the refreshed lockfile ships inside the chore(release) commit. Also syncs uv.lock for the 0.12.6 release that predates this fix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
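The drift the commit above describes (pyproject.toml bumped, uv.lock still carrying the previous self-version) is cheap to detect before it reaches a pre-push hook. The following is an added example, not code from this project or its release pipeline: a hypothetical guard that reads the `[project].version` from pyproject.toml and the version uv.lock records for the editable root package (`source = { editable = "." }`), and reports a mismatch. The two file contents are constructed samples, and the package name `demo-pkg` is made up; the parsing is a minimal regex scanner so it needs no third-party TOML library.

```python
"""Detect uv.lock self-version drift after a release bump.

Added example (hypothetical check, not the project's own code). The
pyproject.toml and uv.lock texts below are constructed samples.
"""
import re

# Constructed pyproject.toml: the release bump already happened.
PYPROJECT = '''
[project]
name = "demo-pkg"
version = "0.12.6"
'''

# Constructed uv.lock excerpt: the root package entry still records the
# version from before the bump, which is exactly the stale state that makes
# the next `uv run` rewrite the file.
UV_LOCK_STALE = '''
version = 1

[[package]]
name = "click"
version = "8.1.7"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "demo-pkg"
version = "0.12.5"
source = { editable = "." }
'''

# The same lockfile after `uv lock` has run in the prepare step.
UV_LOCK_FRESH = UV_LOCK_STALE.replace('version = "0.12.5"', 'version = "0.12.6"')


def pyproject_version(text):
    """Return the version string under [project] in pyproject.toml text."""
    in_project = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_project = stripped == "[project]"
            continue
        match = re.match(r'version\s*=\s*"([^"]+)"', stripped)
        if in_project and match:
            return match.group(1)
    raise ValueError("no [project] version in pyproject.toml")


def locked_self_version(text):
    """Return the version uv.lock records for the editable root package.

    Each [[package]] table is inspected; the one whose source is the
    editable project root (source = { editable = "." }) is the project itself.
    """
    tables = re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]
    for table in tables:
        is_root = re.search(r'^source\s*=\s*\{\s*editable\s*=\s*"\."\s*\}', table, re.M)
        if not is_root:
            continue
        match = re.search(r'^version\s*=\s*"([^"]+)"', table, re.M)
        if match:
            return match.group(1)
    raise ValueError("no editable root package in uv.lock")


def lock_drift(pyproject_text, lock_text):
    """Return None when the lockfile agrees with pyproject.toml,
    otherwise the pair (pyproject_version, locked_version)."""
    want = pyproject_version(pyproject_text)
    have = locked_self_version(lock_text)
    return None if want == have else (want, have)


if __name__ == "__main__":
    for label, lock in (("stale", UV_LOCK_STALE), ("fresh", UV_LOCK_FRESH)):
        drift = lock_drift(PYPROJECT, lock)
        print(label, "in sync" if drift is None else f"drift: pyproject {drift[0]}, uv.lock {drift[1]}")
```

Run against real files, the guard belongs in the same prepare step as the version bump (after `uv lock`, where it must report "in sync") or in the pre-push hook, where a non-None result is the early, readable version of the "files were modified by this hook" failure.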
OpenSSF Scorecard's TokenPermissions check flags workflows with no top-level permissions block (alert #118). `read-all` is off the table — a called workflow may not request more than its caller's job grants — but `contents: read` is a subset of the callers' `contents: write` grant, so it passes reusable-workflow validation while giving Scorecard the explicit default it wants. The build-docs job still elevates to `contents: write` for the gh-pages push. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The new protect-main ruleset blocks direct pushes to main. The GitHub Actions app cannot be added as a bypass actor on this org (422 from the API, no suggestion in the UI), so the release pipeline switches to the deploy-key route instead:
- release.yml checks out with the DEPLOY_KEY secret; actions/checkout then configures origin over SSH with that key.
- .releaserc.json pins repositoryUrl to the SSH form so semantic-release pushes the chore(release) commit and tag as the deploy key, which the ruleset's DeployKey bypass waves through. Without the explicit repositoryUrl, semantic-release would construct an authenticated HTTPS URL from GITHUB_TOKEN and push as github-actions[bot] — blocked.
- GITHUB_TOKEN continues to serve the GitHub API (release creation).
Requires the DEPLOY_KEY secret (write deploy key) and the DeployKey bypass on ruleset protect-main to be configured.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary

Release-infrastructure fixes that came out of #85's rollout: the uv.lock drift fix, plus the changes needed to make releases work under the new `protect-main` ruleset, plus a Scorecard TokenPermissions fix.

### 1. Re-lock `uv.lock` during semantic-release prepare

semantic-release bumps the version in `pyproject.toml` but never re-locked, so after every release `uv.lock` recorded the previous self-version; every `uv run` then re-locked it, dirtying the tree and tripping the pre-push pytest hook ("files were modified by this hook"). The exec `prepareCmd` now runs `uv lock` after the `sed` bump, and `uv.lock` ships in the `chore(release)` commit via the `@semantic-release/git` assets. Includes the final manual sync (0.12.5 → 0.12.6).

### 2. Release pushes over SSH via deploy key

The new `protect-main` ruleset blocks direct pushes to main, and the GitHub Actions app can't be added as a bypass actor on this org (API 422, absent from the UI picker). Instead: `release.yml` checks out with the `DEPLOY_KEY` secret, and `.releaserc.json` pins `repositoryUrl` to the SSH form so semantic-release pushes the `chore(release)` commit + tag as the deploy key (covered by the ruleset's DeployKey bypass) instead of constructing an authenticated HTTPS URL from `GITHUB_TOKEN` and pushing as github-actions[bot] (blocked).

**Prerequisites before the next releasable merge (operator actions, not in this PR):** create the write deploy key + `DEPLOY_KEY` secret, and add the "Deploy keys" bypass to ruleset `protect-main`.

### 3. Scorecard TokenPermissions fix (alert #118)

`quarto-build.yml` had no top-level `permissions:` block (workflow-level `read-all` is impossible in a called workflow — it may not request more than the caller's job grants). Top-level `contents: read` is a subset of the callers' `contents: write` grant, satisfying both the reusable-workflow validation and Scorecard.

## Verification

- `actionlint` + `jq` clean; fast suite green via pre-push hook
- `feat:`/`fix:` merge

🤖 Generated with Claude Code
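Sections 2 and 3 above each describe a config invariant that is easy to regress silently: a workflow losing its top-level read-only `permissions:` block, or `.releaserc.json` losing the SSH `repositoryUrl`, the `uv lock` call in `prepareCmd`, or `uv.lock` in the git assets. The following is an added example and not the project's own code or config: a hypothetical repo-config lint that checks both. The embedded workflow (before and after the fix) and the `.releaserc.json` document are constructed samples; `example-org/example-repo`, the job name, the sed pattern and the plugin list are assumptions, not taken from the project. The workflow check deliberately uses a minimal line scanner rather than a YAML library so the script has no third-party dependency.

```python
"""Lint the release plumbing this PR depends on.

Added example, not the project's code. Checks (1) that a workflow declares a
top-level, read-only permissions block (the Scorecard TokenPermissions point)
and (2) that .releaserc.json pushes over SSH, re-locks in prepareCmd and
ships uv.lock. All inputs below are constructed samples.
"""
import json
import re

# Constructed reusable workflow as it was before the fix: only a job-level
# grant, no top-level block.
WORKFLOW_BEFORE = """\
name: quarto-build
on:
  workflow_call:
jobs:
  build-docs:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
"""

# The same workflow with the explicit read-only default added at the top;
# the job-level `contents: write` for the gh-pages push stays as it was.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "jobs:\n", "permissions:\n  contents: read\njobs:\n", 1
)

# Constructed .releaserc.json (org/repo name, sed pattern and plugin list
# are assumptions): SSH repositoryUrl, `uv lock` after the bump, uv.lock in
# the git assets.
RELEASERC = json.loads(r'''
{
  "repositoryUrl": "git@github.com:example-org/example-repo.git",
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    ["@semantic-release/exec", {
      "prepareCmd": "sed -i 's/^version = \".*\"/version = \"${nextRelease.version}\"/' pyproject.toml && uv lock"
    }],
    ["@semantic-release/git", {
      "assets": ["pyproject.toml", "uv.lock", "CHANGELOG.md"]
    }],
    "@semantic-release/github"
  ]
}
''')

READ_ONLY_LEVELS = ("read", "read-all", "none")


def top_level_permissions(workflow_yaml):
    """Return the workflow-level permissions as {scope: level}.

    A column-0 `permissions:` key followed by indented `scope: level` lines
    is the mapping form; the scalar forms `read-all` / `write-all` are
    returned as {"*": level}. An absent block yields {}.
    """
    lines = workflow_yaml.splitlines()
    for i, line in enumerate(lines):
        match = re.match(r"^permissions:\s*(\S*)\s*$", line)
        if not match:
            continue
        if match.group(1):
            return {"*": match.group(1)}
        perms = {}
        for child in lines[i + 1:]:
            cm = re.match(r"^\s+([\w-]+):\s*(\S+)\s*$", child)
            if not cm:
                break
            perms[cm.group(1)] = cm.group(2)
        return perms
    return {}


def workflow_findings(workflow_yaml):
    """TokenPermissions-style check: a missing top-level block, or any
    top-level grant that is not read-only, is a finding."""
    perms = top_level_permissions(workflow_yaml)
    if not perms:
        return ["no top-level permissions block (GITHUB_TOKEN gets the repo default)"]
    return [f"top-level {scope}: {level} is not read-only"
            for scope, level in perms.items() if level not in READ_ONLY_LEVELS]


def plugin_options(cfg, name):
    """Return the options object of a semantic-release plugin entry, or {}."""
    for entry in cfg.get("plugins", []):
        if isinstance(entry, list) and entry and entry[0] == name:
            return entry[1] if len(entry) > 1 else {}
    return {}


def releaserc_findings(cfg):
    """Check the three .releaserc.json settings the release route relies on."""
    problems = []
    url = cfg.get("repositoryUrl", "")
    if not (url.startswith("git@") or url.startswith("ssh://")):
        problems.append("repositoryUrl is not SSH; semantic-release would push "
                        "over HTTPS as github-actions[bot]")
    prepare = plugin_options(cfg, "@semantic-release/exec").get("prepareCmd", "")
    if "uv lock" not in prepare:
        problems.append("exec prepareCmd does not run `uv lock` after the bump")
    if "uv.lock" not in plugin_options(cfg, "@semantic-release/git").get("assets", []):
        problems.append("uv.lock missing from @semantic-release/git assets")
    return problems


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print("workflow", label, workflow_findings(text) or "ok")
    print("releaserc", releaserc_findings(RELEASERC) or "ok")
```

Pointed at the real `.github/workflows/*.yml` and `.releaserc.json`, the same two functions make a one-line CI step that fails the build when someone drops the top-level block or reverts the SSH `repositoryUrl`, which is the regression Scorecard would otherwise only report after the fact.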