Skip to content

ci: re-lock uv.lock during semantic-release prepare #86

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bartzbeielstein merged 3 commits into from
Jun 4, 2026
Merged

ci: re-lock uv.lock during semantic-release prepare #86

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
97d9ab3
ci: re-lock uv.lock during semantic-release prepare
bartzbeielstein Jun 4, 2026
740014c
ci: declare read-only top-level permissions in quarto-build.yml
bartzbeielstein Jun 4, 2026
41ee224
ci: push semantic-release commits over SSH via deploy key
bartzbeielstein Jun 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions .github/workflows/quarto-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,13 @@ on:
type: string
default: ""

# NOTE: no workflow-level `permissions:` here. A called workflow may not
# NOTE: keep workflow-level permissions minimal. A called workflow may not
# request more than its caller's job grants; `read-all` would demand read on
# every scope while callers grant only `contents: write` (startup_failure).
# The job below declares exactly what it needs.
# `contents: read` is a subset of that grant and satisfies the OpenSSF
# Scorecard TokenPermissions check; the job below elevates to what it needs.
permissions:
contents: read

env:
QUARTO_VERSION: "1.8.27"
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,9 +37,15 @@ jobs:

steps:
# ── Checkout ──────────────────────────────────────────────────────
# ssh-key: the protect-main ruleset blocks direct pushes to main, with
# a bypass for deploy keys. Checking out with the DEPLOY_KEY secret
# makes git operate over SSH as that deploy key, so semantic-release's
# chore(release) push (see repositoryUrl in .releaserc.json) bypasses
# the ruleset. GITHUB_TOKEN stays for the GitHub API (release creation).
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
ssh-key: ${{ secrets.DEPLOY_KEY }}

# ── Python + uv ──────────────────────────────────────────────────
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
Expand Down
6 changes: 4 additions & 2 deletions .releaserc.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{
"repositoryUrl": "git@github.com:sequential-parameter-optimization/spotoptim.git",
"branches": [
"main"
],
Expand Down Expand Up @@ -128,7 +129,7 @@
[
"@semantic-release/exec",
{
"prepareCmd": "sed -i 's/^version = .*/version = \"${nextRelease.version}\"/' pyproject.toml"
"prepareCmd": "sed -i 's/^version = .*/version = \"${nextRelease.version}\"/' pyproject.toml && uv lock"
}
],
[
Expand Down Expand Up @@ -159,7 +160,8 @@
{
"assets": [
"CHANGELOG.md",
"pyproject.toml"
"pyproject.toml",
"uv.lock"
],
"message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
}
Expand Down
2 changes: 1 addition & 1 deletion uv.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading