Skip to content

ci: harden workflows and relax release version input #100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 1, 2025
Merged

ci: harden workflows and relax release version input #100

merged 4 commits into from
Oct 1, 2025

Conversation

@Hartorn
Copy link
Member

@Hartorn Hartorn commented Oct 1, 2025

  • Add read-only permissions to CI workflow
  • Validate release version with simple X.Y.Z[alnum/._+-]* pattern (allows 2.0.0b4)
  • Use VERSION env var for uv version, commit, tag, and push with set -euo
  • Sanitize ref name in docs updater before merging to avoid unsafe refs

ci: harden workflows and relax release version input
a511baf 
- Add read-only permissions to CI workflow
- Validate release version with simple X.Y.Z[alnum/._+-]* pattern (allows 2.0.0b4)
- Use VERSION env var for uv version, commit, tag, and push with set -euo
- Sanitize ref name in docs updater before merging to avoid unsafe refs
@Hartorn Hartorn self-assigned this Oct 1, 2025
ci: harden ref handling and treat inputs as env
d05cdd8 
- Set job env VERSION and use for uv/commit/tag and GitHub Release tag_name
- Set job env REF_NAME; validate with git check-ref-format and ensure remote exists before merge
Inokinoki
Inokinoki approved these changes Oct 1, 2025
View reviewed changes
Copy link
Member

@Inokinoki Inokinoki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Hartorn Hartorn enabled auto-merge (squash) October 1, 2025 14:41
@Hartorn Hartorn disabled auto-merge October 1, 2025 14:50
ci: harden ref handling and pass secrets/inputs via env
3408d64 
- create-release: set job env VERSION; use in uv/commit/tag and release tag_name
- create-release: pass PyPI creds via env (no inline secrets in CLI args)
- update-docs: set job env REF_NAME; validate with git check-ref-format; ensure remote exists before merge
@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 1, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Hartorn Hartorn enabled auto-merge (squash) October 1, 2025 15:00
@Hartorn Hartorn merged commit d3e0027 into main Oct 1, 2025
37 of 41 checks passed
@Hartorn Hartorn deleted the fix-sonar branch October 1, 2025 15:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Inokinoki Inokinoki Inokinoki approved these changes

Assignees

@Hartorn Hartorn

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Hartorn @Inokinoki