Change: Allow only manual releases from main

.github/workflows/build-test-release.yml

@@ -14,11 +14,6 @@ on:
         description: Create a (pre-)release when CI passes
         default: false
         required: false
-      update_dependencies:
-        type: boolean
-        description: Update dependencies to their latest version
-        default: false
-        required: false
     outputs:
       tag:
         description: "The created release tag"
@@ -102,10 +97,9 @@ jobs:
 
       - name: Run All Code Quality Checks & Tests
         run: poe all --check
-
 
   github-release:
-    if: ${{ inputs.create_release == 'true' }}
+    if: ${{ github.ref == 'refs/heads/main' && inputs.create_release }}
     needs:
       - build-python
       - tests
@@ -125,7 +119,6 @@ jobs:
           path: dist/
 
       - name: Prevent automatic major/minor release
-        if: (github.event_name == 'push')
         run: |
           echo "Fetching the latest release..."
           tag=$(gh release view --json tagName --jq '.tagName')
@@ -150,12 +143,44 @@ jobs:
         run: echo "${{ steps.tag.outputs.tag }}"
 
       - name: Release
-        if: (inputs.create_release)
         uses: softprops/action-gh-release@v2
         with:
           files: |
             ./dist/*
           tag_name: ${{ steps.tag.outputs.tag }}
-          prerelease: ${{github.ref != 'refs/heads/main'}}
           generate_release_notes: true
           target_commitish: ${{ github.sha }}
+
+  publish:
+    name: Publish to PyPI
+    needs: github-release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write  # Required for Trusted Publishing
+    steps:
+      - name: Download assets from latest GitHub release using gh CLI
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p assets-to-publish
+          release_tag="${{ needs.build-test-release.outputs.tag }}"
+          gh release download "$release_tag" --repo "$GITHUB_REPOSITORY" --dir assets-to-publish
+
+      - name: List downloaded assets
+        run: ls -la assets-to-publish
+
+      - name: Upload assets to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          # To test, use the TestPyPI:
+          # repository-url: https://test.pypi.org/legacy/
+          # You must also create an account and project on TestPyPI,
+          # as well as set the trusted-publisher in the project settings:
+          # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+          # To publish to the official PyPI repository, just keep
+          # repository-url commented out.
+          packages-dir: assets-to-publish
+          skip-existing: true
+          print-hash: true
+          verbose: true

.github/workflows/check-blocking-labels.yml

@@ -6,16 +6,12 @@
 name: Check Blocking Labels
 
 on:
-  # run pipeline on pull request
   pull_request:
     types:
       - opened
       - synchronize
       - labeled
       - unlabeled
-  # run pipeline on merge queue
-  merge_group:
-  # run this workflow manually from the Actions tab
   workflow_dispatch:
 
 concurrency:

.github/workflows/check-code-quality.yml

@@ -22,7 +22,9 @@ concurrency:
 jobs:
   check-code-quality:
     runs-on: ubuntu-latest
-
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
     steps:
       - name: Checkout source code
         uses: actions/checkout@v5
@@ -33,6 +35,7 @@ jobs:
         with:
           activate-environment: true
           enable-cache: true
+          python-version: ${{ matrix.python-version }}
 
       - name: install poe
         if: ${{ always() }}

.github/workflows/ci.yml

@@ -3,19 +3,18 @@
 # SPDX-License-Identifier: MPL-2.0
 
 
-name: CI Build
+name: CI/CD
 
 on:
   push:
     branches:
       - main  # run pipeline on pull request
   pull_request:
-  merge_group:  # run pipeline on merge queue
   workflow_dispatch:  # run this workflow manually from the Actions tab
     inputs:
       create_release:
         type: boolean
-        description: Create a (pre-)release when CI passes
+        description: Create a release (only works on main branch)
         default: false
         required: true
 
@@ -30,62 +29,17 @@ jobs:
       - run: echo "ci started"
 
   build-test-release:
+    if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
     name: build-test-release
     uses: "./.github/workflows/build-test-release.yml"
     permissions:
       contents: write
+      id-token: write  # Required for Trusted Publishing
     with:
-      create_release: ${{ (github.event_name == 'workflow_dispatch' && inputs.create_release) || (github.event_name == 'push') }}
+      create_release: ${{ inputs.create_release }}
 
   check-code-quality:
     uses: "./.github/workflows/check-code-quality.yml"
 
   reuse-compliance:
     uses: "./.github/workflows/reuse-compliance.yml"
-
-  ci-passed:
-    runs-on: ubuntu-latest
-    needs: [ci-started, build-test-release, check-code-quality, reuse-compliance]
-    if: always()
-
-    steps:
-      # this explicit check is needed cfr. https://github.com/orgs/community/discussions/75568
-      - name: "Check whether all jobs passed"
-        run: echo '${{ toJSON(needs) }}' | jq -e 'to_entries | all(.value.result == "success")'
-      - run: echo "ci passed"
-
-  publish:
-    name: Publish to PyPI
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      id-token: write  # Required for Trusted Publishing
-    needs: build-test-release
-    if: (github.event_name == 'workflow_dispatch' && inputs.create_release) || github.event_name == 'push'
-
-    steps:
-      - name: Download assets from latest GitHub release using gh CLI
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mkdir -p assets-to-publish
-          release_tag="${{ needs.build-test-release.outputs.tag }}"
-          gh release download "$release_tag" --repo "$GITHUB_REPOSITORY" --dir assets-to-publish
-
-      - name: List downloaded assets
-        run: ls -la assets-to-publish
-
-      - name: Upload assets to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          # To test, use the TestPyPI:
-          # repository-url: https://test.pypi.org/legacy/
-          # You must also create an account and project on TestPyPI,
-          # as well as set the trusted-publisher in the project settings:
-          # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
-          # To publish to the official PyPI repository, just keep
-          # repository-url commented out.
-          packages-dir: assets-to-publish
-          skip-existing: true
-          print-hash: true
-          verbose: true

.github/workflows/reuse-compliance.yml

@@ -6,9 +6,7 @@
 name: REUSE Compliance Check
 
 on:
-  # run pipeline from another workflow
   workflow_call:
-  # run this workflow manually from the Actions tab
   workflow_dispatch:
 
 concurrency:

.github/workflows/sonar.yml

@@ -5,14 +5,11 @@
 name: Sonar Cloud
 
 on:
-  # run pipeline on push event of main branch
   push:
     branches:
       - main
-  # run pipeline on pull request
   pull_request:
-  # run pipeline on merge queue
-  merge_group:
+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-sonar