bckohan
diff --git a/‎.github/workflows/lint.yml‎
Lines changed: 7 additions & 2 deletions b/‎.github/workflows/lint.yml‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 170 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 170 additions & 0 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 61 additions & 0 deletions b/‎.github/workflows/scorecard.yml‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 31 additions & 11 deletions b/‎.github/workflows/test.yml‎
Lines changed: 31 additions & 11 deletions
@@ -5,6 +5,7 @@ permissions: read-all
 on:
   push:
   pull_request:
+  workflow_call:
   workflow_dispatch:
     inputs:
       debug:
@@ -50,10 +51,14 @@ jobs:
 
       - name: Install Just
         uses: extractions/setup-just@v2
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
       - name: Install Dependencies
         run: |
-          just init ${{ steps.sp.outputs.python-path }} install-docs
-          just pin-dependency Django~=${{ matrix.django-version }}.0
+          just setup ${{ steps.sp.outputs.python-path }} install-docs
+          just test-lock Django~=${{ matrix.django-version }}.0
       - name: Install Emacs
         if: ${{ github.event.inputs.debug == 'true' }}
         run: |
 
@@ -0,0 +1,170 @@
+
+name: Publish Release
+
+permissions: read-all
+
+concurrency:
+  # stop previous release runs if tag is recreated
+  group: release-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    tags:
+      - 'v*'  # only publish on version tags (e.g. v1.0.0)
+
+jobs:
+
+  lint:
+    permissions:
+      contents: read
+      actions: write
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit
+
+  test:
+    permissions:
+      contents: read
+      actions: write
+    uses: ./.github/workflows/test.yml
+    secrets: inherit
+
+  build:
+    name: Build Package
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
+    outputs:
+      PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }}
+      RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }}
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ">=3.11"  # for tomlib
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        enable-cache: true
+    - name: Setup Just
+      uses: extractions/setup-just@v2
+    - name: Verify Tag
+      run: |
+        TAG_NAME=${GITHUB_REF#refs/tags/}
+        echo "Verifying tag $TAG_NAME..."
+        # if a tag was deleted and recreated we may have the old one cached
+        # be sure that we're publishing the current tag!
+        git fetch --force origin refs/tags/$TAG_NAME:refs/tags/$TAG_NAME
+
+        # verify signature
+        curl -sL https://github.com/${{ github.actor }}.gpg | gpg --import 
+        git tag -v "$TAG_NAME"
+
+        # verify version
+        RELEASE_VERSION=$(just validate_version $TAG_NAME)
+
+        # export the release version
+        echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV 
+    - name: Build the binary wheel and a source tarball
+      run: just build
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Set Package Name
+      id: set-package
+      run:
+        PACKAGE_NAME=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['name'])")
+        echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_ENV
+
+  publish-to-pypi:
+    name: Publish to PyPI
+    needs:
+      - lint
+      - test
+      - build
+      - publish-to-testpypi
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/${{ needs.build.outputs.PACKAGE_NAME }}
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution 📦 to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1.12
+
+  github-release:
+    name: Publish GitHub Release
+    runs-on: ubuntu-latest
+    needs:
+      - lint
+      - test
+      - build
+    permissions:
+      contents: write  # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write  # IMPORTANT: mandatory for sigstore
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Sign the dists with Sigstore
+      uses: sigstore/[email protected]
+      with:
+        inputs: >-
+          ./dist/*.tar.gz
+          ./dist/*.whl
+    - name: Create GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: >-
+        gh release create
+        '${{ github.ref_name }}'
+        --repo '${{ github.repository }}'
+        --generate-notes
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      # Upload to GitHub Release using the `gh` CLI.
+      # `dist/` contains the built packages, and the
+      # sigstore-produced signatures and certificates.
+      run: >-
+        gh release upload
+        '${{ github.ref_name }}' dist/**
+        --repo '${{ github.repository }}'
+
+  publish-to-testpypi:
+    name: Publish to TestPyPI
+    needs:
+    - build
+    runs-on: ubuntu-latest
+
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/project/${{ needs.build.outputs.PACKAGE_NAME }}
+
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution 📦 to TestPyPI
+      uses: pypa/gh-action-pypi-publish@release/v1.12
+      with:
+        repository-url: https://test.pypi.org/legacy/
+        skip-existing: true
@@ -0,0 +1,61 @@
+name: OpenSSF Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  push:
+    branches: [ main ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/[email protected]
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
@@ -5,6 +5,7 @@ permissions: read-all
 on:
   push:
   pull_request:
+  workflow_call:
   workflow_dispatch:
     inputs:
       debug:
@@ -30,6 +31,7 @@ jobs:
           - '4.2' # LTS April 2026
           - '5.0' # April 2025
           - '5.1' # December 2025
+          - '5.2b1'
         exclude:
           - python-version: '3.11'
             django-version: '3.2'
@@ -39,6 +41,8 @@ jobs:
             django-version: '5.0'
           - python-version: '3.9'
             django-version: '5.1'
+          - python-version: '3.9'
+            django-version: '5.2b1'
           - python-version: '3.13'
             django-version: '3.2'
           - python-version: '3.13'
@@ -63,11 +67,18 @@ jobs:
 
     - name: Setup Just
       uses: extractions/setup-just@v2
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        enable-cache: true
     - name: Install Release Dependencies
       run: |
-        just init ${{ steps.sp.outputs.python-path }}
-        just install
-        just pin-dependency Django~=${{ matrix.django-version }}.0
+        just setup ${{ steps.sp.outputs.python-path }}
+        if [ "${{ matrix.django-version }}" = "5.2b1" ]; then
+          just test-lock "Django==${{ matrix.django-version }}"
+        else
+          just test-lock "Django~=${{ matrix.django-version }}.0"
+        fi
     - name: Install Emacs
       if: ${{ github.event.inputs.debug == 'true' }}
       run: |
@@ -122,11 +133,14 @@ jobs:
 
     - name: Setup Just
       uses: extractions/setup-just@v2
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        enable-cache: true
     - name: Install Release Dependencies
       run: |
-        just init ${{ steps.sp.outputs.python-path }}
-        just install
-        just pin-dependency Django~=${{ matrix.django-version }}.0
+        just setup ${{ steps.sp.outputs.python-path }}
+        just test-lock Django~=${{ matrix.django-version }}.0
     - name: install-emacs-macos
       if: ${{ github.event.inputs.debug == 'true' }}
       run: |
@@ -184,11 +198,14 @@ jobs:
 
     - name: Setup Just
       uses: extractions/setup-just@v2
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        enable-cache: true
     - name: Install Release Dependencies
       run: |
-        just init ${{ steps.sp.outputs.python-path }}
-        just install
-        just pin-dependency Django~=${{ matrix.django-version }}.0
+        just setup ${{ steps.sp.outputs.python-path }}
+        just test-lock Django~=${{ matrix.django-version }}.0
     - name: install-vim-windows
       if: ${{ github.event.inputs.debug == 'true' }}
       uses: rhysd/action-setup-vim@v1
@@ -222,10 +239,13 @@ jobs:
 
       - name: Setup Just
         uses: extractions/setup-just@v2
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
       - name: Install Release Dependencies
         run: |
-          just init ${{ steps.sp.outputs.python-path }}
-          just install
+          just setup ${{ steps.sp.outputs.python-path }}
 
       - name: Get coverage files
         uses: actions/download-artifact@v4