fix: suppress CodeQL false positives in formatters.py (#57) #62
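---
# Release workflow: on every push to main, run Python Semantic Release and,
# when a new distribution was built successfully, publish it to PyPI using
# OIDC trusted publishing.
name: Release

on:
  push:
    branches:
      - main

# Set read-only permissions by default
permissions: read-all

jobs:
  # Skip test job - CI workflow already runs comprehensive tests on push to main
  release:
    runs-on: ubuntu-latest
    # Grant write permissions only to this job
    # NOTE(review): these scopes apply to every step of the job, including the
    # steps that install and run third-party dependency code. Moving the PyPI
    # publish into its own job would confine id-token: write to that job.
    permissions:
      contents: write  # Required for semantic-release to create releases and push commits
      id-token: write  # Required for PyPI OIDC trusted publishing
      pull-requests: write  # Required for semantic-release PR comments
    steps:
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          # Full history so semantic-release can inspect all commits and tags.
          fetch-depth: 0
          # NOTE(review): checkout persists this token in the local git config
          # by default, so later steps can read it. Confirm semantic-release
          # needs that; otherwise set persist-credentials: false and rely on
          # GH_TOKEN in the release step.
          token: ${{ steps.app-token.outputs.token }}

      - name: Set up Python
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
        with:
          python-version: '3.12'
          # NOTE(review): restored caches feed directly into the published
          # artifact. If a lower-trust workflow can write the same cache key,
          # consider disabling caching in this job.
          cache: pip
          cache-dependency-path: pyproject.toml

      - name: Install uv
        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7
        with:
          enable-cache: true
          cache-dependency-glob: "pyproject.toml"

      - name: Install dependencies
        # NOTE(review): without --locked, uv may re-resolve dependencies at
        # release time; confirm a committed lockfile is enforced for this build.
        run: uv sync

      - name: Upgrade setuptools
        # NOTE(review): --system targets the runner's interpreter, while the
        # release step uses `uv run` (project environment) - confirm this step
        # still has an effect on the build.
        run: uv pip install --system "setuptools>=61.0"

      - name: Release with Python Semantic Release
        id: semantic-release
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Capture the exit status instead of aborting, so the outputs below
          # are always written.
          set +e
          uv run semantic-release version
          status=$?
          set -e
          echo "exit_code=${status}" >> "$GITHUB_OUTPUT"
          # Publish only when semantic-release succeeded AND dist/ was created
          # (indicates new release). A dist/ left behind by a failed run must
          # not reach PyPI.
          if [ "${status}" -eq 0 ] && [ -d "dist" ]; then
            echo "new_release=true" >> "$GITHUB_OUTPUT"
          else
            if [ "${status}" -ne 0 ]; then
              echo "::warning::semantic-release exited with status ${status}; skipping publish"
            fi
            echo "new_release=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Publish to PyPI
        if: steps.semantic-release.outputs.new_release == 'true'
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
        with:
          # Print artifact hashes in the log so the upload can be verified later.
          print-hash: true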