Our packaging and upgrades were messy and very difficult to maintain and this switch moves to a standard bump version process that we have more control over.
Docker Image Built
A new Docker image has been built for this PR.
Image:
Pull command: docker pull australia-southeast1-docker.pkg.dev/cpg-common/images-dev/cpg_flow:e84116466ecc390211437c5f1ca53f7dd1b47356
This comment was automatically generated by the Docker workflow.
The docs builds had some duplication across workflows and caused issues in packaging. This change condenses the workflows.
We should just use the standard
# Conflicts:
#	.github/renovate-config.json
#	uv.lock
- Switch from bump-my-version to uv version --bump for version management
- Move version from dynamic (__init__.py) to static in pyproject.toml
- Read __version__ via importlib.metadata at runtime
- Fix all GitHub Advanced Security issues in package.yaml: persist-credentials: false, read version from pyproject.toml instead of parsing commit messages
- Remove hardcoded VERSION env vars from docker.yaml and test.yaml, extract dynamically via uv version --short
- Fix dependabot.yml: replace invalid multi-ecosystem-groups with proper groups syntax, use uv ecosystem only, add github-actions
- Add dependabot release age check script and workflow
- Remove .bumpversion.toml and Dockerfile version marker
- Sync with main (v1.3.1)
Motivation

Our packaging, versioning, and dependency upgrade workflows were fragile and hard to maintain. We relied on `python-semantic-release`, which added complexity without clear benefit for our release cadence, and on Renovate for dependency updates, which required a separate hosted workflow, and had hardcoded version strings scattered across multiple files.

Approach

Version management: `uv version` over external tools

Rather than replacing `python-semantic-release` with another third-party tool (`bump-my-version` was considered initially), we use `uv version --bump`, which is built into our existing toolchain. The version source of truth is now a static field in `pyproject.toml` — no more `dynamic = ["version"]` indirection through `__init__.py`. The Makefile targets (`make bump-major/minor/patch`) handle the bump + commit in one step, producing `bump: x.y.z` commit messages that the release workflow keys off.

Dependency updates: Dependabot over Renovate

Switched from Renovate (which needed a separate workflow + config) to Dependabot, which is native to GitHub. We use only the `uv` ecosystem (not `pip`) since Dependabot's `uv` support handles both `pyproject.toml` and `uv.lock`. Added the `github-actions` ecosystem to keep our action pins current. The original config used `multi-ecosystem-groups`, which isn't a valid Dependabot feature — replaced with proper `groups` syntax.

Workflow security fixes

The release workflow had several issues flagged by GitHub Advanced Security: commit message content was interpolated directly into shell commands (injection risk), `persist-credentials` wasn't disabled, and step outputs were used unsafely. Fixed by reading the version from `pyproject.toml` via `uv version --short` instead of parsing commit messages, and using environment variables consistently.

Dynamic version in workflows

Hardcoded `VERSION` env vars in `docker.yaml` and `test.yaml` were a maintenance burden — every bump required touching multiple files. These now extract the version dynamically from `pyproject.toml` at workflow runtime.

Dependabot release age checker

Added a lightweight workflow that comments on Dependabot PRs with how old each proposed package version is. This helps reviewers assess whether a dependency update is battle-tested or brand new. Uses only stdlib Python (no external dependencies).

SonarQube comment auth

Switched from `BOT_ACCESS_TOKEN` to `GITHUB_TOKEN` for posting SonarQube PR comments, since the bot token had expired. Added `pull-requests: write` permission to the sonarqube job to support this.
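The two GHAS findings described under "Workflow security fixes" (event data interpolated into a `run:` step, and `actions/checkout` left with `persist-credentials` enabled) can be caught before review with a small stdlib check. This is an added example, not the project's own workflow or code; the workflow fragments are constructed to show the flagged pattern beside its fix, and the regex-based YAML walk is deliberately naive.

```python
import re

# Event payload fields (commit messages, PR titles, branch names) are attacker-influenced;
# interpolating them into a run: step lets their contents execute as shell code.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:")

def find_run_interpolations(workflow_text):
    """Return (line_no, expression) for each ${{ github.event.* }} inside a run: step."""
    hits, run_indent = [], None
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            run_indent = len(m.group(1)) + len(m.group(2) or "")
        elif run_indent is None or (line.strip() and indent <= run_indent):
            run_indent = None  # left the run: block scalar
            continue
        hits.extend((n, e) for e in UNTRUSTED.findall(line))
    return hits

def checkout_keeps_credentials(workflow_text):
    """True if any actions/checkout step lacks persist-credentials: false (naive split on list items)."""
    steps = re.split(r"\n(?=\s*-\s)", workflow_text)
    return any("actions/checkout@" in s and not re.search(r"persist-credentials:\s*false", s)
               for s in steps)

# Constructed workflow fragments (not the project's files): the pattern GHAS flags, then its fix.
VULNERABLE = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Read version from the commit message
        run: |
          echo "${{ github.event.head_commit.message }}" | grep -oE 'bump: [0-9.]+'
"""
FIXED = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Read version from pyproject.toml
        run: echo "VERSION=$(uv version --short)" >> "$GITHUB_ENV"
"""
```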
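The release age check described above, as an added stdlib-only example rather than the project's actual script: it parses a Dependabot PR title, reads upload timestamps from a PyPI JSON API response, and flags versions younger than a threshold. The title format, the PyPI response shape and the sample data are assumptions; the JSON is constructed inline so the example runs offline.

```python
import json
import re
from datetime import datetime, timezone

# Dependabot titles its PRs "Bump <pkg> from <old> to <new>" (assumed single-package title).
TITLE = re.compile(r"^Bump (?P<pkg>\S+) from (?P<old>\S+) to (?P<new>\S+)")

def parse_title(title):
    m = TITLE.match(title)
    return (m["pkg"], m["old"], m["new"]) if m else None

def release_age_days(pypi_json, version, now):
    """Days since the earliest upload of `version`, using the PyPI JSON API shape
    (releases -> version -> list of files with upload_time_iso_8601); None if unknown."""
    files = pypi_json.get("releases", {}).get(version, [])
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for f in files]
    return (now - min(times)).days if times else None

def review_comment(title, pypi_json, now, min_age_days=7):
    """Text for the PR comment: versions younger than min_age_days are marked NEW."""
    parsed = parse_title(title)
    if parsed is None:
        return None
    pkg, old, new = parsed
    age = release_age_days(pypi_json, new, now)
    if age is None:
        return f"{pkg} {new}: release date unknown, verify manually"
    flag = "OK" if age >= min_age_days else "NEW"
    return f"{pkg} {old} -> {new}: released {age} days ago [{flag}]"

# Constructed stand-in for https://pypi.org/pypi/<pkg>/json (a real run would fetch it
# with urllib.request); the package name and dates are made up.
SAMPLE_PYPI = json.loads("""{
  "info": {"name": "examplepkg"},
  "releases": {
    "1.3.0": [{"upload_time_iso_8601": "2024-01-10T12:00:00.000000Z"}],
    "1.3.1": [{"upload_time_iso_8601": "2024-03-01T08:30:00.000000Z"},
              {"upload_time_iso_8601": "2024-02-28T09:00:00.000000Z"}]
  }
}""")
NOW = datetime(2024, 3, 3, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(review_comment("Bump examplepkg from 1.3.0 to 1.3.1", SAMPLE_PYPI, NOW))
```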