The release-preparation workflow exposes a contents- and
pull-request-write `GITHUB_TOKEN` while running `rooster`.
`rooster@0.1.1` was pinned, but `uvx` still resolved its transitive
dependencies at runtime, so code outside the repository lock could
execute with that token.
Add a dedicated Python 3.12+ `release` dependency group containing
`rooster==0.1.1`, commit its full dependency graph to `uv.lock`, and
invoke it with `uv run --locked --python 3.12 --only-group release`.
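
An added example, not part of the commit or the project's code: a heuristic audit that flags workflow `run:` steps which resolve dependencies outside `uv.lock`, and rates them higher when the workflow grants a write-scoped token. The sample workflow, the `<args>` placeholder and the function names `classify` and `audit` are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample workflow, not the project's real file; "<args>" stands in
# for rooster's arguments, which the commit message does not give.
SAMPLE = """\
name: prepare-release
permissions:
  contents: write
  pull-requests: write
jobs:
  prepare:
    runs-on: ubuntu-latest
    steps:
      - run: uvx rooster@0.1.1 <args>
      - run: uv run --python 3.12 --only-group release rooster <args>
      - run: uv run --locked --python 3.12 --only-group release rooster <args>
"""

# Line-based heuristics: a write-scoped permission, and a single-line run step.
WRITE_RE = re.compile(r"^\s*(permissions:\s*write-all|[a-z-]+:\s*write)\s*$")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.+)$")


def classify(command):
    """Return a finding for one shell command, or None if it is lock-bound."""
    argv = shlex.split(command)
    if not argv:
        return None
    if argv[0] == "uvx" or argv[:3] == ["uv", "tool", "run"]:
        return "tool dependencies are resolved at run time, outside uv.lock"
    if argv[:2] == ["uv", "run"] and not {"--locked", "--frozen"} & set(argv):
        return "uv run without --locked/--frozen may re-resolve the lock"
    return None


def audit(workflow_text):
    """Return (line number, severity, reason) for each unlocked invocation."""
    lines = workflow_text.splitlines()
    has_write = any(WRITE_RE.match(line) for line in lines)
    findings = []
    for number, line in enumerate(lines, 1):
        match = RUN_RE.match(line)
        if match and (reason := classify(match.group(1))):
            findings.append((number, "high" if has_write else "low", reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

Multi-line `run: |` blocks and locking set through environment variables are not covered by this sketch.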
## Summary
- add repo-local Codex hooks matching the existing Claude hooks
- move the hook implementations into `scripts/hooks` so both agents
share one implementation
- handle Codex `apply_patch` payloads in the post-edit formatter
- keep other repo-local `.codex` state ignored while tracking
`.codex/hooks.json`
## Validation
- `python3 -m json.tool .claude/settings.json`
- `python3 -m json.tool .codex/hooks.json`
- `bash -n scripts/hooks/session-start.sh`
- `bash -n scripts/hooks/session-start-web.sh`
- exercised `uv run scripts/hooks/post-edit-format.py` with Claude
`Write` and Codex `apply_patch` payloads
## Summary
#19565 made most of the latest Python version constants non-public, but
the script only matched `pub const` declarations. As a result, the daily
Python release sync workflow silently stopped updating those constants.
This PR fixes that.
This PR also cleans up the script a bit (see individual commits for
details).
## Test Plan
Manual testing.
This makes it easier for us to add resolver scenarios by
1. Rewriting the scenario package generation in Rust
2. Serving scenario packages from memory in a wiremock index
3. Rewriting the scenario test case generation in Rust
4. Dropping all dependencies on packse / the packse index
---------
Co-authored-by: Codex <noreply@openai.com>
Using the docker container, we can reproducibly build the committed
Windows trampolines given that neither the sources nor the crate
versions change, as the crate versions are part of Cargo's Strict
Version Hash which determines the ordering in binaries. If we mandated
the committed binaries to always be up to date, every version bump would
require rebuilding them. Instead, we only require updating them when any
Rust sources of the trampoline crate change, or the
"build:windows-trampoline" is set. This allows the trampolines to go
"stale", while still ensuring that the checked-in binaries are
always built from checked-in sources (security) and that updating the
trampoline sources comes with an update to the binaries.
## Summary
hyperfine complains if both `--min-runs` and `--runs` are passed so
`--min-runs` should be conditionally default.
## Test Plan
Manual testing.
Regenerate the script lock without leaked socket-firewall registry and
global exclude-newer state.
Co-authored-by: Codex <noreply@openai.com>
## Summary
This is a small nice-to-have: previously, to use `review` you'd need to
pass the run ID manually, since `apply-ci-snapshots.sh review` would
result in "review" being interpreted as the run ID.
## Test Plan
Dev only.
Signed-off-by: William Woodruff <william@astral.sh>
## Summary
Opportunistically use `podman` instead of `docker` when `docker` is not
available but `podman` is.
This required a few small compatibility adjustments to the `Dockerfile`.
## Test Plan
Manually tested locally...
Moves from a crates.io API key to trusted publishing.
Setup of trusted publishing is automated via a script which creates the
trust relationship and disables publish by API key. The main breakage
here is that now, when we add a new crate, a release will fail. The
script is invoked during `release.sh` to catch this case and supports
creating a stub crate so the release can subsequently succeed — but this
will require the release author to have a local crates.io API key with
permissions to create projects and configure publishing. I tested this
script a few times end-to-end, but would not be surprised if it bites us
in the future.
Applies a patch to use Python 3.6 compatible types in our vendored
`packaging` implementation used in the interpreter query script. Adds
Python 3.6 and 3.7 test coverage in CI.
Persists snapshots as artifacts on test failure in CI and adds a script
to apply them locally.
```
❯ ./scripts/apply-ci-snapshots.sh
Found pull request #18424 for branch 'zb/ci-snapshots'...
Found latest CI run 23022983761
Downloading pending snapshot artifacts...
Downloaded 3 artifacts
Applying 2 snapshot changes...
accepted:
crates/uv/tests/it/pip_install.rs:13679 (transitive_dependency_config_settings_invalidation-2)
crates/uv/tests/it/python_install.rs:1694 (python_install_default-5)
```
We infer the target run via the `gh` CLI. You may also provide the run
ID directly.
We'll merge snapshot artifacts from multiple platforms, so if there are
platform-specific failures on both Linux and Windows we'll apply both.
This ensures for example that the license files don't get silently
dropped. The idea is that the script has a "snapshot" of the wheel
contents, and that snapshot is updated when adding or removing files.
With these changes, we can safely remove the extraneous annotations from
#18055.
Closes #18055
Update available Python versions to include CPython 3.15.0a6
Update scripts used to sync pbs releases to account for recent changes
in the repo and to support running on macOS.
Fix #17524.
This adds a couple of new options to `scripts/check_system_python.py` to verify that it is running with the right interpreter version and that it would hopefully be the interpreter picked up by uv (although that isn't strictly necessary as other tests should fail in that case).
Additionally, since the path to the newly installed Chocolatey Python is not loaded from registry on every step, we now manually load it.
Beware, this will break `GITHUB_PATH` but this job wasn't using it at the moment.
Uses a nextest setup hook to sign the uv and test binaries before
running the tests. This allows you to grant permission to the test suite
_once_ when running native authentication tests on macOS. Otherwise, you
get prompted on every access on every binary change.