globus
diff --git a/‎.github/workflows/_test.yaml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/_test.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/build-python-package.jinja.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build-python-package.jinja.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/build-python-package.yaml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/build-python-package.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/create-pr.jinja.yaml‎
Lines changed: 39 additions & 9 deletions b/‎.github/workflows/create-pr.jinja.yaml‎
Lines changed: 39 additions & 9 deletions
diff --git a/‎.github/workflows/create-pr.yaml‎
Lines changed: 105 additions & 23 deletions b/‎.github/workflows/create-pr.yaml‎
Lines changed: 105 additions & 23 deletions
diff --git a/‎.github/workflows/create-tag-and-release.jinja.yaml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/create-tag-and-release.jinja.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/create-tag-and-release.yaml‎
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/create-tag-and-release.yaml‎
Lines changed: 5 additions & 4 deletions
@@ -15,6 +15,9 @@ on:
       - "main"
       - "releases"
 
+permissions:
+  contents: "read"
+
 jobs:
   test:
     name: "${{ matrix.name }}"
 
@@ -85,7 +85,7 @@ jobs:
 
       - name: "Upload the built packages"
         id: "upload-packages"
-        uses: "actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f" # v6.0.0
+        uses: "actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f" # v7.0.0
         with:
           name: "${{ env.ARTIFACT_NAME }}"
           path: "${{ env.PACKAGES_PATH }}"
 
@@ -18,11 +18,11 @@ on:
 
 env:
   PYTHON_VERSION: "3.13"
-  UV_VERSION: "0.10.6"
+  UV_VERSION: "0.11.2"
   ARTIFACT_NAME: "build-python-package-${{ github.run_id }}"
   PACKAGES_PATH: "./dist"
   BUILD_REQUIREMENTS: |
-    build==1.4.0 ; python_version == "3.13"
+    build==1.4.2 ; python_version == "3.13"
     colorama==0.4.6 ; python_version == "3.13" and os_name == "nt"
     packaging==26.0 ; python_version == "3.13"
     pyproject-hooks==1.2.0 ; python_version == "3.13"
@@ -74,7 +74,7 @@ jobs:
 
       - name: "Upload the built packages"
         id: "upload-packages"
-        uses: "actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f" # v6.0.0
+        uses: "actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f" # v7.0.0
         with:
           name: "${{ env.ARTIFACT_NAME }}"
           path: "${{ env.PACKAGES_PATH }}"
 
@@ -18,7 +18,8 @@ on:
         description: |
           The version to use when creating the release.
 
-          This must be a valid version specifier (see PEP 440),
+          This must be a valid version specifier
+          (see PEP 440 -- https://peps.python.org/pep-0440/),
           but the workflow itself doesn't currently validate the version.
 
           The version can be referenced in several configuration variables
@@ -151,6 +152,7 @@ jobs:
       - name: "Checkout the repository"
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
+          persist-credentials: "false"
           ref: "${{ fromJSON(inputs.config).branch-from || env.default-branch-from }}"
           fetch-depth: 0
 
@@ -201,14 +203,40 @@ jobs:
         run: |
           [[ include_file("create_commit_request_body.py") | indent(10) ]]
 
-      - name: "Push a new branch"
+      - name: "Compute versioned variables"
+        shell: "python"
         env:
           VERSION: "${{ inputs.version }}"
+          DEFAULT_BRANCH_NAME: "${{ env.default-branch-name }}"
+          BRANCH_NAME: "${{ fromJSON(inputs.config).branch-name }}"
+          DEFAULT_PR_TITLE: "${{ env.default-pr-title }}"
+          PR_TITLE: "${{ fromJSON(inputs.config).pr-title }}"
+        # Creates new environment variables:
+        #
+        # * COMPUTED_BRANCH_NAME
+        # * COMPUTED_PR_TITLE
+        #
+        run: |
+          [[ include_file("compute_versioned_variables.py") | indent(10) ]]
+
+      - name: "Push a new branch"
+        env:
           GH_TOKEN: "${{ github.token }}"
-          COMMIT_TITLE: "${{ fromJSON(inputs.config).commit-title || env.default-commit-title }}"
+          COMPUTED_BRANCH_NAME: "${{ env.COMPUTED_BRANCH_NAME }}"
         run: |
-          git push origin HEAD:"${{ fromJSON(inputs.config).branch-name || env.default-branch-name }}"
-          gh api graphql --input "${{ runner.temp }}/graphql-input.json"
+          # `gh api` is required because `git` has no permissions.
+
+          # Create the branch on the server.
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2026-03-10" \
+            "/repos/${GITHUB_REPOSITORY}/git/refs" \
+            --field "ref=refs/heads/${COMPUTED_BRANCH_NAME}" \
+            --field "sha=${GITHUB_SHA}"
+
+          # Push a new commit to the branch.
+          gh api graphql --input "${RUNNER_TEMP}/graphql-input.json"
 
       - name: "Generate the PR body"
         env:
@@ -247,12 +275,14 @@ jobs:
 
       - name: "Create a PR"
         env:
-          VERSION: "${{ inputs.version }}"
           GH_TOKEN: "${{ github.token }}"
+          COMPUTED_BRANCH_NAME: "${{ env.COMPUTED_BRANCH_NAME }}"
+          COMPUTED_PR_TITLE: "${{ env.COMPUTED_PR_TITLE }}"
+          PR_BASE: "${{ fromJSON(inputs.config).pr-base || env.default-pr-base }}"
         run: |
           gh pr create \
             --draft \
-            --head "${{ fromJSON(inputs.config).branch-name || env.default-branch-name }}" \
-            --base "${{ fromJSON(inputs.config).pr-base || env.default-pr-base }}" \
-            --title "${{ fromJSON(inputs.config).pr-title || env.default-pr-title }}" \
+            --head "${COMPUTED_BRANCH_NAME}" \
+            --base "${PR_BASE}" \
+            --title "${COMPUTED_PR_TITLE}" \
             --body-file "${RUNNER_TEMP}/pr-body.gfm"
@@ -20,7 +20,8 @@ on:
         description: |
           The version to use when creating the release.
 
-          This must be a valid version specifier (see PEP 440),
+          This must be a valid version specifier
+          (see PEP 440 -- https://peps.python.org/pep-0440/),
           but the workflow itself doesn't currently validate the version.
 
           The version can be referenced in several configuration variables
@@ -41,40 +42,41 @@ on:
 
 env:
   PYTHON_VERSION: "3.13"
-  UV_VERSION: "0.10.6"
+  UV_VERSION: "0.11.2"
   PANDOC_VERSION: "3.8.3"
   CHECK_JSONSCHEMA_REQUIREMENTS: |
-    attrs==25.4.0 ; python_version == "3.13"
+    attrs==26.1.0 ; python_version == "3.13"
     certifi==2026.2.25 ; python_version == "3.13"
-    charset-normalizer==3.4.4 ; python_version == "3.13"
-    check-jsonschema==0.36.2 ; python_version == "3.13"
+    charset-normalizer==3.4.6 ; python_version == "3.13"
+    check-jsonschema==0.37.1 ; python_version == "3.13"
     click==8.3.1 ; python_version == "3.13"
     colorama==0.4.6 ; python_version == "3.13" and platform_system == "Windows"
     idna==3.11 ; python_version == "3.13"
     jsonschema-specifications==2025.9.1 ; python_version == "3.13"
     jsonschema==4.26.0 ; python_version == "3.13"
     referencing==0.37.0 ; python_version == "3.13"
     regress==2025.10.1 ; python_version == "3.13"
-    requests==2.32.5 ; python_version == "3.13"
+    requests==2.33.0 ; python_version == "3.13"
     rpds-py==0.30.0 ; python_version == "3.13"
     ruamel-yaml==0.19.1 ; python_version == "3.13"
     urllib3==2.6.3 ; python_version == "3.13"
   TOX_REQUIREMENTS: |
-    cachetools==7.0.1 ; python_version == "3.13"
+    cachetools==7.0.5 ; python_version == "3.13"
     colorama==0.4.6 ; python_version == "3.13"
     distlib==0.4.0 ; python_version == "3.13"
-    filelock==3.24.3 ; python_version == "3.13"
+    filelock==3.25.2 ; python_version == "3.13"
     packaging==26.0 ; python_version == "3.13"
-    platformdirs==4.9.2 ; python_version == "3.13"
+    platformdirs==4.9.4 ; python_version == "3.13"
     pluggy==1.6.0 ; python_version == "3.13"
     pyproject-api==1.10.0 ; python_version == "3.13"
-    python-discovery==1.0.0 ; python_version == "3.13"
+    python-discovery==1.2.1 ; python_version == "3.13"
+    tomli-w==1.2.0 ; python_version == "3.13"
     tox-gh==1.7.1 ; python_version == "3.13"
-    tox-uv-bare==1.33.0 ; python_version == "3.13"
-    tox-uv==1.33.0 ; python_version == "3.13"
-    tox==4.46.3 ; python_version == "3.13"
-    uv==0.10.6 ; python_version == "3.13"
-    virtualenv==21.0.0 ; python_version == "3.13"
+    tox-uv-bare==1.33.4 ; python_version == "3.13"
+    tox-uv==1.33.4 ; python_version == "3.13"
+    tox==4.51.0 ; python_version == "3.13"
+    uv==0.11.2 ; python_version == "3.13"
+    virtualenv==21.2.0 ; python_version == "3.13"
 
   # These values are used when a config value is not specified.
   default-branch-from: "main"
@@ -241,6 +243,7 @@ jobs:
       - name: "Checkout the repository"
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
+          persist-credentials: "false"
           ref: "${{ fromJSON(inputs.config).branch-from || env.default-branch-from }}"
           fetch-depth: 0
 
@@ -400,14 +403,91 @@ jobs:
           if __name__ == "__main__":
               sys.exit(main())
 
-      - name: "Push a new branch"
+      - name: "Compute versioned variables"
+        shell: "python"
         env:
           VERSION: "${{ inputs.version }}"
+          DEFAULT_BRANCH_NAME: "${{ env.default-branch-name }}"
+          BRANCH_NAME: "${{ fromJSON(inputs.config).branch-name }}"
+          DEFAULT_PR_TITLE: "${{ env.default-pr-title }}"
+          PR_TITLE: "${{ fromJSON(inputs.config).pr-title }}"
+        # Creates new environment variables:
+        #
+        # * COMPUTED_BRANCH_NAME
+        # * COMPUTED_PR_TITLE
+        #
+        run: |
+          # This file is a part of the Globus GitHub Workflows project.
+          # https://github.com/globus/workflows
+          # Copyright 2021-2026 Globus <support@globus.org>
+          # Copyright 2024-2026 Kurt McKee <contactme@kurtmckee.org>
+          # SPDX-License-Identifier: MIT
+
+          import os
+          import sys
+
+          RC_SUCCESS = 0
+          RC_FAILURE = 1
+
+          mandatory_environment_variables = {
+              "BRANCH_NAME",
+              "DEFAULT_BRANCH_NAME",
+              "GITHUB_ENV",
+              "VERSION",
+          }
+
+
+          def main() -> int:
+              # Ensure mandatory environment variables are present.
+              if missing_keys := (mandatory_environment_variables - os.environ.keys()):
+                  for missing_key in missing_keys:
+                      print(f"`{missing_key}` is a mandatory environment variable.")
+                  return RC_FAILURE
+
+              # Branch name
+              branch_name = os.environ["BRANCH_NAME"]
+              if branch_name:
+                  version = os.environ["VERSION"]
+                  computed_branch_name = branch_name.replace("$VERSION", version)
+              else:
+                  computed_branch_name = os.environ["DEFAULT_BRANCH_NAME"]
+              with open(os.environ["GITHUB_ENV"], "a") as file:
+                  file.write(f"COMPUTED_BRANCH_NAME={computed_branch_name}\n")
+
+              # PR title
+              pr_title = os.environ["PR_TITLE"]
+              if pr_title:
+                  version = os.environ["VERSION"]
+                  computed_pr_title = pr_title.replace("$VERSION", version)
+              else:
+                  computed_pr_title = os.environ["DEFAULT_PR_TITLE"]
+              with open(os.environ["GITHUB_ENV"], "a") as file:
+                  file.write(f"COMPUTED_PR_TITLE={computed_pr_title}\n")
+
+              return RC_SUCCESS
+
+
+          if __name__ == "__main__":
+              sys.exit(main())
+
+      - name: "Push a new branch"
+        env:
           GH_TOKEN: "${{ github.token }}"
-          COMMIT_TITLE: "${{ fromJSON(inputs.config).commit-title || env.default-commit-title }}"
+          COMPUTED_BRANCH_NAME: "${{ env.COMPUTED_BRANCH_NAME }}"
         run: |
-          git push origin HEAD:"${{ fromJSON(inputs.config).branch-name || env.default-branch-name }}"
-          gh api graphql --input "${{ runner.temp }}/graphql-input.json"
+          # `gh api` is required because `git` has no permissions.
+
+          # Create the branch on the server.
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2026-03-10" \
+            "/repos/${GITHUB_REPOSITORY}/git/refs" \
+            --field "ref=refs/heads/${COMPUTED_BRANCH_NAME}" \
+            --field "sha=${GITHUB_SHA}"
+
+          # Push a new commit to the branch.
+          gh api graphql --input "${RUNNER_TEMP}/graphql-input.json"
 
       - name: "Generate the PR body"
         env:
@@ -446,12 +526,14 @@ jobs:
 
       - name: "Create a PR"
         env:
-          VERSION: "${{ inputs.version }}"
           GH_TOKEN: "${{ github.token }}"
+          COMPUTED_BRANCH_NAME: "${{ env.COMPUTED_BRANCH_NAME }}"
+          COMPUTED_PR_TITLE: "${{ env.COMPUTED_PR_TITLE }}"
+          PR_BASE: "${{ fromJSON(inputs.config).pr-base || env.default-pr-base }}"
         run: |
           gh pr create \
             --draft \
-            --head "${{ fromJSON(inputs.config).branch-name || env.default-branch-name }}" \
-            --base "${{ fromJSON(inputs.config).pr-base || env.default-pr-base }}" \
-            --title "${{ fromJSON(inputs.config).pr-title || env.default-pr-title }}" \
+            --head "${COMPUTED_BRANCH_NAME}" \
+            --base "${PR_BASE}" \
+            --title "${COMPUTED_PR_TITLE}" \
             --body-file "${RUNNER_TEMP}/pr-body.gfm"
@@ -174,6 +174,7 @@ jobs:
           )"
           export TAG_OBJECT_BODY
 
+          # Use `gh api` because `git` isn't configured with permissions.
           gh api \
             --method POST \
             -H "Accept: application/vnd.github+json" \
 
@@ -18,12 +18,12 @@ on:
 
 env:
   PYTHON_VERSION: "3.13"
-  UV_VERSION: "0.10.6"
+  UV_VERSION: "0.11.2"
   PANDOC_VERSION: "3.8.3"
   SCRIV_REQUIREMENTS: |
-    attrs==25.4.0 ; python_version == "3.13"
+    attrs==26.1.0 ; python_version == "3.13"
     certifi==2026.2.25 ; python_version == "3.13"
-    charset-normalizer==3.4.4 ; python_version == "3.13"
+    charset-normalizer==3.4.6 ; python_version == "3.13"
     click-log==0.4.0 ; python_version == "3.13"
     click==8.3.1 ; python_version == "3.13"
     colorama==0.4.6 ; python_version == "3.13" and platform_system == "Windows"
@@ -32,7 +32,7 @@ env:
     markdown-it-py==4.0.0 ; python_version == "3.13"
     markupsafe==3.0.3 ; python_version == "3.13"
     mdurl==0.1.2 ; python_version == "3.13"
-    requests==2.32.5 ; python_version == "3.13"
+    requests==2.33.0 ; python_version == "3.13"
     scriv==1.8.0 ; python_version == "3.13"
     urllib3==2.6.3 ; python_version == "3.13"
 
@@ -297,6 +297,7 @@ jobs:
           )"
           export TAG_OBJECT_BODY
 
+          # Use `gh api` because `git` isn't configured with permissions.
           gh api \
             --method POST \
             -H "Accept: application/vnd.github+json" \