ci: make pyproject.toml the canonical release version source

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

.github/PULL_REQUEST_TEMPLATE.md

@@ -21,9 +21,9 @@
 
 <!-- Only fill this out if this PR is cutting a new release (e.g. v2.1.0). -->
 
+- [ ] `pyproject.toml` `version:` field updated to new version
+- [ ] `python3 scripts/sync_release_version.py --write` run after updating `pyproject.toml`
 - [ ] `socket_basics/version.py` updated to new version
-- [ ] `pyproject.toml` `version:` field updated to match
-- [ ] `action.yml` `image:` ref updated to `docker://ghcr.io/socketdev/socket-basics:<new-version>` *(auto-updated by `publish-docker.yml`
+- [ ] `socket_basics/__init__.py` updated to the same version
+- [ ] `action.yml` `image:` ref updated to `docker://ghcr.io/socketdev/socket-basics:<new-version>`
 - [ ] `CHANGELOG.md` `[Unreleased]` section reviewed
-
-> See [docs/releasing.md](../docs/releasing.md) for the full release process.

.github/workflows/dependabot-review.yml

@@ -0,0 +1,104 @@
+name: dependabot-review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: dependabot-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  inspect:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    outputs:
+      root_docker_changed: ${{ steps.diff.outputs.root_docker_changed }}
+      app_tests_docker_changed: ${{ steps.diff.outputs.app_tests_docker_changed }}
+      workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Inspect changed files
+        id: diff
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")"
+
+          echo "Changed files:" >> "$GITHUB_STEP_SUMMARY"
+          echo '```' >> "$GITHUB_STEP_SUMMARY"
+          printf '%s\n' "$CHANGED_FILES" >> "$GITHUB_STEP_SUMMARY"
+          echo '```' >> "$GITHUB_STEP_SUMMARY"
+
+          has_file() {
+            local pattern="$1"
+            if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then
+              echo "true"
+            else
+              echo "false"
+            fi
+          }
+
+          echo "root_docker_changed=$(has_file '^Dockerfile$')" >> "$GITHUB_OUTPUT"
+          echo "app_tests_docker_changed=$(has_file '^app_tests/Dockerfile$')" >> "$GITHUB_OUTPUT"
+          echo "workflow_or_action_changed=$(has_file '^\\.github/workflows/|^action\\.yml$|^\\.github/dependabot\\.yml$')" >> "$GITHUB_OUTPUT"
+
+      - name: Summarize review expectations
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          {
+            echo "## Dependabot Review Checklist"
+            echo "- PR: $PR_URL"
+            echo "- Confirm upstream release notes before merge"
+            echo "- Confirm Docker/toolchain changes match the files in this PR"
+            echo "- Do not treat a Dependabot PR as trusted solely because of the actor"
+            echo "- This workflow runs in pull_request context only; no publish secrets are exposed"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+  docker-smoke-main:
+    needs: inspect
+    if: github.actor == 'dependabot[bot]' && needs.inspect.outputs.root_docker_changed == 'true'
+    uses: ./.github/workflows/_docker-pipeline.yml
+    permissions:
+      contents: read
+    with:
+      name: socket-basics
+      dockerfile: Dockerfile
+      context: .
+      check_set: main
+      push: false
+
+  docker-smoke-app-tests:
+    needs: inspect
+    if: github.actor == 'dependabot[bot]' && needs.inspect.outputs.app_tests_docker_changed == 'true'
+    uses: ./.github/workflows/_docker-pipeline.yml
+    permissions:
+      contents: read
+    with:
+      name: socket-basics-app-tests
+      dockerfile: app_tests/Dockerfile
+      context: .
+      check_set: app-tests
+      push: false
+
+  workflow-notice:
+    needs: inspect
+    if: github.actor == 'dependabot[bot]' && needs.inspect.outputs.workflow_or_action_changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Flag workflow-sensitive updates
+        run: |
+          {
+            echo "## Sensitive File Notice"
+            echo "This Dependabot PR changes workflow or action metadata files."
+            echo "Require explicit human review before merge."
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/publish-docker.yml

@@ -129,25 +129,13 @@ jobs:
             --version "$VERSION" \
             --date "$DATE"
 
-      - name: 🔀 Commit CHANGELOG + action.yml back to main
+      - name: 🔀 Commit CHANGELOG back to main
         env:
           BOT_TOKEN: ${{ steps.bot.outputs.token }}
-          REF_NAME: ${{ github.ref_name }}
         run: |
           git config user.name "socket-release-bot[bot]"
           git config user.email "socket-release-bot[bot]@users.noreply.github.com"
           git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/SocketDev/socket-basics.git"
-
-          # Auto-update action.yml image ref to the new version.
-          # No-op if action.yml still uses `image: "Dockerfile"` (handles the
-          # chicken-and-egg on the initial v2.0.0 release).
-          if grep -q 'docker://ghcr.io/socketdev/socket-basics:' action.yml; then
-            sed -i "s|docker://ghcr.io/socketdev/socket-basics:[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*|docker://ghcr.io/socketdev/socket-basics:${VERSION}|" action.yml
-            echo "Updated action.yml image ref to ${VERSION}"
-          else
-            echo "action.yml not yet using pre-built image — skipping version update"
-          fi
-
-          git add CHANGELOG.md action.yml
-          git diff --cached --quiet || git commit -m "chore: release ${REF_NAME} — update CHANGELOG and action.yml [skip ci]"
+          git add CHANGELOG.md
+          git diff --cached --quiet || git commit -m "chore: release ${github.ref_name} — update CHANGELOG [skip ci]"
           git push origin HEAD:main

.github/workflows/python-tests.yml

@@ -45,34 +45,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -e ".[dev]"
-      - name: 🔒 Assert version files in sync
-        run: |
-          V_PY=$(python -c "from socket_basics.version import __version__; print(__version__)")
-          V_TOML=$(python -c "import tomllib; print(tomllib.loads(open('pyproject.toml').read())['project']['version'])")
-          [ "$V_PY" = "$V_TOML" ] || (echo "Version mismatch: version.py=$V_PY pyproject.toml=$V_TOML" && exit 1)
-          echo "Version in sync: $V_PY"
-
-      - name: 🔒 Assert action.yml image ref matches version (once switched to pre-built)
-        run: |
-          python3 - <<'EOF'
-          import re, sys, tomllib
-          from pathlib import Path
-
-          action = Path("action.yml").read_text()
-          version = tomllib.loads(Path("pyproject.toml").read_text())["project"]["version"]
-
-          match = re.search(r'image:\s*["\']docker://[^:]+:([^"\']+)["\']', action)
-          if not match:
-              print(f"SKIP: action.yml still uses Dockerfile — check will activate once switched to pre-built image")
-              sys.exit(0)
-
-          action_version = match.group(1)
-          if action_version != version:
-              print(f"FAIL: action.yml refs {action_version} but version is {version}")
-              print(f"      Update action.yml image ref to docker://ghcr.io/socketdev/socket-basics:{version}")
-              sys.exit(1)
-
-          print(f"OK: action.yml image ref matches version {version}")
-          EOF
+      - name: 🔒 Assert release version metadata is in sync
+        run: python3 scripts/sync_release_version.py --check
       - name: 🧪 Run tests
         run: pytest -q tests/

docs/releasing.md

@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+"""Sync release version metadata from pyproject.toml.
+
+This script treats pyproject.toml as the canonical source of truth and keeps
+the duplicated version fields in sync.
+"""
+
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+import tomllib
+from pathlib import Path
+
+
+REPO_ROOT = Path(__file__).resolve().parent.parent
+PYPROJECT_PATH = REPO_ROOT / "pyproject.toml"
+VERSION_PY_PATH = REPO_ROOT / "socket_basics" / "version.py"
+INIT_PY_PATH = REPO_ROOT / "socket_basics" / "__init__.py"
+ACTION_YML_PATH = REPO_ROOT / "action.yml"
+
+
+def read_canonical_version() -> str:
+    data = tomllib.loads(PYPROJECT_PATH.read_text())
+    return data["project"]["version"]
+
+
+def replace_first(pattern: str, replacement: str, content: str, path: Path) -> str:
+    updated, count = re.subn(pattern, replacement, content, count=1, flags=re.MULTILINE)
+    if count != 1:
+        raise ValueError(f"Could not update expected version field in {path}")
+    return updated
+
+
+def build_expected_files(version: str) -> dict[Path, str]:
+    expected: dict[Path, str] = {}
+
+    version_py = VERSION_PY_PATH.read_text()
+    expected[VERSION_PY_PATH] = replace_first(
+        r'^__version__ = "[^"]+"$',
+        f'__version__ = "{version}"',
+        version_py,
+        VERSION_PY_PATH,
+    )
+
+    init_py = INIT_PY_PATH.read_text()
+    expected[INIT_PY_PATH] = replace_first(
+        r'^__version__ = "[^"]+"$',
+        f'__version__ = "{version}"',
+        init_py,
+        INIT_PY_PATH,
+    )
+
+    action_yml = ACTION_YML_PATH.read_text()
+    expected[ACTION_YML_PATH] = replace_first(
+        r'^(  image: "docker://ghcr\.io/socketdev/socket-basics:)[^"]+(")$',
+        rf'\g<1>{version}\2',
+        action_yml,
+        ACTION_YML_PATH,
+    )
+
+    return expected
+
+
+def check_files(expected: dict[Path, str]) -> list[str]:
+    mismatches: list[str] = []
+    for path, rendered in expected.items():
+        current = path.read_text()
+        if current != rendered:
+            mismatches.append(str(path.relative_to(REPO_ROOT)))
+    return mismatches
+
+
+def write_files(expected: dict[Path, str]) -> None:
+    for path, rendered in expected.items():
+        path.write_text(rendered)
+
+
+def parse_args() -> argparse.Namespace:
+    parser = argparse.ArgumentParser(
+        description="Sync socket-basics version metadata from pyproject.toml"
+    )
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument(
+        "--check",
+        action="store_true",
+        help="Fail if any derived version files differ from pyproject.toml",
+    )
+    group.add_argument(
+        "--write",
+        action="store_true",
+        help="Rewrite derived version files to match pyproject.toml",
+    )
+    return parser.parse_args()
+
+
+def main() -> int:
+    args = parse_args()
+    version = read_canonical_version()
+    expected = build_expected_files(version)
+
+    if args.write:
+        write_files(expected)
+        print(f"Synchronized release version metadata to {version}")
+        return 0
+
+    mismatches = check_files(expected)
+    if mismatches:
+        print(f"Release version metadata is out of sync with pyproject.toml ({version}):")
+        for mismatch in mismatches:
+            print(f" - {mismatch}")
+        print("Run: python3 scripts/sync_release_version.py --write")
+        return 1
+
+    print(f"Release version metadata is in sync: {version}")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())