Use UV #209

jqtrde · 2025-12-23T18:11:01Z

No description provided.

We'll do this a little differently soon.

Rasterio wheels don't exist for the full matrix yet.

jqtrde · 2025-12-23T19:26:42Z

Let's land this after #207.

.github/workflows/release.yaml

+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          python-version: "3.10"
+
+      - name: Build package
+        run: uv build
+
+      - name: Set up a fresh environment and run tests
+        run: |
+          uv venv
+          uv pip install dist/*.tar.gz
+          uv pip install dist/*.whl
+          uv pip install pytest
+          uv run pytest
+
+  release:


In general, to fix this issue you must explicitly declare a permissions block either at the workflow root (applies to all jobs) or per job, and grant only the minimal privileges required. When a workflow only checks out code and runs builds/tests and external deployments, the minimal permissions for GITHUB_TOKEN are typically contents: read.

For this specific workflow in .github/workflows/release.yaml, none of the steps perform repository writes or use GitHub APIs that require more than read access. The safest and simplest fix is to add a top‑level permissions: block after the name: (or before jobs:) specifying contents: read. This will apply to both release-test and release jobs, since neither defines its own permissions. No other behavior will change: actions/checkout@v4 works with contents: read, and the PyPI upload uses a separate secret, unaffected by GITHUB_TOKEN permissions.

Concretely:

Edit .github/workflows/release.yaml.

Insert:

permissions: contents: read

between the name: release line and the on: block.
No imports, methods, or additional definitions are needed; this is purely a YAML configuration change.

.github/workflows/release.yaml

+    runs-on: ubuntu-22.04
+    needs: release-test
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          python-version: "3.10"
+
+      - name: Compare tags
+        run: |
+          PKG_VERSION=`grep '__version__' mapbox_tilesets/__init__.py | sed -E "s/^.*['\"](.*)['\"].*$/\1/"`
+          echo "Checking that package version [v$PKG_VERSION] matches release tag [${{ github.ref_name }}]"
+          [ "${{ github.ref_type }}" = "tag" ] && [ "${{ github.ref_name }}" = "v$PKG_VERSION" ]
+
+      - name: Build package
+        run: uv build
+
+      - name: Install Twine
+        run: |
+          uv venv
+          uv pip install twine
+
+      - name: Validate deployment
+        run: uv run twine check dist/*
+
+      - name: Run deployment
+        run: uv run twine upload dist/* -r pypi -u __token__ -p ${{ secrets.PYPI_PASSWORD }}


In general, the fix is to explicitly declare permissions for the workflow or for individual jobs so that the GITHUB_TOKEN has only the minimal rights needed. Since this workflow does not modify repository contents, issues, or pull requests, it can safely limit contents to read and leave all other scopes at their default of none.

The best, least-intrusive fix is to add a workflow-level permissions block near the top of .github/workflows/release.yaml, so it applies to both release-test and release jobs. Specifically, after the name: release line and before the on: trigger configuration, add:

permissions: contents: read

No other steps, secrets, or environment variables rely on elevated GITHUB_TOKEN permissions, so this change will not break existing functionality. No imports, methods, or additional definitions are required because this is purely a YAML configuration change within the workflow file.

jqtrde added 20 commits November 19, 2025 21:47

Replace setup.py with pyproject.toml

a17d0a4

Pull version from pyproject.toml

6280f29

Increment version

0b94146

Bump minimum version to 3.10

436f33f

Refresh CI harness

ff2418e

Drop pyright

5c72539

Remove version test

7f7d362

We'll do this a little differently soon.

Ensure that TilesetNameError is wired up appropriately

a50add1

Pare down build matrix

9e8d3eb

Rasterio wheels don't exist for the full matrix yet.

Simplify CI matrix

a573221

Keep black around for a bit longer

227b6c7

Adjust versioning mechanics

7fd9402

Update README

7425a8a

Make package explicit

f2b5ffc

Add missing module

a22b2bf

Major version bump to 2.0.0

98a166e

Bump changelog

9ab942c

Replace black with ruff

a0e7ce0

Simplify CONTRIBUTING.md

0f0b307

ruff format'n

08df64d

jqtrde force-pushed the jqtrde/ruff branch from 22070dc to 08df64d Compare December 23, 2025 19:22

jqtrde added 4 commits December 23, 2025 14:23

Bump changelog

0d62c35

Move to UV, adjust docs

f9512b6

Use uv in Github actions

2e636d4

Add uv.lock

24721ad

jqtrde force-pushed the jqtrde/uv branch from 80109c3 to 24721ad Compare December 23, 2025 19:26

jqtrde changed the base branch from jqtrde/ruff to master December 23, 2025 19:26

Update uv.lock

369ccd4

github-advanced-security bot found potential problems Dec 23, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Use UV #209

Use UV #209

Uh oh!

jqtrde commented Dec 23, 2025

Uh oh!

jqtrde commented Dec 23, 2025

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

@@ -1,5 +1,8 @@
             name: release
+            permissions:
+              contents: read
             on:
               push:
                 tags:

Use UV #209

Are you sure you want to change the base?

Use UV #209

Uh oh!

Conversation

jqtrde commented Dec 23, 2025

Uh oh!

jqtrde commented Dec 23, 2025

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant