## ℹ️ Description
- Link to the related issue(s): N/A
- Add a CI guard that fails when generated artifacts are out of sync,
motivated by preventing missing schema updates and keeping generated
reference files current.
- Add a committed `docs/config.default.yaml` as a user-facing default
configuration reference.
## 📋 Changes Summary
- Add `scripts/check_generated_artifacts.py` to regenerate schema
artifacts and compare tracked outputs (`schemas/*.json` and
`docs/config.default.yaml`) against generated content.
- Run the new artifact consistency check in CI via
`.github/workflows/build.yml`.
- Add `pdm run generate-config` and `pdm run generate-artifacts` tasks,
with a cross-platform-safe delete in `generate-config`.
- Add generated `docs/config.default.yaml` and document it in
`docs/CONFIGURATION.md`.
- Update `schemas/config.schema.json` with the
`diagnostics.timing_collection` property generated from the model.
### ⚙️ Type of Change
Select the type(s) of change(s) included in this pull request:
- [ ] 🐞 Bug fix (non-breaking change which fixes an issue)
- [x] ✨ New feature (adds new functionality without breaking existing
usage)
- [ ] 💥 Breaking change (changes that might break existing user setups,
scripts, or configurations)
## ✅ Checklist
Before requesting a review, confirm the following:
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [x] I have tested my changes and ensured that all tests pass (`pdm run
test`).
- [x] I have formatted the code (`pdm run format`).
- [x] I have verified that linting passes (`pdm run lint`).
- [x] I have updated documentation where necessary.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a reference link to the default configuration snapshot for
easier access to baseline settings.
* **Chores**
* Added a CI build-time check that validates generated schemas and the
default config and alerts when regeneration is needed.
* Added scripts to generate the default config and to sequence artifact
generation.
* Added a utility to produce standardized schema content and compare
generated artifacts.
* Minor tweak to schema generation success messaging.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Bumps the all-actions group with 2 updates:
[vegardit/fast-apt-mirror.sh](https://github.com/vegardit/fast-apt-mirror.sh)
and [github/codeql-action](https://github.com/github/codeql-action).
Updates `vegardit/fast-apt-mirror.sh` from 1.4.1 to 1.4.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vegardit/fast-apt-mirror.sh/releases">vegardit/fast-apt-mirror.sh's
releases</a>.</em></p>
<blockquote>
<h2>1.4.2</h2>
<h2>What's Changed</h2>
<h3>Fixed</h3>
<ul>
<li>prevent Ubuntu ARM switching to non-ubuntu-ports mirrors</li>
<li>prevent invalid fastest mirror selection with ignore-sync-state</li>
<li>avoid pipefail/ERR-trap corrupting fastest mirror detection</li>
<li>Option --exclude-current not working reliably and support ARM</li>
<li>Multiple /etc/*-release files can cause wrong distro detection <a
href="https://redirect.github.com/vegardit/fast-apt-mirror.sh/issues/12">#12</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/vegardit/fast-apt-mirror.sh/compare/1.4.1...1.4.2">https://github.com/vegardit/fast-apt-mirror.sh/compare/1.4.1...1.4.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="29a5ef3401"><code>29a5ef3</code></a>
fix(find): prevent Ubuntu ARM switching to non-ubuntu-ports mirrors</li>
<li><a
href="f3f6ac867d"><code>f3f6ac8</code></a>
fix(find): keep Ubuntu ARM mirror candidates on ubuntu-ports</li>
<li><a
href="77bc0f4f48"><code>77bc0f4</code></a>
fix(find): harden sync baseline and fallback to reachable mirrors</li>
<li><a
href="e4cfe62e1a"><code>e4cfe62</code></a>
fix(find): use InRelease for Ubuntu ARM healthchecks</li>
<li><a
href="85bc4a4115"><code>85bc4a4</code></a>
fix(action): simplify fast-apt-mirror.sh setup</li>
<li><a
href="61f5fd911b"><code>61f5fd9</code></a>
fix(find): avoid pipefail/ERR-trap corrupting fastest mirror
detection</li>
<li><a
href="7ee8df396d"><code>7ee8df3</code></a>
fix: dedup mirror URLs</li>
<li><a
href="3b80eadc89"><code>3b80ead</code></a>
fix: refine mirror health checks and exclude 404 mirrors</li>
<li><a
href="39824222f5"><code>3982422</code></a>
fix: prevent invalid fastest mirror selection with
ignore-sync-state</li>
<li><a
href="4c4ae91025"><code>4c4ae91</code></a>
ci(deps): bump actions/checkout from 4 to 6</li>
<li>Additional commits viewable in <a
href="e5288ed7a1...29a5ef3401">compare
view</a></li>
</ul>
</details>
<br />
Updates `github/codeql-action` from 4.31.11 to 4.32.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.32.2</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li>
</ul>
<h2>v4.32.1</h2>
<ul>
<li>A warning is now shown in Default Setup workflow logs if a <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registry is configured</a> using a GitHub Personal Access Token
(PAT), but no username is configured. <a
href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li>
<li>Fixed a bug which caused the CodeQL Action to fail when repository
properties cannot successfully be retrieved. <a
href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li>
</ul>
<h2>v4.32.0</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.32.2 - 05 Feb 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li>
</ul>
<h2>4.32.1 - 02 Feb 2026</h2>
<ul>
<li>A warning is now shown in Default Setup workflow logs if a <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registry is configured</a> using a GitHub Personal Access Token
(PAT), but no username is configured. <a
href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li>
<li>Fixed a bug which caused the CodeQL Action to fail when repository
properties cannot successfully be retrieved. <a
href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li>
</ul>
<h2>4.32.0 - 26 Jan 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li>
</ul>
<h2>4.31.11 - 23 Jan 2026</h2>
<ul>
<li>When running a Default Setup workflow with <a
href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions
debugging enabled</a>, the CodeQL Action will now use more unique names
when uploading logs from the Dependabot authentication proxy as workflow
artifacts. This ensures that the artifact names do not clash between
multiple jobs in a build matrix. <a
href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li>
<li>Improved error handling throughout the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li>
<li>Added experimental support for automatically excluding <a
href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated
files</a> from the analysis. This feature is not currently enabled for
any analysis. In the future, it may be enabled by default for some
GitHub-managed analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li>
<li>The changelog extracts that are included with releases of the CodeQL
Action are now shorter to avoid duplicated information from appearing in
Dependabot PRs. <a
href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li>
</ul>
<h2>4.31.10 - 12 Jan 2026</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.9. <a
href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li>
</ul>
<h2>4.31.9 - 16 Dec 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.8 - 11 Dec 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.8. <a
href="https://redirect.github.com/github/codeql-action/pull/3354">#3354</a></li>
</ul>
<h2>4.31.7 - 05 Dec 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.7. <a
href="https://redirect.github.com/github/codeql-action/pull/3343">#3343</a></li>
</ul>
<h2>4.31.6 - 01 Dec 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.5 - 24 Nov 2025</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="45cbd0c69e"><code>45cbd0c</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3461">#3461</a>
from github/update-v4.32.2-7aee93297</li>
<li><a
href="cb528be87e"><code>cb528be</code></a>
Update changelog for v4.32.2</li>
<li><a
href="7aee932974"><code>7aee932</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3460">#3460</a>
from github/update-bundle/codeql-bundle-v2.24.1</li>
<li><a
href="b5f028a984"><code>b5f028a</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3457">#3457</a>
from github/dependabot/npm_and_yarn/npm-minor-4c1fc3...</li>
<li><a
href="9702c27ab9"><code>9702c27</code></a>
Merge branch 'main' into
dependabot/npm_and_yarn/npm-minor-4c1fc3d0aa</li>
<li><a
href="c36c94846f"><code>c36c948</code></a>
Add changelog note</li>
<li><a
href="3d0331896c"><code>3d03318</code></a>
Update default bundle to codeql-bundle-v2.24.1</li>
<li><a
href="77591e2c4a"><code>77591e2</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3459">#3459</a>
from github/copilot/fix-github-actions-workflow-again</li>
<li><a
href="7a44a9db3f"><code>7a44a9d</code></a>
Fix Rebuild Action workflow by adding --no-edit flag to git merge
--continue</li>
<li><a
href="e2ac371513"><code>e2ac371</code></a>
Initial plan</li>
<li>Additional commits viewable in <a
href="19b2f06db2...45cbd0c69e">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## ℹ️ Description
This PR enables manual triggering of the build workflow from any PR
branch to generate platform-specific executables (Windows .exe, macOS,
Linux binaries).
**Motivation:** Windows users often need pre-built executables to test
PRs without setting up a development environment. Currently, binaries
are only generated for `main` and `release` branches. This change allows
maintainers to manually trigger artifact generation for any PR when
needed for testing.
## 📋 Changes Summary
- Modified `.github/workflows/build.yml` artifact upload condition to
include `workflow_dispatch` event
- The `workflow_dispatch` trigger already existed but was gated at the
artifact upload step
- All 8 platform/Python version matrix combinations now produce
artifacts when manually triggered
- The `publish-release` job remains unchanged and only runs for
`main`/`release` branches
**How to use:** Go to Actions → "Build" workflow → "Run workflow" →
select the PR branch
### ⚙️ Type of Change
- [x] ✨ New feature (adds new functionality without breaking existing
usage)
## ✅ Checklist
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [x] I have tested my changes and ensured that all tests pass.
- [x] I have verified that linting passes.
- [x] I have updated documentation where necessary.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated build workflow to support manual deployment triggers.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Bumps the all-actions group with 1 update:
[github/codeql-action](https://github.com/github/codeql-action).
Updates `github/codeql-action` from 4.31.9 to 4.31.10
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.31.10</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>4.31.10 - 12 Jan 2026</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.9. <a
href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v4.31.10/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.31.10 - 12 Jan 2026</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.9. <a
href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li>
</ul>
<h2>4.31.9 - 16 Dec 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.8 - 11 Dec 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.8. <a
href="https://redirect.github.com/github/codeql-action/pull/3354">#3354</a></li>
</ul>
<h2>4.31.7 - 05 Dec 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.7. <a
href="https://redirect.github.com/github/codeql-action/pull/3343">#3343</a></li>
</ul>
<h2>4.31.6 - 01 Dec 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.5 - 24 Nov 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.6. <a
href="https://redirect.github.com/github/codeql-action/pull/3321">#3321</a></li>
</ul>
<h2>4.31.4 - 18 Nov 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.3 - 13 Nov 2025</h2>
<ul>
<li>CodeQL Action v3 will be deprecated in December 2026. The Action now
logs a warning for customers who are running v3 but could be running v4.
For more information, see <a
href="https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/">Upcoming
deprecation of CodeQL Action v3</a>.</li>
<li>Update default CodeQL bundle version to 2.23.5. <a
href="https://redirect.github.com/github/codeql-action/pull/3288">#3288</a></li>
</ul>
<h2>4.31.2 - 30 Oct 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.1 - 30 Oct 2025</h2>
<ul>
<li>The <code>add-snippets</code> input has been removed from the
<code>analyze</code> action. This input has been deprecated since CodeQL
Action 3.26.4 in August 2024 when this removal was announced.</li>
</ul>
<h2>4.31.0 - 24 Oct 2025</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cdefb33c0f"><code>cdefb33</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3394">#3394</a>
from github/update-v4.31.10-0fa411efd</li>
<li><a
href="cfa77c6b13"><code>cfa77c6</code></a>
Update changelog for v4.31.10</li>
<li><a
href="0fa411efd0"><code>0fa411e</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3393">#3393</a>
from github/update-bundle/codeql-bundle-v2.23.9</li>
<li><a
href="c284324212"><code>c284324</code></a>
Add changelog note</li>
<li><a
href="83e7d0046c"><code>83e7d00</code></a>
Update default bundle to codeql-bundle-v2.23.9</li>
<li><a
href="f6a16bef8e"><code>f6a16be</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3391">#3391</a>
from github/dependabot/npm_and_yarn/npm-minor-f1cdf5...</li>
<li><a
href="c1f5f1a8b5"><code>c1f5f1a</code></a>
Rebuild</li>
<li><a
href="1805d8d0a4"><code>1805d8d</code></a>
Bump the npm-minor group with 2 updates</li>
<li><a
href="b2951d2a1e"><code>b2951d2</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3353">#3353</a>
from github/kaspersv/bump-min-cli-v-for-overlay</li>
<li><a
href="41448d92b9"><code>41448d9</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3287">#3287</a>
from github/henrymercer/generate-mergeback-last</li>
<li>Additional commits viewable in <a
href="5d4e8d1aca...cdefb33c0f">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## ℹ️ Description
*Provide a concise summary of the changes introduced in this pull
request.*
- Link to the related issue(s): N/A
- Describe the motivation and context for this change.
- Fix empty release notes when using moving `latest`/`preview` tags
without creating temp tags.
- Avoid GitHub App permission errors when pushing tags on
workflow-modifying commits.
## 📋 Changes Summary
- Use a fake `tag_name` and anchor `previous_tag_name` to the moving
release tag for generate-notes.
- Add log output showing the refs used for note generation.
- Keep removal of the “Full Changelog” line to avoid broken compare
links.
### ⚙️ Type of Change
Select the type(s) of change(s) included in this pull request:
- [x] 🐞 Bug fix (non-breaking change which fixes an issue)
## ✅ Checklist
Before requesting a review, confirm the following:
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [x] I have updated documentation where necessary.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
## ℹ️ Description
*Provide a concise summary of the changes introduced in this pull
request.*
- Link to the related issue(s): N/A
- Describe the motivation and context for this change.
- Fix empty release notes when using moving `latest`/`preview` tags by
diffing two short‑lived tags.
- Remove the generated “Full Changelog” link because temporary tags are
deleted after notes generation.
## 📋 Changes Summary
- Generate release notes using a temp prev tag and a temp head tag to
ensure old → new comparisons.
- Clean up temp tags after notes generation to keep tags tidy.
- Strip the “Full Changelog” line to avoid broken compare links.
### ⚙️ Type of Change
Select the type(s) of change(s) included in this pull request:
- [x] 🐞 Bug fix (non-breaking change which fixes an issue)
- [ ] ✨ New feature (adds new functionality without breaking existing
usage)
- [ ] 💥 Breaking change (changes that might break existing user setups,
scripts, or configurations)
## ✅ Checklist
Before requesting a review, confirm the following:
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [ ] I have tested my changes and ensured that all tests pass (`pdm run
test`).
- [ ] I have formatted the code (`pdm run format`).
- [ ] I have verified that linting passes (`pdm run lint`).
- [x] I have updated documentation where necessary.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
## ℹ️ Description
This PR resolves all open CodeQL security warnings by implementing
recommended security best practices for GitHub Actions workflows and
addressing code analysis findings.
**Related**: Resolves CodeQL alerts 37-53
**Motivation**: CodeQL identified 17 security warnings across our
workflows and Python code. These warnings highlight potential supply
chain security risks (unpinned actions), missing security boundaries
(workflow permissions), and false positives that needed proper
documentation.
## 📋 Changes Summary
### Security Hardening
- **Pinned all GitHub Actions to commit SHAs** (26 action references
across 5 workflows)
- Added version comments for maintainability (e.g., `@8e8c483... #
v6.0.0`)
- Dependabot will now auto-update these pinned SHAs securely
### Workflow Permissions
- Added explicit `permissions` block to `update-python-deps.yml`
workflow
- Added explicit `permissions: contents: read` to `publish-coverage` job
in `build.yml`
- Follows principle of least privilege
### Dependabot Configuration
- Enhanced `.github/dependabot.yml` with action update grouping (single
PR instead of multiple)
- Added `rebase-strategy: auto` for automatic conflict resolution
### Code Quality
- Added CodeQL suppression with detailed explanation in
`src/kleinanzeigen_bot/utils/reflect.py`
- Documented why explicit `del stack` is necessary for frame cleanup
(prevents false positive)
### ⚙️ Type of Change
- [x] 🐞 Bug fix (non-breaking change which fixes an issue)
- [ ] ✨ New feature (adds new functionality without breaking existing
usage)
- [ ] 💥 Breaking change (changes that might break existing user setups,
scripts, or configurations)
## ✅ Checklist
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [x] I have tested my changes and ensured that all tests pass (`pdm run
test`).
- [x] I have formatted the code (`pdm run format`).
- [x] I have verified that linting passes (`pdm run lint`).
- [x] I have updated documentation where necessary.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* CI workflows: pinned external actions to specific commits for
reproducible runs and added explicit permission scopes where required.
* Dependabot: grouped GitHub Actions updates into a single consolidated
group for unified updates and auto-rebasing.
* **Documentation**
* Expanded internal comments clarifying cleanup logic to reduce
potential reference-cycle concerns.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## ℹ️ Description
Currently, release changelogs only show the last commit message, which
doesn't provide sufficient visibility into all changes included in a
release. This PR improves the release workflow to use GitHub's
auto-generated release notes, providing a comprehensive changelog of all
commits and PRs since the previous release.
- Addresses the issue of insufficient release changelog detail
- Improves transparency for users reviewing what changed in each release
## 📋 Changes Summary
- Added `--generate-notes` flag to `gh release create` command in
`.github/workflows/build.yml`
- Renamed `COMMIT_MSG` environment variable to `LEGAL_NOTICE` for better
clarity
- Legal disclaimers now append after the auto-generated changelog
instead of replacing it
- The auto-generated notes will include:
- All commits since the last release
- All merged PRs since the last release
- Contributor attribution
- Automatic categorization (New Contributors, Full Changelog, etc.)
### ⚙️ Type of Change
Select the type(s) of change(s) included in this pull request:
- [ ] 🐞 Bug fix (non-breaking change which fixes an issue)
- [x] ✨ New feature (adds new functionality without breaking existing
usage)
- [ ] 💥 Breaking change (changes that might break existing user setups,
scripts, or configurations)
## ✅ Checklist
Before requesting a review, confirm the following:
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [x] I have tested my changes and ensured that all tests pass (`pdm run
test`).
- [x] I have formatted the code (`pdm run format`).
- [x] I have verified that linting passes (`pdm run lint`).
- [x] I have updated documentation where necessary.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Release process updated to embed a bilingual (English/German) legal
notice directly into generated release notes.
* Release creation now auto-generates notes using that legal notice so
published releases consistently include the legal text.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## ℹ️ Description
*Provide a concise summary of the changes introduced in this pull
request.*
- Link to the related issue(s): Issue #
- Describe the motivation and context for this change.
Refactors the test harness for faster and more reliable feedback: adds
deterministic time freezing for update checks, accelerates and refactors
smoke tests to run in-process, defaults pytest to xdist with durations
tracking, and adjusts CI triggers so PRs run the test matrix only once.
## 📋 Changes Summary
- add pytest-xdist + durations reporting defaults, force deterministic
locale and slow markers, and document the workflow adjustments
- run smoke tests in-process (no subprocess churn), mock update
checks/logging, and mark slow specs appropriately
- deflake update check interval tests by freezing datetime and simplify
FixedDateTime helper
- limit GitHub Actions `push` trigger to `main` so feature branches rely
on the single pull_request run
### ⚙️ Type of Change
Select the type(s) of change(s) included in this pull request:
- [ ] 🐞 Bug fix (non-breaking change which fixes an issue)
- [x] ✨ New feature (adds new functionality without breaking existing
usage)
- [ ] 💥 Breaking change (changes that might break existing user setups,
scripts, or configurations)
## ✅ Checklist
Before requesting a review, confirm the following:
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [x] I have tested my changes and ensured that all tests pass (`pdm run
test`).
- [x] I have formatted the code (`pdm run format`).
- [x] I have verified that linting passes (`pdm run lint`).
- [x] I have updated documentation where necessary.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Ensure tests run in a consistent English locale and restore prior
locale after each run
* Mark integration scraping tests as slow for clearer categorization
* Replace subprocess-based CLI tests with an in-process runner that
returns structured results and captures combined stdout/stderr/logs;
disable update checks during smoke tests
* Freeze current time in update-check tests for deterministic assertions
* Add mock for process enumeration in web‑scraping unit tests to
stabilize macOS-specific warnings
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
