OvertureMaps · John McCall (lowlydba) · Mar 21, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+---
+version: 2
+updates:
+
+  # Maintain GitHub Actions dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "bot"
+    commit-message:
+      prefix: "[CHORE](deps)"
+      include: "scope"
diff --git a/.github/workflows/check-python-code.yaml b/.github/workflows/check-python-code.yaml
@@ -1,7 +1,7 @@
 name: Check Python package code
 
 on:
-  pull_request_target:
+  pull_request:
     paths:
       - 'packages/**'
       - 'pyproject.toml'
@@ -16,12 +16,9 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.head.repo.full_name == github.repository
 
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/checkout@v6
 
       - name: Install uv
         uses: astral-sh/setup-uv@v4

diff --git a/.github/workflows/check-python-package-versions.yaml b/.github/workflows/check-python-package-versions.yaml
@@ -1,7 +1,7 @@
 name: Check Python package version numbers
 
 on:
-  pull_request_target:
+  pull_request:
     paths:
       - '**/pyproject.toml'
       - 'packages/**/__about__.py'
@@ -12,7 +12,6 @@ permissions:
 
 jobs:
   check:
-    if: github.event.pull_request.head.repo.full_name == github.repository
     uses: ./.github/workflows/reusable-check-python-package-versions.yaml
     with:
       before_commit: ${{ github.event.pull_request.base.sha }}

diff --git a/.github/workflows/publish-python-packages.yaml b/.github/workflows/publish-python-packages.yaml
@@ -6,6 +6,7 @@ on:
     paths:
       - '**/pyproject.toml'
       - 'packages/**/__about__.py'
+  workflow_dispatch:
     inputs:
       aws_iam_role_name:
         description: The name of the IAM role to assume for accessing CodeArtifact
@@ -64,16 +65,18 @@ jobs:
       - name: Get CodeArtifact publish URL
         id: get-code-artifact-params
         run: |
-          echo 'token<<EOF' >> $GITHUB_OUTPUT
-          ./.github/workflows/scripts/code-artifact.sh token \
-            505071440022 us-west-2 overture-pypi >> $GITHUB_OUTPUT
-          echo EOF >> $GITHUB_OUTPUT
-          echo 'publish_url<<EOF' >> $GITHUB_OUTPUT
-          ./.github/workflows/scripts/code-artifact.sh publish-url \
-            505071440022 us-west-2 overture-pypi overture >> $GITHUB_OUTPUT
-          echo EOF >> $GITHUB_OUTPUT
+          token=$(./.github/workflows/scripts/code-artifact.sh token \
+            505071440022 us-west-2 overture-pypi)
+          echo "::add-mask::${token}"
+          echo "token=${token}" >> $GITHUB_OUTPUT
+          publish_url=$(./.github/workflows/scripts/code-artifact.sh publish-url \
+            505071440022 us-west-2 overture-pypi overture)
+          echo "publish_url=${publish_url}" >> $GITHUB_OUTPUT
 
       - name: Publish package ${{ matrix.package }} version ${{ matrix.after }} to PyPI
+        env:
+          CA_TOKEN: ${{ steps.get-code-artifact-params.outputs.token }}
+          CA_PUBLISH_URL: ${{ steps.get-code-artifact-params.outputs.publish_url }}
         run: |
           package="${{ matrix.package }}"
           before="${{ matrix.before }}"
@@ -91,5 +94,5 @@ jobs:
             exit 1
           fi
           uv publish "$wheel" "$tarball" \
-             -t "${{ steps.get-code-artifact-params.outputs.token }}" \
-            --publish-url "${{ steps.get-code-artifact-params.outputs.publish_url }}"
+             -t "${CA_TOKEN}" \
+            --publish-url "${CA_PUBLISH_URL}"
diff --git a/.github/workflows/reusable-check-python-package-versions.yaml b/.github/workflows/reusable-check-python-package-versions.yaml
@@ -62,20 +62,20 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y jq
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@v7
         with:
           version: latest
 
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.10"
-
       - name: Check out code before change
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{ inputs.before_commit }}
 
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version-file: .python-version
+
       - name: Sync code before change to make packages visible to Python
         run: uv sync --all-packages
 
@@ -123,20 +123,22 @@ jobs:
         id: get-code-artifact-index-url
         if: steps.save-changes.outputs.num_changed_packages > 0
         run: |
-          echo 'index_url<<EOF' >> $GITHUB_OUTPUT
-          ./.github/workflows/scripts/code-artifact.sh index-url \
+          index_url=$(./.github/workflows/scripts/code-artifact.sh index-url \
             "${{ inputs.aws_account_id }}" "${{ inputs.aws_region }}" \
-            "${{ inputs.domain }}" "${{ inputs.repository }}" >> $GITHUB_OUTPUT
-          echo EOF >> $GITHUB_OUTPUT
+            "${{ inputs.domain }}" "${{ inputs.repository }}")
+          echo "::add-mask::${index_url}"
+          echo "index_url=${index_url}" >> $GITHUB_OUTPUT
 
       - name: Fail if any of the new versions already exist in the repo
         if: steps.save-changes.outputs.num_changed_packages > 0
+        env:
+          INDEX_URL: ${{ steps.get-code-artifact-index-url.outputs.index_url }}
         run: |
           jq -c '.[]' /tmp/package-version-diff.json | while read -r entry; do
             package=$(echo "$entry" | jq -r '.package')
             after=$(echo "$entry" | jq -r '.after')
             exit_code=0
-            output=$(uv run pip download "${package}==${after}" --index-url "${{ steps.get-code-artifact-index-url.outputs.index_url }}" --no-deps -d /tmp --quiet 2>&1) || exit_code=$?
+            output=$(uv run pip download "${package}==${after}" --index-url "${INDEX_URL}" --no-deps -d /tmp --quiet 2>&1) || exit_code=$?
             if [[ $exit_code -eq 0 || (
               "${output,,}" != *"could not find a version"* &&
               "${output,,}" != *"no matching distributions"*

diff --git a/.github/workflows/test-schema.yaml b/.github/workflows/test-schema.yaml
@@ -14,12 +14,15 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: 1.22
-    - name: Install dependencies
-      run: go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest
-    - name: Validate
-      run: ./test.sh
+      - uses: actions/checkout@v6
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: 1.22
+
+      - name: Install dependencies
+        run: go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest
+
+      - name: Validate
+        run: ./test.sh
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1,3 @@
+# Devops
+
+/.github @lowlydba @overturemaps/omf-public-reviewers
diff --git a/pyproject.toml b/pyproject.toml
@@ -9,7 +9,6 @@ version = "0.0.0"
 [tool.uv.workspace]
 members = ["packages/*"]
 
-
 [tool.ruff]
 line-length = 88
 target-version = "py310"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Devops

		/.github @lowlydba @overturemaps/omf-public-reviewers