Merge branch 'main' into miketheman/valkey-local

Author: miketheman

.git-blame-ignore-revs

@@ -0,0 +1,7 @@
+# .git-blame-ignore-revs
+# Reformatted codebase with black (#3367)
+40fbc32fef7c7ffe41cd18f3f8951578555db1aa
+# Collapsed license headers across codebase (#18217)
+f59df186dc62274b5831a72f639a1e92bbe3f94c
+# Reformatted templates with djlint (#18266)
+65f7039c1273ad54163cc3d4e01dc0803c87931a

.github/workflows/ci.yml

@@ -29,7 +29,7 @@ jobs:
         uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
       - name: Build image
         id: build
-        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
+        uses: depot/build-push-action@2583627a84956d07561420dcc1d0eb1f2af3fac0 # v1.15.0
         with:
           save: true
           build-args: |
@@ -68,7 +68,7 @@ jobs:
       id-token: write
     services:
       postgres:
-        image: ${{ (matrix.name == 'Tests') && 'postgres:16.1' || '' }}
+        image: ${{ (matrix.name == 'Tests') && 'postgres:17.5' || '' }}
         ports:
           - 5432:5432
         env:
@@ -111,7 +111,7 @@ jobs:
       id-token: write
     services:
       postgres:
-        image: postgres:16.1
+        image: postgres:17.5
         ports:
         - 5432:5432
         env:
@@ -133,6 +133,8 @@ jobs:
           path: dev/environment
           export-variables: true
           keys-case: upper
+      - name: Install jq
+        run: apt-get update && apt-get install -y jq
       - name: Check Database
         run: bin/db-check
         env:

.github/workflows/codeql-analysis.yml

@@ -54,7 +54,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+      uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+      uses: github/codeql-action/autobuild@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+      uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/node-ci.yml

@@ -32,7 +32,7 @@ jobs:
             persist-credentials: false
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: 24.0.0
+          node-version: 24.4.0
           cache: 'npm'
       - name: Install Node dependencies
         run: npm ci

.github/workflows/zizmor.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Run zizmor
         run: pipx run zizmor --format sarif . > results.sarif
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: results.sarif

.python-version

@@ -1 +1 @@
-3.13.2
+3.13.5

Dockerfile

@@ -1,6 +1,9 @@
+# Set variables reused in Dockerfile
+ARG PYTHON_IMAGE_VERSION=3.13.5-slim-bookworm
+
 # First things first, we build an image which is where we're going to compile
 # our static assets with. We use this stage in development.
-FROM node:24.0.0-bookworm AS static-deps
+FROM node:24.4.1-bookworm AS static-deps
 
 WORKDIR /opt/warehouse/src/
 
@@ -38,7 +41,7 @@ RUN NODE_ENV=production npm run build
 
 
 # We'll build a light-weight layer along the way with just docs stuff
-FROM python:3.13.2-slim-bookworm AS docs
+FROM python:${PYTHON_IMAGE_VERSION} AS docs
 
 # By default, Docker has special steps to avoid keeping APT caches in the layers, which
 # is good, but in our case, we're going to mount a special cache volume (kept between
@@ -47,14 +50,22 @@ RUN set -eux; \
     rm -f /etc/apt/apt.conf.d/docker-clean; \
     echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache;
 
-# Install System level build requirements, this is done before
-# everything else because these are rarely ever going to change.
+# Install System level build requirements, this is done before everything else
+# because these are rarely ever going to change.
+# Usages:
+#  - build-essential: make
+#  - git: mkdocs plugin uses this for created/updated
+#  - libcairo2: mkdocs uses cairosvg
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     set -x \
     && apt-get update \
     && apt-get install --no-install-recommends -y \
-        build-essential git libcairo2-dev libfreetype6-dev libjpeg-dev libpng-dev libz-dev
+       build-essential \
+       git \
+       libcairo2 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # We create an /opt directory with a virtual environment in it to store our
 # application in.
@@ -105,7 +116,7 @@ USER docs
 
 # Now we're going to build our actual application, but not the actual production
 # image that it gets deployed into.
-FROM python:3.13.2-slim-bookworm AS build
+FROM python:${PYTHON_IMAGE_VERSION} AS build
 
 # Define whether we're building a production or a development image. This will
 # generally be used to control whether or not we install our development and
@@ -121,23 +132,6 @@ ARG CI=no
 # i.e. 'docker compose run --rm web python -m warehouse shell --type=ipython')
 ARG IPYTHON=no
 
-# By default, Docker has special steps to avoid keeping APT caches in the layers, which
-# is good, but in our case, we're going to mount a special cache volume (kept between
-# builds), so we WANT the cache to persist.
-RUN set -eux; \
-    rm -f /etc/apt/apt.conf.d/docker-clean; \
-    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache;
-
-# Install System level Warehouse build requirements, this is done before
-# everything else because these are rarely ever going to change.
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    set -x \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y \
-        build-essential libffi-dev libxml2-dev libxslt-dev libpq-dev libcurl4-openssl-dev libssl-dev \
-        $(if [ "$DEVEL" = "yes" ]; then echo 'libjpeg-dev'; fi)
-
 # We create an /opt directory with a virtual environment in it to store our
 # application in.
 RUN set -x \
@@ -187,7 +181,7 @@ RUN --mount=type=cache,target=/root/.cache/pip \
 
 # Now we're going to build our actual application image, which will eventually
 # pull in the static files that were built above.
-FROM python:3.13.2-slim-bookworm
+FROM python:${PYTHON_IMAGE_VERSION}
 
 # Setup some basic environment variables that are ~never going to change.
 ENV PYTHONUNBUFFERED 1
@@ -205,23 +199,31 @@ ARG DEVEL=no
 # as well for the matrix!
 ARG CI=no
 
-# This is a work around because otherwise postgresql-client bombs out trying
-# to create symlinks to these directories.
-RUN set -x \
-    && mkdir -p /usr/share/man/man1 \
-    && mkdir -p /usr/share/man/man7
+# By default, Docker has special steps to avoid keeping APT caches in the layers, which
+# is good, but in our case, we're going to mount a special cache volume (kept between
+# builds), so we WANT the cache to persist.
+RUN set -eux; \
+    rm -f /etc/apt/apt.conf.d/docker-clean; \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache;
 
 # Install System level Warehouse requirements, this is done before everything
 # else because these are rarely ever going to change.
+# Usages:
+#  - build-essential: make
+#  - postgresql-client: make initdb and friends
+#  - oathtool: make totp
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     set -x \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y \
-        libpq5 libxml2 libxslt1.1 libcurl4  \
-        $(if [ "$DEVEL" = "yes" ]; then echo 'bash libjpeg62 postgresql-client build-essential libffi-dev libxml2-dev libxslt-dev libpq-dev libcurl4-openssl-dev libssl-dev vim oathtool'; fi) \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && if [ "$DEVEL" = "yes" ]; then \
+        apt-get update \
+        && apt-get install --no-install-recommends -y \
+           build-essential \
+           postgresql-client \
+           oathtool \
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*; \
+    fi
 
 # Copy the directory into the container, this is done last so that changes to
 # Warehouse itself require the least amount of layers being invalidated from
@@ -236,4 +238,4 @@ COPY . /opt/warehouse/src/
 RUN tldextract --update
 # Load our module to pre-compile as much bytecode as we can easily.
 # Saves time collectively on container boot!
-RUN python -m warehouse
+RUN python -m warehouse db -h

babel.config.js

@@ -1,15 +1,4 @@
-/* Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/* SPDX-License-Identifier: Apache-2.0 */
 
 module.exports = {
   presets: [['@babel/preset-env', {targets: {node: 'current'}}]],

bin/db-check

@@ -1,5 +1,5 @@
 #!/bin/bash
-set -e
+set -ex
 
 # When on GitHub Actions, if a label is present on the PR, skip the check.
 if [ -n "$GITHUB_ACTIONS" ]; then

bin/depchecker.py

@@ -1,14 +1,4 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.import sys
+# SPDX-License-Identifier: Apache-2.0
 
 import sys