openedx · salman2013 · May 18, 2026 · May 18, 2026 · May 18, 2026 · Jun 3, 2026
diff --git a/.coveragerc b/.coveragerc
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml
@@ -6,13 +6,15 @@ on:
   pull_request:
     branches:
       - "**"
+  # Called from release.yml before publishing on push to main.
+  workflow_call:
 
 jobs:
   python-tests:
     name: Run Python Tests and Coverage
     runs-on: ubuntu-latest
-    runs-on: ubuntu-latest
+    name: ${{ matrix.toxenv }}
-    runs-on: ubuntu-latest
+    name: ${{ matrix.toxenv }}
     strategy:
-      fail-fast: true
+      fail-fast: false
       matrix:
         python-version: ["3.12"]
         toxenv: [quality, docs, django42, django52]
@@ -26,13 +28,16 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
-      - name: Install dependencies
-        run: pip install -r requirements/pip-tools.txt tox
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Install CI dependencies
+        run: uv sync --group ci
 
       - name: Run tests with Tox (${{ matrix.toxenv }})
         env:
           TOXENV: ${{ matrix.toxenv }}
-        run: tox
+        run: uv run tox
 
       - name: Upload coverage to Codecov
         if: matrix.python-version == '3.12' && matrix.toxenv == 'django42'

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,96 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  run_tests:
+    uses: ./.github/workflows/python-tests.yml
+
+  release:
+    needs: run_tests
+    runs-on: ubuntu-latest
+    if: github.ref_name == 'main'
+    concurrency:
+      group: ${{ github.workflow }}-release-${{ github.ref_name }}
+      cancel-in-progress: false
+
+    permissions:
+      contents: write
+
+    steps:
+      # Checkout at the branch that triggered the workflow, then force-reset to
+      # the exact sha so we don't accidentally release commits that arrived
+      # while this workflow was running.
+      - name: Setup | Checkout Repository on Release Branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.ref_name }}
+
+      - name: Setup | Force release branch to workflow sha
+        run: git reset --hard ${{ github.sha }}
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.12"
+
+      - name: Set up Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 24
+
+      - name: Install npm dependencies and build
+        run: |
+          npm ci
+          npm run build
+
+      - name: Action | Semantic Version Release
+        id: release
+        uses: python-semantic-release/python-semantic-release@754a065a2ea187da71977ada6630a8ec0f98e380 # v10.5.3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_committer_name: "github-actions"
+          git_committer_email: "actions@users.noreply.github.com"
+          changelog: "false"
+
+      - name: Publish | Upload to GitHub Release Assets
+        uses: python-semantic-release/publish-action@68eaac9f1f594e9ec4b985245d06355734f43eea # v10.5.3
+        if: steps.release.outputs.released == 'true'
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.release.outputs.tag }}
+
+      - name: Upload | Distribution Artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: steps.release.outputs.released == 'true'
+        with:
+          name: distribution-artifacts
+          path: dist/
+          if-no-files-found: error
+
+    outputs:
+      released: ${{ steps.release.outputs.released || 'false' }}
+      version: ${{ steps.release.outputs.version }}
+
+  publish_to_pypi:
+    # Separate from the release job for least privilege and retry-ability:
+    # publishing can fail independently and shouldn't require reversing the release.
+    runs-on: ubuntu-latest
+    needs: release
+    if: github.ref_name == 'main' && needs.release.outputs.released == 'true'
+
+    permissions:
+      contents: read
+      id-token: write   # for PyPI OIDC trusted publisher
+
+    steps:
+      - name: Download Distribution Artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: distribution-artifacts
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@7f25271a4aa483500f742f9492b2ab5648d61011 # v1.12.4
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -1,7 +1,5 @@
 # --- ROOT FILES ---
-include CHANGELOG.rst LICENSE.txt README.rst
-include requirements/base.in
-include requirements/constraints.txt
+include LICENSE.txt README.rst
 
 # --- PACKAGE DATA ---
 recursive-include xblocks_contrib *.html *.js *.css *.jar *.png *.gif *.jpg *.jpeg *.svg *.yaml *.underscore