build: v1.1 #709
The legacy Location.csv has a SiteNames column that was never transferred into the ThingIdLink table. This left site_name null for all wells in the API response. The script reads SiteNames from the CSV and inserts NMBGMR ThingIdLink rows for all matched wells. It is idempotent and safe to re-run after future well transfers.
Org-only contacts (no personal name) were returning a null label in search results. Use c.name or c.organization so those contacts appear with their organization name instead of a blank title.
PointID is not unique across all rows in Location.csv (MB-1005 appears twice with different SiteNames). Switch to matching LocationId against Thing.nma_pk_location, which is the UUID primary key from NM_Aquifer and has higher fidelity. Suggested by jacob-a-brown in PR #668.
…ntact-Names Fall back to organization name for org-only contacts in search
…script BDMS-787 site_name script
Added Cerro MDWCA, White Oaks Pottery, and El Rito MDWCA as organizations to support the well inventory ingestion on 2026-05-01.
…ations Add new organization terms for well inventory ingestion
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.26 to 0.0.27.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.26...0.0.27)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [mako](https://github.com/sqlalchemy/mako) from 1.3.11 to 1.3.12.
- [Release notes](https://github.com/sqlalchemy/mako/releases)
- [Changelog](https://github.com/sqlalchemy/mako/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/mako/commits)

---
updated-dependencies:
- dependency-name: mako
  dependency-version: 1.3.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [authlib](https://github.com/authlib/authlib) from 1.6.11 to 1.6.12.
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/1.6.12/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.11...1.6.12)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
NO TICKET: Add new required env to .env.example
Bumps [idna](https://github.com/kjd/idna) from 3.11 to 3.15.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.11...v3.15)

---
updated-dependencies:
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ge of Hope, and WSP
…for-well-inventory-ingestion-20260526 feat(lexicon): add new organization terms in support of the 2026-05-26 well inventory ingestion
…679)

Bumps the gha-minor-and-patch group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6.0.2...v6.0.3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gha-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary
Adopt the Data Services Versioning Standard on OcotilloAPI. Wires
release-please + tag-triggered deploy per spec §§5–10.
- Bump `pyproject.toml` to **1.0.0**, add
`.release-please-manifest.json` + `release-please-config.json`.
- Add `release-please` workflow watching `production` and `hotfix/v*`.
- Add `hotfix-start` workflow (`workflow_dispatch`) that branches
`hotfix/vX.Y.(Z+1)` off the latest (or specified) `v*.*.*` tag.
- Add PR title lint (Conventional Commits).
- Retarget `CD (Production)` to fire on `v*.*.*` tag push (no more
push-to-branch deploys); drop the self-tagging step; inject
`APP_VERSION` into App Engine env.
- Surface version: `Settings.version` reads `APP_VERSION` env, falls
back to `importlib.metadata.version("OcotilloAPI")`. Public OpenAPI uses
`settings.version` (was hardcoded `0.0.1`). New `/health` returns
`{status, version}`.
- Remove obsolete Sentry release workflow.
## Why
Implements the Data Services Versioning Standard. Pins the public
contract at **1.0.0** so SemVer rules engage going forward.
## Release flow after merge
1. Merge this PR to `staging` (CD Staging deploys to staging env as
usual).
2. Open separate `staging` -> `production` promotion PR when ready to
cut 1.0.0.
3. On merge to `production`, `release-please` opens a Release PR titled
`chore(production): release 1.0.0`.
4. Merge the Release PR -> `v1.0.0` tag + GitHub Release created
automatically.
5. Tag push fires `CD (Production)` -> Alembic migrations + App Engine
deploy.
## Follow-up (manual, not in this PR)
- Apply branch protection on `production` (required reviews + status
checks). Squash-only merge is already enforced at the repo level.
## Test plan
- [ ] CI: `pr-title-lint` passes.
- [ ] CI: `unit-tests` / `bdd-tests` pass against the new `/health`
endpoint + `settings.version` change.
- [ ] Local: `curl localhost:8000/health` returns
`{"status":"ok","version":"1.0.0"}`.
- [ ] After staging deploy: hit the staging `/health` and confirm
version field present.
- [ ] After staging -> production promotion: `release-please` Release PR
appears on `production`.
- [ ] After Release PR merge: `v1.0.0` tag exists, `CD (Production)`
succeeds, prod `/health` returns the tagged version.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
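The version lookup order described in the commit message above (`APP_VERSION` from the environment, then installed package metadata), as an added example that is not the project's own code. The function names, the SemVer check, the stripping of a leading `v` and the `FALLBACK` sentinel are assumptions made for illustration.

```python
import os
import re
from importlib import metadata
from typing import Mapping, Optional

# MAJOR.MINOR.PATCH with optional pre-release and build parts. A leading "v",
# as carried by the v*.*.* tags, is accepted and dropped (assumption: the
# deploy may inject the raw tag name).
SEMVER = re.compile(r"v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?)")

FALLBACK = "0.0.0+unknown"  # hypothetical sentinel when nothing else resolves


def resolve_version(env: Optional[Mapping[str, str]] = None,
                    dist: str = "OcotilloAPI") -> str:
    """Return the version to publish in OpenAPI and /health.

    Order: a well-formed APP_VERSION wins, then the installed distribution's
    metadata, then FALLBACK. A malformed APP_VERSION is ignored rather than
    echoed, so arbitrary environment content never reaches a public response.
    """
    env = os.environ if env is None else env
    match = SEMVER.fullmatch(env.get("APP_VERSION", "").strip())
    if match:
        return match.group(1)
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        # Source checkout or container without the package installed.
        return FALLBACK


def health(env: Optional[Mapping[str, str]] = None) -> dict:
    """Body for a /health response in the {status, version} shape."""
    return {"status": "ok", "version": resolve_version(env)}
```
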
…load (BDMS-828) (#683)

Adds a single endpoint that uploads a digital asset to GCS and records it in the database in one step. Accepts multipart/form-data with the file, a required thing_id, and optional label/name fields.

### **Why**
- The existing API required two separate calls to upload a photo: `POST /asset/upload` (GCS only) then `POST /asset` (DB only), forcing the UI to chain requests and handle intermediate state
- The ticket requires a single endpoint where the back-end handles both the GCS upload and database record creation atomically

### **How**
- Added `POST /asset/upload-and-record` to `api/asset.py` with multipart form fields: `file` (required), `thing_id` (required), `label` and `name` (optional)
- Validates file type before uploading — accepts JPEG, PNG, GIF, WebP, TIFF, PDF, and plain text; rejects all others with 400
- Enforces a 250 MB size limit with 400 on violation
- Guards against duplicate uploads — if the same file is re-uploaded for the same Thing, the existing asset record is returned instead of creating a duplicate
- Creates `Asset` DB record and `AssetThingAssociation` in one transaction using existing `gcs_upload`, `check_asset_exists`, and `audit_add` helpers
- Fixed a pre-existing bug in `audit_helper.py` where `AUTHENTIK_DISABLE_AUTHENTICATION=1` caused a `TypeError` by returning `True` instead of a user claims dict

### **Notes**
- The `audit_helper.py` fix affects all endpoints that call `audit_add`, not just this one — it is a defensive guard (`isinstance(user, dict)`) that is a no-op in production where auth is always enabled
- The existing `/asset/upload` and `POST /asset` two-step endpoints are unchanged and still available
- 649 tests passing, 0 failures
- Manually tested via Swagger (`/docs-auth`) — uploaded a JPEG (88,964 bytes), file was stored in GCS as `test_49e37e503db40eeb09e1e4d0f7c76c8c.JPG`, DB record created with id=1, uri=https://storage.cloud.google.com/ocotillo/uploads/test_49e37e503db40eeb09e1e4d0f7c76c8c.JPG, release_status=draft, storage_service=gcs

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
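The checks listed in the commit message above (type allow-list, 250 MB cap, duplicate guard), as an added example that is not the project's own code and does not use its `gcs_upload` or `check_asset_exists` helpers. Classifying by leading bytes, hashing with SHA-256, the in-memory `store` and all function names are assumptions for illustration.

```python
import codecs
import hashlib
import io
import re
from pathlib import PurePosixPath
from typing import Optional

MAX_BYTES = 250 * 1024 * 1024  # size limit stated in the commit message

# Constructed table: leading bytes of the binary types the commit message lists.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "image/tiff": [b"II*\x00", b"MM\x00*"],
    "application/pdf": [b"%PDF-"],
}
EXTENSIONS = {
    "image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif",
    "image/tiff": ".tif", "application/pdf": ".pdf",
    "image/webp": ".webp", "text/plain": ".txt",
}


class UploadRejected(ValueError):
    """Raised for any input the endpoint would answer with HTTP 400."""


def sniff_type(head: bytes) -> Optional[str]:
    """Classify by content; the client-supplied name and Content-Type are ignored."""
    for mime, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return mime
    # WebP is a RIFF container: "RIFF", 4-byte length, then "WEBP".
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    # Plain text: valid UTF-8 (a multi-byte character cut off at the end of
    # the sample is tolerated) with no control bytes other than tab/newline/CR.
    try:
        text = codecs.getincrementaldecoder("utf-8")().decode(head, final=False)
    except UnicodeDecodeError:
        return None
    if text and all(ch in "\t\n\r" or ch >= " " for ch in text):
        return "text/plain"
    return None


def validate_upload(stream, filename: str, max_bytes: int = MAX_BYTES,
                    chunk: int = 64 * 1024) -> dict:
    """Read the stream once: enforce the cap while reading, hash, then sniff."""
    digest, head, total = hashlib.sha256(), b"", 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        total += len(block)
        if total > max_bytes:  # stop early instead of buffering the whole body
            raise UploadRejected("file exceeds size limit")
        if len(head) < 512:
            head += block[: 512 - len(head)]
        digest.update(block)
    if total == 0:
        raise UploadRejected("empty file")
    mime = sniff_type(head)
    if mime is None:
        raise UploadRejected("unsupported file type")
    # Object name: sanitized stem + content hash + extension chosen from the
    # detected type, so path segments and a misleading suffix never reach storage.
    stem = PurePosixPath(filename.replace("\\", "/")).stem
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "upload"
    sha = digest.hexdigest()
    return {"mime": mime, "size": total, "sha256": sha,
            "object_name": f"{stem}_{sha[:32]}{EXTENSIONS[mime]}"}


def record_asset(store: dict, thing_id: int, stream, filename: str):
    """Return (record, created); same content for the same thing is not duplicated."""
    info = validate_upload(stream, filename)  # nothing is stored before this passes
    key = (thing_id, info["sha256"])
    if key in store:
        return store[key], False
    store[key] = {"thing_id": thing_id, **info}
    return store[key], True
```
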
Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.32.0 to 21.2.0.

**Release notes** (sourced from [virtualenv's releases](https://github.com/pypa/virtualenv/releases))

### 21.2.0

What's Changed

- Move SECURITY.md to .github/SECURITY.md by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3077](https://redirect.github.com/pypa/virtualenv/pull/3077)
- Standardize .github files to .yaml suffix by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3079](https://redirect.github.com/pypa/virtualenv/pull/3079)
- Add type annotations to embed wheel generator output by [`@rahuldevikar`](https://github.com/rahuldevikar) in [pypa/virtualenv#3085](https://redirect.github.com/pypa/virtualenv/pull/3085)
- fix broken README heading introduced in docs restructure by [`@rahuldevikar`](https://github.com/rahuldevikar) in [pypa/virtualenv#3088](https://redirect.github.com/pypa/virtualenv/pull/3088)
- 🐛 fix(bash): use BASH_SOURCE in activate relocation by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3091](https://redirect.github.com/pypa/virtualenv/pull/3091)
- 🐛 fix(create): prevent venv from racing virtualenv on gitignore creation by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3092](https://redirect.github.com/pypa/virtualenv/pull/3092)

**Full Changelog**: https://github.com/pypa/virtualenv/compare/21.1.0...21.2.0

### 21.1.0

What's Changed

- add comprehensive type annotations across the entire codebase by [`@rahuldevikar`](https://github.com/rahuldevikar) in [pypa/virtualenv#3076](https://redirect.github.com/pypa/virtualenv/pull/3076)

**Full Changelog**: https://github.com/pypa/virtualenv/compare/21.0.0...21.1.0

### 21.0.0

What's Changed

- ♻️ refactor(discovery): extract py_discovery as self-contained package by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3070](https://redirect.github.com/pypa/virtualenv/pull/3070)
- 📝 docs(changelog): add removal entry for python-discovery extraction by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3074](https://redirect.github.com/pypa/virtualenv/pull/3074)

**Full Changelog**: https://github.com/pypa/virtualenv/compare/20.39.1...21.0.0

### 20.39.1

What's Changed

- Align dependency versions across projects by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3069](https://redirect.github.com/pypa/virtualenv/pull/3069)
- ✨ feat(create): add RustPython support by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3071](https://redirect.github.com/pypa/virtualenv/pull/3071)
- 🐛 fix(create): add pythonw3.exe to Windows venvs by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3073](https://redirect.github.com/pypa/virtualenv/pull/3073)

**Full Changelog**: https://github.com/pypa/virtualenv/compare/20.39.0...20.39.1

### 20.39.0

What's Changed

- Move from extras to dependency-groups by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3056](https://redirect.github.com/pypa/virtualenv/pull/3056)
- 🐛 fix(sdist): include tox.toml in sdist by [`@gaborbernat`](https://github.com/gaborbernat) in [pypa/virtualenv#3063](https://redirect.github.com/pypa/virtualenv/pull/3063)

... (truncated)

**Changelog** (sourced from [virtualenv's changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst))

### Features - 21.2.0

- Update embed wheel generator (`tasks/upgrade_wheels.py`) to include type annotations in generated output - by :user:`rahuldevikar`. (:issue:`3075`)

### Bugfixes - 21.2.0

- Pass `--without-scm-ignore-files` to subprocess venv on Python 3.13+ so virtualenv controls `.gitignore` creation, fixing flaky `test_create_no_seed` and `--no-vcs-ignore` being ignored in subprocess path - by :user:`gaborbernat`. (:issue:`3089`)
- Use `BASH_SOURCE[0]` instead of `$0` in the bash activate script relocation fallback, fixing incorrect `PATH` when sourcing the activate script from a different directory - by :user:`gaborbernat`. (:issue:`3090`)

v21.1.0 (2026-02-27)

### Features - 21.1.0

- Add comprehensive type annotations across the entire codebase and ship a PEP 561 `py.typed` marker so downstream consumers and type checkers recognize virtualenv as an inline-typed package - by :user:`rahuldevikar`. (:issue:`3075`)

v21.0.0 (2026-02-25)

### Deprecations and Removals - 21.0.0

- The Python discovery logic has been extracted into a standalone `python-discovery` package on PyPI (`documentation <https://python-discovery.readthedocs.io/>`_) and is now consumed as a dependency. If you previously imported discovery internals directly (e.g. `from virtualenv.discovery.py_info import PythonInfo`), switch to `from python_discovery import PythonInfo`. Backward-compatibility re-export shims are provided at `virtualenv.discovery.py_info`, `virtualenv.discovery.py_spec`, and `virtualenv.discovery.cached_py_info`, however these are considered unsupported and may be removed in a future release - by :user:`gaborbernat`. (:issue:`3070`)

v20.39.1 (2026-02-25)

### Features - 20.39.1

- Add support for creating virtual environments with RustPython - by :user:`elmjag`. (:issue:`3010`)

... (truncated)

**Commits**

- [`0b6f444`](https://github.com/pypa/virtualenv/commit/0b6f4445da2560cb11c4808ead464d94ffdf1b05) release 21.2.0
- [`e1af35d`](https://github.com/pypa/virtualenv/commit/e1af35dc7808e75410c55490c35421f461af2920) 🐛 fix(create): prevent venv from racing virtualenv on gitignore creation ([#3092](https://redirect.github.com/pypa/virtualenv/issues/3092))
- [`f05bf08`](https://github.com/pypa/virtualenv/commit/f05bf08f6e2b6fe313aa7378475a30d6151180e2) 🐛 fix(bash): use BASH_SOURCE in activate relocation ([#3091](https://redirect.github.com/pypa/virtualenv/issues/3091))
- [`0cd0e09`](https://github.com/pypa/virtualenv/commit/0cd0e09526863f46f91a4afc057f179fdacf3878) fix broken README heading introduced in docs restructure ([#3088](https://redirect.github.com/pypa/virtualenv/issues/3088))
- [`b7ab17e`](https://github.com/pypa/virtualenv/commit/b7ab17e4739322cf2793ff348e8b2c15c6ebcffe) [pre-commit.ci] pre-commit autoupdate ([#3087](https://redirect.github.com/pypa/virtualenv/issues/3087))
- [`f2062bc`](https://github.com/pypa/virtualenv/commit/f2062bc8ece1d142523209af4785d302f83e6807) chore(deps): bump astral-sh/setup-uv from 4 to 7 ([#3086](https://redirect.github.com/pypa/virtualenv/issues/3086))
- [`eb27e55`](https://github.com/pypa/virtualenv/commit/eb27e55d716d8836b24296efa3a73b98ff1b29e8) Add type annotations to embed wheel generator output ([#3085](https://redirect.github.com/pypa/virtualenv/issues/3085))
- [`fbb3bd1`](https://github.com/pypa/virtualenv/commit/fbb3bd183f2f98bfa68211e014db8995dae64b79) chore(deps): bump peter-evans/create-pull-request from 7 to 8 ([#3081](https://redirect.github.com/pypa/virtualenv/issues/3081))
- [`a1d3963`](https://github.com/pypa/virtualenv/commit/a1d3963f1c078a2a7b56af14cf824e254531de65) chore(deps): bump actions/setup-python from 5 to 6 ([#3080](https://redirect.github.com/pypa/virtualenv/issues/3080))
- [`e768d56`](https://github.com/pypa/virtualenv/commit/e768d5632065d45a06c4d2e99610e1c92a267166) chore(deps): bump actions/upload-artifact from 4 to 7 ([#3082](https://redirect.github.com/pypa/virtualenv/issues/3082))
- Additional commits viewable in [compare view](https://github.com/pypa/virtualenv/compare/20.32.0...21.2.0)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 8.7.1 to 9.0.0.

**Changelog** (sourced from [importlib-metadata's changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst))

### v9.0.0

#### Deprecations and Removals

- Added `MetadataNotFound` (subclass of `FileNotFoundError`) and updated `Distribution.metadata`/`metadata()` to raise it when the metadata files are missing instead of returning `None` (`python/cpython#143387`, [#532](https://redirect.github.com/python/importlib_metadata/issues/532))

### v8.9.0

#### Features

- `python/cpython#110937` [python/cpython#140141](https://redirect.github.com/python/cpython/issues/140141), [python/cpython#143658](https://redirect.github.com/python/cpython/issues/143658))

### v8.8.0

#### Features

- Removed Python 3.9 compatibility.

**Commits**

- [`a9f883f`](https://github.com/python/importlib_metadata/commit/a9f883fef337c667a81a987bc0cbc0dbb43b2bfe) Finalize
- [`9b0dfdf`](https://github.com/python/importlib_metadata/commit/9b0dfdfe2e187dca6644007570189aadc6c97a34) Raise an exception when no metadata file is found ([#532](https://redirect.github.com/python/importlib_metadata/issues/532))
- [`0f2229c`](https://github.com/python/importlib_metadata/commit/0f2229ca84f20be2ceaaa4c62a276fa9b003f5bc) Merge branch 'main' into feature/no-metadata-exception
- [`2f4088e`](https://github.com/python/importlib_metadata/commit/2f4088e490a73ac7f39b86214d2da16d2eb1ff39) Remove news fragments about internal details.
- [`0ac2720`](https://github.com/python/importlib_metadata/commit/0ac27203f8044daf634c22f385838122a0707449) Add news fragment.
- [`a5c2154`](https://github.com/python/importlib_metadata/commit/a5c2154835facb4a9d0a6f5b3aac1f3d1ff86170) Finalize
- [`e66e226`](https://github.com/python/importlib_metadata/commit/e66e22634f7522e7778b66e8a8b19782a11d4943) Drop support for EOL Python 3.9 ([#530](https://redirect.github.com/python/importlib_metadata/issues/530))
- [`6027933`](https://github.com/python/importlib_metadata/commit/6027933ae96c9e51dd0b7ce392cb30f6fcae1940) Add news fragment.
- [`b89388a`](https://github.com/python/importlib_metadata/commit/b89388a53bf857127e0a6860dfcfe2cd69a79ab8) Import os_helper directly.
- [`2dcb761`](https://github.com/python/importlib_metadata/commit/2dcb761d940b0115b786ab3b6f336af7d94630f4) Add uniform exclusions for test.support.
- Additional commits viewable in [compare view](https://github.com/python/importlib_metadata/compare/v8.7.1...v9.0.0)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…inor-and-patch group (#687) Bumps the gha-minor-and-patch group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv). Updates `astral-sh/setup-uv` from 8.1.0 to 8.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/astral-sh/setup-uv/releases">astral-sh/setup-uv's releases</a>.</em></p> <blockquote> <h2>v8.2.0 🌈 New inputs <code>quiet</code> and <code>download-from-astral-mirror</code></h2> <h2>Changes</h2> <p>This release brings two new inputs and a few bug fixes.</p> <h3>New inputs</h3> <p>Lets talk about the new inputs first.</p> <h4>quiet</h4> <p>Pretty simple. It turns of all <code>info</code> loggings. Useful if you use this in a composite action and are not interested in all the details. In the upcoming releases we will add log groups to fully implement support for "less noise"</p> <blockquote> <p>[!NOTE]<br /> Warnings and errors are always logged.</p> </blockquote> <h4>download-from-astral-mirror</h4> <p>In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting <code>download-from-astral-mirror: false</code> allows you to do that.</p> <h3>Bugfixes</h3> <p>When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token. 
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.</p> <p>We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down.</p> <h2>🐛 Bug fixes</h2> <ul> <li>fix: report unexpected cache save failures <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/896">#896</a>)</li> <li>fix: report unexpected setup failures <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/895">#895</a>)</li> <li>fix: add timeout to fetch to prevent silent hangs <a href="https://github.com/eifinger-bot"><code>@eifinger-bot</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/883">#883</a>)</li> <li>Limit GitHub tokens to github.com download URLs <a href="https://github.com/zsol"><code>@zsol</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/878">#878</a>)</li> <li>increase libuv-workaround timeout to 100ms <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/880">#880</a>)</li> </ul> <h2>🚀 Enhancements</h2> <ul> <li>Add quiet input to suppress info-level log output <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/898">#898</a>)</li> <li>feat: add <code>download-from-astral-mirror</code> input <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/897">#897</a>)</li> </ul> <h2>🧰 Maintenance</h2> <ul> <li>docs: update dependabot rollup biome guidance <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/902">#902</a>)</li> <li>chore: update known checksums for 0.11.18 @<a 
href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/899">#899</a>)</li> <li>chore: update known checksums for 0.11.17 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/892">#892</a>)</li> <li>chore: update known checksums for 0.11.16 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/889">#889</a>)</li> <li>chore: update known checksums for 0.11.15 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/885">#885</a>)</li> <li>chore: update known checksums for 0.11.14 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/879">#879</a>)</li> <li>chore: update known checksums for 0.11.13 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/877">#877</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/astral-sh/setup-uv/commit/fac544c07dec837d0ccb6301d7b5580bf5edae39"><code>fac544c</code></a> chore(deps): roll up dependabot updates (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/903">#903</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/7390f777b051d6c47c9cb905ff80e7d5d85a7068"><code>7390f77</code></a> docs: update dependabot rollup biome guidance (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/902">#902</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/363c64a728451954156ddb9e3f368b879eeee5da"><code>363c64a</code></a> chore(deps): roll up dependabot updates (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/901">#901</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/c4fcbafce4f941a09e04c45c42db7a2e3ba5cd91"><code>c4fcbaf</code></a> chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/900">#900</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/8e642c5e623b521f8b6b15bbc2ba54bae583fe45"><code>8e642c5</code></a> chore: update known checksums for 0.11.18 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/899">#899</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/a92cb430984b4b2b34c9c47e020cf035089958fa"><code>a92cb43</code></a> Add quiet input to suppress info-level log output (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/898">#898</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/e07f2ac4b796a5fa8dc51ebf0a5187d0463eb4d6"><code>e07f2ac</code></a> chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/842">#842</a>)</li> <li><a 
href="https://github.com/astral-sh/setup-uv/commit/bc4034eedf3a6f77238660a28089c6b201eae39f"><code>bc4034e</code></a> chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/893">#893</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/df42d4f6ba41cdcf6eda832c32439db37cc28b39"><code>df42d4f</code></a> chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/891">#891</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/b9c8c4c7baf912cbda30843477d08b3f63b0f660"><code>b9c8c4c</code></a> feat: add <code>download-from-astral-mirror</code> input (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/897">#897</a>)</li> <li>Additional commits viewable in <a href="https://github.com/astral-sh/setup-uv/compare/v8.1.0...v8.2.0">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5 to 6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/amannn/action-semantic-pull-request/releases">amannn/action-semantic-pull-request's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.5.3...v6.0.0">6.0.0</a> (2025-08-13)</h2> <h3>⚠ BREAKING CHANGES</h3> <ul> <li>Upgrade action to use Node.js 24 and ESM (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/287">#287</a>)</li> </ul> <h3>Features</h3> <ul> <li>Upgrade action to use Node.js 24 and ESM (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/287">#287</a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/bc0c9a79abfe07c0f08c498dd4a040bd22fe9b79">bc0c9a7</a>)</li> </ul> <h2>v5.5.3</h2> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.5.2...v5.5.3">5.5.3</a> (2024-06-28)</h2> <h3>Bug Fixes</h3> <ul> <li>Bump <code>braces</code> dependency (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/269">#269</a>. 
by <a href="https://github.com/EelcoLos"><code>@EelcoLos</code></a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/2d952a1bf90a6a7ab8f0293dc86f5fdf9acb1915">2d952a1</a>)</li> </ul> <h2>v5.5.2</h2> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.5.1...v5.5.2">5.5.2</a> (2024-04-24)</h2> <h3>Bug Fixes</h3> <ul> <li>Bump tar from 6.1.11 to 6.2.1 (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/262">#262</a> by <a href="https://github.com/EelcoLos"><code>@EelcoLos</code></a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/9a90d5a5ac979326e3bb9272750cdd4f192ce24a">9a90d5a</a>)</li> </ul> <h2>v5.5.1</h2> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.5.0...v5.5.1">5.5.1</a> (2024-04-24)</h2> <h3>Bug Fixes</h3> <ul> <li>Bump ip from 2.0.0 to 2.0.1 (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/263">#263</a> by <a href="https://github.com/EelcoLos"><code>@EelcoLos</code></a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/5e7e9acca3ddc6a9d7b640fe1f905c4fff131f4a">5e7e9ac</a>)</li> </ul> <h2>v5.5.0</h2> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.4.0...v5.5.0">5.5.0</a> (2024-04-23)</h2> <h3>Features</h3> <ul> <li>Add outputs for <code>type</code>, <code>scope</code> and <code>subject</code> (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/261">#261</a> by <a href="https://github.com/bcaurel"><code>@bcaurel</code></a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/b05f5f6423ef5cdfc7fdff00c4c10dd9a4f54aff">b05f5f6</a>)</li> </ul> <h2>v5.4.0</h2> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.3.0...v5.4.0">5.4.0</a> (2023-11-03)</h2> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md">amannn/action-semantic-pull-request's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.2.0...v5.3.0">5.3.0</a> (2023-09-25)</h2> <h3>Features</h3> <ul> <li>Use Node.js 20 in action (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/240">#240</a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/4c0d5a21fc86635c67cc57ffe89d842c34ade284">4c0d5a2</a>)</li> </ul> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.1.0...v5.2.0">5.2.0</a> (2023-03-16)</h2> <h3>Features</h3> <ul> <li>Update dependencies by <a href="https://github.com/EelcoLos"><code>@EelcoLos</code></a> (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/229">#229</a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/e797448a07516738bcfdd6f26ad1d1f84c58d0cc">e797448</a>)</li> </ul> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.0.2...v5.1.0">5.1.0</a> (2023-02-10)</h2> <h3>Features</h3> <ul> <li>Add regex support to <code>scope</code> and <code>disallowScopes</code> configuration (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/226">#226</a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/403a6f89242a0d0d3acde94e6141b2e0f4da8838">403a6f8</a>)</li> </ul> <h3><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.0.1...v5.0.2">5.0.2</a> (2022-10-17)</h3> <h3>Bug Fixes</h3> <ul> <li>Upgrade <code>@actions/core</code> to avoid deprecation warnings (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/208">#208</a>) (<a 
href="https://github.com/amannn/action-semantic-pull-request/commit/91f4126c9e8625b9cadd64b02a03018fa22fc498">91f4126</a>)</li> </ul> <h3><a href="https://github.com/amannn/action-semantic-pull-request/compare/v5.0.0...v5.0.1">5.0.1</a> (2022-10-14)</h3> <h3>Bug Fixes</h3> <ul> <li>Upgrade GitHub Action to use Node v16 (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/207">#207</a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/6282ee339b067cb8eab05026f91153f873ad37fb">6282ee3</a>)</li> </ul> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v4.6.0...v5.0.0">5.0.0</a> (2022-10-11)</h2> <h3>⚠ BREAKING CHANGES</h3> <ul> <li>Enum options need to be newline delimited (to allow whitespace within them) (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/205">#205</a>)</li> </ul> <h3>Features</h3> <ul> <li>Enum options need to be newline delimited (to allow whitespace within them) (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/205">#205</a>) (<a href="https://github.com/amannn/action-semantic-pull-request/commit/c906fe1e5a4bcc61624931ca94da9672107bd448">c906fe1</a>)</li> </ul> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v4.5.0...v4.6.0">4.6.0</a> (2022-09-26)</h2> <h3>Features</h3> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/48f256284bd46cdaab1048c3721360e808335d50"><code>48f2562</code></a> chore: Release 6.1.1 [skip ci]</li> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/800da4c97f618e44f972ff9bc21ab5daecc97773"><code>800da4c</code></a> fix: Parse <code>headerPatternCorrespondence</code> properly (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/295">#295</a>)</li> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/677b89571e961351de6fcbd96c8b2503787962e2"><code>677b895</code></a> test: Fix broken test</li> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/24e6f016c1e110f5353026c0b6129a4118b9146c"><code>24e6f01</code></a> ci: Fix permissions for tagger</li> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/7f33ba792281b034f64e96f4c0b5496782dd3b37"><code>7f33ba7</code></a> chore: Release 6.1.0 [skip ci]</li> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/afa4edb1c465fb22230da8ff4776a163ab5facdf"><code>afa4edb</code></a> fix: Remove trailing whitespace from "unknown release type" error message (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/291">#291</a>)</li> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/a30288bf13b78cca17c3abdc144db5977476fc8b"><code>a30288b</code></a> feat: Support providing regexps for types (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/292">#292</a>)</li> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/a46a7c8dc4bb34503174eba2f2f7ef80dffc8ed7"><code>a46a7c8</code></a> build: Move Vitest to <code>devDependencies</code> (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/290">#290</a>)</li> <li><a 
href="https://github.com/amannn/action-semantic-pull-request/commit/fdd4d3ddf614fbcd8c29e4b106d3bbe0cb2c605d"><code>fdd4d3d</code></a> chore: Release 6.0.1 [skip ci]</li> <li><a href="https://github.com/amannn/action-semantic-pull-request/commit/58e4ab40f59be79f2c432bf003e34a31174e977a"><code>58e4ab4</code></a> fix: Actually execute action (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/289">#289</a>)</li> <li>Additional commits viewable in <a href="https://github.com/amannn/action-semantic-pull-request/compare/v5...v6">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [googleapis/release-please-action](https://github.com/googleapis/release-please-action) from 4 to 5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/googleapis/release-please-action/releases">googleapis/release-please-action's releases</a>.</em></p> <blockquote> <h2>v5.0.0</h2> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.4.1...v5.0.0">5.0.0</a> (2026-04-22)</h2> <h3>⚠ BREAKING CHANGES</h3> <ul> <li>upgrade to node24 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1188">#1188</a>)</li> </ul> <h3>Features</h3> <ul> <li>upgrade to node24 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1188">#1188</a>) (<a href="https://github.com/googleapis/release-please-action/commit/46dfc01594fc6ec99626bc73e479c52bdf554f88">46dfc01</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>bump release-please from 17.3.0 to 17.6.0 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1199">#1199</a>) (<a href="https://github.com/googleapis/release-please-action/commit/f533c26b74c2778db7edc90c96b63a7d08035765">f533c26</a>)</li> </ul> <h2>v4.4.1</h2> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.4.0...v4.4.1">4.4.1</a> (2026-02-20)</h2> <h3>Bug Fixes</h3> <ul> <li>bump release-please from 17.1.3 to 17.3.0 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1183">#1183</a>) (<a href="https://github.com/googleapis/release-please-action/commit/ef9c2745dbfb629d38ebfafa3347a81ab2d51409">ef9c274</a>)</li> </ul> <h2>v4.4.0</h2> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.3.0...v4.4.0">4.4.0</a> (2025-10-09)</h2> <h3>Features</h3> <ul> <li>add ability to select versioning-strategy and release-as (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1121">#1121</a>) (<a 
href="https://github.com/googleapis/release-please-action/commit/ee0f5bae453367755be0c4340193531b3f538374">ee0f5ba</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><code>changelog-host</code> parameter ignored when using manifest configuration (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1151">#1151</a>) (<a href="https://github.com/googleapis/release-please-action/commit/535c4130c1030110bdacd1b3076f98c046c3a227">535c413</a>)</li> <li>bump mocha from 11.7.1 to 11.7.2 in the npm_and_yarn group across 1 directory (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1149">#1149</a>) (<a href="https://github.com/googleapis/release-please-action/commit/3612a99d75bd7a010bb03d6e2ee3e2392b7392fb">3612a99</a>)</li> <li>bump release-please from 17.1.2 to 17.1.3 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1158">#1158</a>) (<a href="https://github.com/googleapis/release-please-action/commit/66fbfe9439cb7a3660ecdc00d42573ef0bd00764">66fbfe9</a>)</li> </ul> <h2>v4.3.0</h2> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.2.0...v4.3.0">4.3.0</a> (2025-08-20)</h2> <h3>Features</h3> <ul> <li><strong>deps:</strong> update release-please to 17.1.2 (<a href="https://github.com/googleapis/release-please-action/commit/f07192c046b10acd083f4665a3d8b6350526f9df">f07192c</a>)</li> </ul> <h2>v4.2.0</h2> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.1.5...v4.2.0">4.2.0</a> (2025-03-07)</h2> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md">googleapis/release-please-action's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.1.0...v4.1.1">4.1.1</a> (2024-05-14)</h2> <h3>Bug Fixes</h3> <ul> <li>bump release-please from 16.10.0 to 16.10.2 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/969">#969</a>) (<a href="https://github.com/googleapis/release-please-action/commit/aa764e0b5db70af7b607fa690b4d1799ceb802d6">aa764e0</a>)</li> <li>bump the npm_and_yarn group with 1 update (<a href="https://redirect.github.com/googleapis/release-please-action/issues/967">#967</a>) (<a href="https://github.com/googleapis/release-please-action/commit/ce529d4a4014c4760ec75d3ba6482e3b80d58862">ce529d4</a>)</li> </ul> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.0.3...v4.1.0">4.1.0</a> (2024-03-11)</h2> <h3>Features</h3> <ul> <li>add <code>changelog-host</code> input to <code>action.yml</code> (<a href="https://redirect.github.com/googleapis/release-please-action/issues/948">#948</a>) (<a href="https://github.com/googleapis/release-please-action/commit/863b06fd1cd7f36c1d74d697ddebe3cf5be4c6b0">863b06f</a>)</li> </ul> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.0.2...v4.0.3">4.0.3</a> (2024-03-11)</h2> <h3>Bug Fixes</h3> <ul> <li>bump release-please from 16.5.0 to 16.10.0 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/953">#953</a>) (<a href="https://github.com/googleapis/release-please-action/commit/d7e88e0fd9e1a56d1075f610183d571f8347ff9b">d7e88e0</a>)</li> </ul> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.0.1...v4.0.2">4.0.2</a> (2023-12-18)</h2> <h3>Bug Fixes</h3> <ul> <li>bump release-please from 16.4.0 to 16.5.0 (<a 
href="https://redirect.github.com/googleapis/release-please-action/issues/905">#905</a>) (<a href="https://github.com/googleapis/release-please-action/commit/df719633a752e335dfde3e62e037315a25ecf6fc">df71963</a>)</li> <li>log release-please version (<a href="https://redirect.github.com/googleapis/release-please-action/issues/910">#910</a>) (<a href="https://github.com/googleapis/release-please-action/commit/2a496d1db5f8860ae46f6066f5dcb73490a99d02">2a496d1</a>), closes <a href="https://redirect.github.com/googleapis/release-please-action/issues/325">#325</a></li> </ul> <h2><a href="https://github.com/googleapis/release-please-action/compare/v4.0.0...v4.0.1">4.0.1</a> (2023-12-07)</h2> <h3>Bug Fixes</h3> <ul> <li>bump release-please from 16.3.1 to 16.4.0 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/897">#897</a>) (<a href="https://github.com/googleapis/release-please-action/commit/2463dad9b20163a40708db720b9fde34c2a2ab0e">2463dad</a>)</li> </ul> <h2><a href="https://github.com/googleapis/release-please-action/compare/v3.7.13...v4.0.0">4.0.0</a> (2023-12-01)</h2> <h3>⚠ BREAKING CHANGES</h3> <ul> <li>remove most configuration options in favor of manifest configuration to configure the release-please-action</li> <li>rewrite in typescript</li> <li>remove command option in favor of setting <code>release-type</code> and <code>skip-github-release</code>/<code>skip-github-pull-request</code></li> <li>run on node20</li> <li><strong>deps:</strong> upgrade release-please to v16</li> <li>v4 release</li> </ul> <h3>Features</h3> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/googleapis/release-please-action/commit/45996ed1f6d02564a971a2fa1b5860e934307cf7"><code>45996ed</code></a> chore(main): release 5.0.0 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1200">#1200</a>)</li> <li><a href="https://github.com/googleapis/release-please-action/commit/a8121b99c9779b09ad890de46417b7cad74eb3a2"><code>a8121b9</code></a> chore: build dist (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1201">#1201</a>)</li> <li><a href="https://github.com/googleapis/release-please-action/commit/f533c26b74c2778db7edc90c96b63a7d08035765"><code>f533c26</code></a> fix: bump release-please from 17.3.0 to 17.6.0 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1199">#1199</a>)</li> <li><a href="https://github.com/googleapis/release-please-action/commit/46dfc01594fc6ec99626bc73e479c52bdf554f88"><code>46dfc01</code></a> feat!: upgrade to node24 (<a href="https://redirect.github.com/googleapis/release-please-action/issues/1188">#1188</a>)</li> <li>See full diff in <a href="https://github.com/googleapis/release-please-action/compare/v4...v5">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
### Why
- Resolve conflicts blocking [#695](#695) (Release PR v1.1, staging → production).

### How
- Merged `origin/production` into `staging`.
- Resolved conflicts in `pyproject.toml`, `requirements.txt`, `uv.lock`, `.github/workflows/pr-title-lint.yml`, `.github/workflows/release-please.yml` by keeping the newer staging versions (authlib 1.7.2, idna 3.18, semantic-pull-request@v6, release-please-action@v5).
- `uv lock --check` passes.

### Notes
- Merge once green to clear PR #695.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jacob Brown <29125483+jacob-a-brown@users.noreply.github.com>
Co-authored-by: Jeremy Zilar <jeremyzilar@gmail.com>
Co-authored-by: jeremyzilar <395641+jeremyzilar@users.noreply.github.com>
Co-authored-by: Jeremy Zilar <jeremy.zilar@lakeraven.com>
Co-authored-by: Kelsey Smuczynski <ksmuczynski@gmail.com>
Co-authored-by: Tyler Adam Martinez <TylerAdamMartinez@outlook.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
### Why
- Re-resolve conflicts blocking [#695](#695). [#696](#696) was squash-merged, which stripped the merge commit, so `production` is still not an ancestor of `staging` and PR #695 re-reports CONFLICTING.

### How
- Real merge commit of `origin/production` into `staging`.
- Same resolutions as #696: keep staging versions (authlib 1.7.2, idna 3.18, semantic-pull-request@v6, release-please-action@v5).
- `uv lock --check` passes.

### Notes
- **MUST be merged via "Create a merge commit"** — not squash, not rebase. Squashing this PR again will reproduce the same conflict on #695.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jacob Brown <29125483+jacob-a-brown@users.noreply.github.com>
Co-authored-by: Jeremy Zilar <jeremyzilar@gmail.com>
Co-authored-by: jeremyzilar <395641+jeremyzilar@users.noreply.github.com>
Co-authored-by: Jeremy Zilar <jeremy.zilar@lakeraven.com>
Co-authored-by: Kelsey Smuczynski <ksmuczynski@gmail.com>
Co-authored-by: Tyler Adam Martinez <TylerAdamMartinez@outlook.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
)

### Why
- `POST /asset/upload-and-record` uploaded the file to GCS *before* calling `session.get(Thing, thing_id)`. When `thing_id` was invalid, the endpoint then raised 409 and returned — leaving an orphaned object in GCS with no `Asset` row pointing at it.
- Affects otherwise valid multipart uploads that reference a nonexistent `thing_id`.

### How
- Moved the `Thing` lookup ahead of `gcs_upload` in [api/asset.py:242](api/asset.py:242).
- Numbered comment-section ordering updated accordingly.

### Notes
- Existing test `test_upload_and_record_asset_bad_thing_id` ([tests/test_asset.py:452](tests/test_asset.py:452)) still asserts the same 409 contract.
- No GCS-orphan assertion added — would require mocking `gcs_upload` to confirm it isn't called; current test suite doesn't reach actual GCS in CI.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
# Conflicts:
# .github/workflows/pr-title-lint.yml
# .github/workflows/release-please.yml
# pyproject.toml
# requirements.txt
# uv.lock
Switch the workflow trigger from push of v*.*.* tags to the GitHub release `published` event so production only deploys when a release is actually cut (e.g. via release-please), not on every matching tag push.

Check out the release tag explicitly and use github.event.release.tag_name for APP_VERSION since github.ref on a release event points to the default branch, not the tag.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…to-staging-3 chore: merge production into staging (real merge commit)
Preserve the safety rail the previous push.tags trigger provided. A release.published event will fire for any tag, so add:
- job-level if: startsWith(tag, 'v') as a cheap pre-filter
- first-step bash regex (^v[0-9]+\.[0-9]+\.[0-9]+(-.+|[a-z].*)?$) that fails the run on a mismatch

Matches the original v*.*.*, v*.*.*-*, v*.*.*[a-z]* patterns so an ad-hoc release on a non-version tag no longer deploys to production.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
actions/checkout's ref accepts ambiguous short names. If a branch were ever created with the same name as a release tag, the deploy would check out the branch instead of the tagged commit. Use the fully-qualified refs/tags/<tag> form to remove the ambiguity.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…-release-published ci: trigger CD (Production) on release publish
### Why
- `test_associate_assets_command_calls_service` fails: `AttributeError: 'CliRunner' object has no attribute 'isolated_filesystem'`
- Click's `CliRunner` dropped the `isolated_filesystem()` context manager in the version now resolved.

### How
- Use the pytest `tmp_path` fixture to create the `asset_import_batch` dir, matching the pattern other tests in this file already use ([tests/test_cli_commands.py:257](tests/test_cli_commands.py:257)).
- Black additionally normalized one unrelated `textwrap.dedent` block in `test_water_levels_cli_persists_observations` (pre-existing format drift the pre-commit hook fixed).

### Notes
- Local run still blocked by Postgres auth in dev `.env`; CI exercises it.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: jirhiker <2035568+jirhiker@users.noreply.github.com>
### Why
Two related groups of fixes, combined here (asset changes migrated from #701, which is now closed):

**CD workflow indentation**
- `steps:` blocks in `CD_staging.yml`, `CD_production.yml`, `CD_testing.yml` had list items at the same column as `steps:`. Valid YAML but unconventional; confused review tooling.

**Asset upload orphan-blob safety** (`POST /asset/upload-and-record`)
- File was uploaded to GCS before validating `thing_id` and before the DB write; a failure left an orphaned blob with no Asset row.

### How
**Workflows**
- Reindent all three CD workflows to standard 2-space style (`git diff -w` ≈ no-op on deploy logic).
- Join a broken multi-line `git tag -m "..."` in CD_testing.yml.
- Includes Copilot autofix commits on the workflow files.

**Asset upload**
- `gcs_upload` now returns `(uri, blob_name, created)`; `created=False` on hash-dedup hit. All callers updated.
- On DB-write failure: rollback, then delete the blob **only** when this request created it AND no Asset row still references it (blobs are content-hash-named and can be shared across Things).
- Entire cleanup path wrapped so rollback / reference-query / delete failures are logged but never mask the original commit exception.
- `session.refresh()` moved outside the cleanup block (post-commit; must not trigger deletion).
- 3 new tests in `tests/test_asset.py` cover the failure paths.

### Notes
- **Merge with "Create a merge commit"** if it touches release flow; otherwise standard squash is fine since this is a feature branch into staging.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
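The ordering and cleanup rules from the asset-upload commits above, as an added example that is not the project's `api/asset.py`. `FakeBucket`, `FakeSession`, `Conflict` and the helper names are hypothetical in-memory stand-ins for GCS, the database session and the 409 response, and the payloads are constructed.

```python
import hashlib
import logging


class Conflict(Exception):
    """Stands in for the endpoint's HTTP 409 response."""


class FakeBucket:
    """In-memory stand-in for the GCS bucket; blobs are named by content hash."""
    def __init__(self, fail_delete=False):
        self.blobs, self.fail_delete = {}, fail_delete

    def upload(self, data):
        """Return (uri, blob_name, created); created is False on a dedup hit."""
        blob_name = hashlib.sha256(data).hexdigest()
        created = blob_name not in self.blobs
        self.blobs.setdefault(blob_name, data)
        return f"gs://example-bucket/{blob_name}", blob_name, created

    def delete(self, blob_name):
        if self.fail_delete:
            raise OSError("constructed storage outage")
        self.blobs.pop(blob_name, None)


class FakeSession:
    """Minimal stand-in for the DB session: known Things plus Asset rows."""
    def __init__(self, thing_ids, fail_commit=False):
        self.thing_ids = set(thing_ids)
        self.assets, self.pending = [], []  # rows are (thing_id, blob_name)
        self.fail_commit = fail_commit

    def get_thing(self, thing_id):
        return thing_id if thing_id in self.thing_ids else None

    def add(self, row):
        self.pending.append(row)

    def commit(self):
        if self.fail_commit:
            raise RuntimeError("constructed commit failure")
        self.assets += self.pending
        self.pending = []

    def rollback(self):
        self.pending = []

    def blob_referenced(self, blob_name):
        return any(name == blob_name for _, name in self.assets)


def upload_and_record(session, bucket, thing_id, data):
    # 1. Validate the parent row before any external side effect.
    if session.get_thing(thing_id) is None:
        raise Conflict(f"thing_id {thing_id} does not exist")
    # 2. Upload; the bucket reports whether this call created the blob.
    uri, blob_name, created = bucket.upload(data)
    # 3. Record the Asset row; on failure, undo only what this request did.
    try:
        session.add((thing_id, blob_name))
        session.commit()
    except Exception:
        try:
            session.rollback()
            if created and not session.blob_referenced(blob_name):
                bucket.delete(blob_name)
        except Exception:
            # Cleanup failures are logged, never raised over the real error.
            logging.exception("cleanup failed for blob %s", blob_name)
        raise
    return uri


def attempt(session, bucket, thing_id, data):
    try:
        upload_and_record(session, bucket, thing_id, data)
    except Exception as exc:
        return type(exc).__name__


def run_scenarios():
    out = {}
    # Invalid thing_id: rejected before the bucket is touched.
    s, b = FakeSession({1}), FakeBucket()
    out["bad_thing"] = (attempt(s, b, 999, b"well log"), len(b.blobs))
    # Commit fails on a blob this request created: the blob is removed.
    s, b = FakeSession({1}, fail_commit=True), FakeBucket()
    out["fresh_blob"] = (attempt(s, b, 1, b"well log"), len(b.blobs))
    # Commit fails on a dedup hit that Thing 1 already references: blob kept.
    s, b = FakeSession({1, 2}), FakeBucket()
    attempt(s, b, 1, b"shared photo")
    s.fail_commit = True
    out["shared_blob"] = (attempt(s, b, 2, b"shared photo"), len(b.blobs))
    # Delete fails during cleanup: the caller still sees the commit error.
    s, b = FakeSession({1}, fail_commit=True), FakeBucket(fail_delete=True)
    out["cleanup_fails"] = (attempt(s, b, 1, b"well log"), len(b.blobs))
    return out
```

In the last scenario the blob stays behind because the delete itself failed; the logged traceback is the only record of it, which is why that path logs rather than swallowing silently.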
### Why
- Deploy buildpack fails:
  ```
  ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
      joserfc>=1.6.0 ... (from authlib==1.7.2->-r requirements.txt (line 225))
  ```
- authlib `1.6.x → 1.7.2` added **joserfc** as a new runtime dependency. The lockfile bump updated `uv.lock` / `pyproject.toml` but `requirements.txt` was not regenerated, so joserfc was missing. pip then resolved it transitively as the unpinned `joserfc>=1.6.0`, which `--require-hashes` rejects.

### How
- Add `joserfc==1.7.1` with its sdist + `py3-none-any` wheel hashes copied from `uv.lock`. Pure-python wheel → platform-independent, so both hashes are complete.
- Verified joserfc is the **only** non-dev dependency present in `uv.lock` but missing from `requirements.txt` (all other gaps are dev-group deps excluded by `--no-dev`).

### Notes
- Surgical one-package insert rather than a full `uv export` regen (local uv 0.9.7 emits a different per-platform hash set than CI, which would churn ~1000 lines).
- **Production is currently broken by this** — staging→production release will carry the fix; if production needs it sooner, cherry-pick to a `hotfix/v*` branch.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…y) (#705)

### Why
Deploy buildpack fails again — next unpinned transitive after the joserfc fix ([#704](#704)):

```
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    python-discovery>=1.4 (from virtualenv==21.4.2->-r requirements.txt (line 2393))
```

Root cause: `pre-commit` was listed in main `[project.dependencies]`, so it (and its whole toolchain — virtualenv, identify, nodeenv, cfgv, distlib, platformdirs) shipped to production. `virtualenv 21.x` introduced the unpinned transitive `python-discovery>=1.4`, which pip `--require-hashes` rejects.

### How
- Move `pre-commit` from `[project.dependencies]` → `[dependency-groups] dev`. It's a dev-only tool, never imported by app code.
- `uv lock` + `uv export --no-dev` regenerate the lock and requirements.
- Result: pre-commit + entire chain (incl. virtualenv → python-discovery) removed from the production requirement set.

### Verification
- Every non-dev package in `uv.lock` is still pinned + hashed in `requirements.txt`; only dev-group deps are absent.
- Confirmed the linux `cp313` x86_64 wheels the buildpack installs are present (checked yarl).
- `uv lock --check` passes.

### Notes
- Large `requirements.txt` churn: besides removing the pre-commit chain, local `uv 0.9.7` emits only the py3.13-relevant wheel hashes (lock `requires-python >=3.13`) vs the old broader set. Functionally complete for the deploy target; CD regenerates with the same `uv export --no-dev` anyway.
- `uv.lock` `revision` bumped 2 → 3 by uv; CD uses `setup-uv` latest (forward-compatible).
- Unblocks the release build on [#695](#695) once merged to staging.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
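Both deploy failures above (joserfc in #704, python-discovery in #705) come from a package that pip needs but `requirements.txt` does not pin and hash. The following is an added example, not the project's tooling: it audits a requirements file for entries `--require-hashes` would reject and lists expected packages that have no entry at all. The sample text, its digests and the yarl version are constructed placeholders, and `audit` / `missing_pins` are hypothetical names.

```python
import re

# Constructed requirements.txt excerpt in the layout `uv export` writes.
# Hash digests and the yarl version are placeholders, not real values.
SAMPLE = """\
authlib==1.7.2 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
    # via example-app
joserfc>=1.6.0
yarl==0.0.0 ; python_full_version >= '3.13'
"""

NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")


def normalize(name):
    """PEP 503 normalization so 'Python_Multipart' equals 'python-multipart'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text):
    """Fold backslash continuations, strip comments, skip blanks and options."""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()
        if line and not line.startswith("-"):
            yield line


def audit(text):
    """Return {package: [problems]} for entries --require-hashes would reject."""
    findings = {}
    for line in logical_lines(text):
        hashes = re.findall(r"--hash=\w+:[0-9a-fA-F]+", line)
        spec = re.sub(r"--hash=\S+", "", line).split(";")[0].strip()
        match = NAME.match(spec)
        if not match:
            findings[spec] = ["unparseable requirement"]
            continue
        problems = []
        if not re.fullmatch(r"==\s*[^\s,*]+", match.group(2)):
            problems.append("not pinned with ==")
        if not hashes:
            problems.append("no --hash")
        if problems:
            findings[normalize(match.group(1))] = problems
    return findings


def missing_pins(required_names, text):
    """Names expected in production (e.g. from the lockfile) with no entry."""
    present = {normalize(NAME.match(ln).group(1))
               for ln in logical_lines(text) if NAME.match(ln)}
    return sorted({normalize(n) for n in required_names} - present)
```

Run as a CI step before the deploy, this catches the transitive case early: a dependency that appears in the lockfile but not in `requirements.txt` shows up in `missing_pins` before pip resolves it unpinned.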
Bumps [ecdsa](https://github.com/tlsfuzzer/python-ecdsa) from 0.19.1 to 0.19.2.

Release notes

*Sourced from [ecdsa's releases](https://github.com/tlsfuzzer/python-ecdsa/releases).*

> ## 0.19.2
>
> Bug fixes:
>
> - Fix CVE-2026-33936, a DER parsing issue in `remove_octet_string()`, `remove_constructed()`, and `remove_implitic()` where a truncated buffer wasn't detected. This can lead to high level functions, like `SigningKey.from_der()` to raise unexpected exceptions. (Mohamed Abdelaal (0xmrma))
>
> Maintenance:
>
> - Update CI to use newer version of Ubuntu.

Changelog

*Sourced from [ecdsa's changelog](https://github.com/tlsfuzzer/python-ecdsa/blob/master/NEWS).*

> - Release 0.19.2 (26 Mar 2026)
>
> Bug fixes:
>
> - Fix CVE-2026-33936, a DER parsing issue in `remove_octet_string()`, `remove_constructed()`, and `remove_implitic()` where a truncated buffer wasn't detected. This can lead to high level functions, like `SigningKey.from_der()` to raise unexpected exceptions. (Mohamed Abdelaal (0xmrma))
>
> Maintenance:
>
> - Update CI to use newer version of Ubuntu.
>
> - Release 0.19.1 (13 Mar 2025)
>
> New API:
>
> - `der.remove_implitic` and `der.encode_implicit` for decoding and encoding DER IMPLICIT values with custom tag values and arbitrary classes
>
> Bug fixes:
>
> - Minor fixes around arithmetic with curves that have non-prime order (useful for experimentation, not practical deployments)
> - Fix arithmetic to work with curves that have (0, 0) on the curve
> - Fix canonicalization of signatures when `s` is just slightly above half of curve order
>
> Maintenance:
>
> - Dropped official support for Python 3.5 (again, issues with CI, support for Python 2.6 and Python 2.7 is unchanged)
> - Officially support Python 3.12 and 3.13 (add them to CI)
> - Removal of few more unnecessary `six.b` literals (Alexandre Detiste)
> - Fix typos in warning messages
>
> - Release 0.19.0 (08 Apr 2024)
>
> New API:
>
> - `to_ssh` in `VerifyingKey` and `SigningKey`, supports Ed25519 keys only (Pablo Mazzini)
>
> New features:
>
> - Support for twisted Brainpool curves
>
> Doc fix:
>
> - Fix curve equation in glossary
> - Documentation for signature encoding and signature decoding functions
>
> Maintenance:
>
> - Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is

... (truncated)

Commits

- [`bd66899`](https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3) Merge commit from fork
- [`9c046ee`](https://github.com/tlsfuzzer/python-ecdsa/commit/9c046ee7f61649a8a43d3f6f9c64f13e76e148db) tests: reject truncated DER lengths
- [`acc40fd`](https://github.com/tlsfuzzer/python-ecdsa/commit/acc40fdaf7bb09aafc912a687ca6ed063ecaface) der: reject truncated lengths in octet/implicit/constructed
- [`55aca78`](https://github.com/tlsfuzzer/python-ecdsa/commit/55aca7830c41af8d6b66ce2ba71fb9aac35085ec) Merge pull request [#363](https://redirect.github.com/tlsfuzzer/python-ecdsa/issues/363) from gstarovo/ubuntu20-deprecation
- [`c4f0df1`](https://github.com/tlsfuzzer/python-ecdsa/commit/c4f0df174ad3ae75e59f4e9f47d4a912f5fe21cf) chore: change to ubuntu-22 since u-20 is deprecated
- See full diff in [compare view](https://github.com/tlsfuzzer/python-ecdsa/compare/python-ecdsa-0.19.1...python-ecdsa-0.19.2)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
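The release note above concerns DER parsing where a truncated buffer was not detected. As an added illustration of that class of check (written for this page, not python-ecdsa's code; every function name here is hypothetical), the reader below validates the declared length against the bytes actually present, next to a lenient variant where Python slicing silently returns a short body.

```python
class DERError(ValueError):
    """Raised for any malformed or truncated encoding."""


def read_length(buf, pos):
    """Decode the DER length starting at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise DERError("missing length octet")
    first = buf[pos]
    if first < 0x80:                      # short form: one octet
        return first, pos + 1
    count = first & 0x7F                  # long form: `count` octets follow
    if count == 0:
        raise DERError("indefinite length is not allowed in DER")
    raw = buf[pos + 1:pos + 1 + count]
    if len(raw) != count:
        raise DERError("length octets are truncated")
    length = int.from_bytes(raw, "big")
    if raw[0] == 0 or length < 0x80:
        raise DERError("length is not minimally encoded")
    return length, pos + 1 + count


def read_octet_string(buf):
    """Return (body, rest) for a leading OCTET STRING, or raise DERError."""
    if not buf or buf[0] != 0x04:
        raise DERError("expected OCTET STRING tag 0x04")
    length, start = read_length(buf, 1)
    end = start + length
    if end > len(buf):                    # the check a lenient parser omits
        raise DERError(
            f"declared {length} bytes, only {len(buf) - start} present")
    return buf[start:end], buf[end:]


def read_octet_string_lenient(buf):
    """Same parse without the bounds check: slicing hides the truncation."""
    length, start = read_length(buf, 1)
    return buf[start:start + length], buf[start + length:]


# Constructed inputs: a complete value and one cut short after two body bytes.
COMPLETE = bytes.fromhex("0403aabbcc")
TRUNCATED = bytes.fromhex("0405aabb")
```

With the lenient variant the short body travels onward and fails later in unrelated code; the strict reader turns it into one well-defined `DERError` at the parse boundary, which callers handling untrusted keys or signatures can catch.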
… tag trigger) (#708)

### Why
After merging staging → production, release-please opens its release PR and (on merge) creates the GitHub release + tag — but **CD (Production) never runs**.

Root cause: release-please creates the release/tag with the default `GITHUB_TOKEN`. GitHub deliberately does **not** emit workflow-triggering events for actions taken with `GITHUB_TOKEN` (recursive-trigger protection). So the `release: published` event never reaches CD (Production), and nothing deploys.

### How
Run the deploy as a job in the **same** workflow run as release-please, which sidesteps the cascade restriction — no PAT needed.

- **CD_production.yml**: now a reusable workflow.
  - Add `workflow_call` trigger with a `tag_name` input.
  - Resolve the deploy tag via a job-level `DEPLOY_TAG = inputs.tag_name || github.event.release.tag_name`, used by the validate step, the `refs/tags/…` checkout, and `APP_VERSION`.
  - Keep the version-shape guard (`if:` + regex step).
  - Retain `release: published` as a fallback for releases published via the UI or a PAT.
- **release-please.yml**: expose `release_created` / `tag_name` outputs and add a `deploy-production` job that `uses: ./.github/workflows/CD_production.yml` with `secrets: inherit`, gated on `release_created == 'true'`.

### Flow after this
1. Merge staging → production → release-please opens release PR.
2. Merge release PR → push to production → release-please creates release+tag **and** the `deploy-production` job deploys it in the same run.

### Notes
- No double-deploy: when release-please makes the release (GITHUB_TOKEN), `release: published` does not fire; only the inline call deploys. A manual UI/PAT release fires the fallback path instead.
- `production` environment protection rules still apply to the called job.
- YAML validated locally.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f17d81c152
| async def upload_and_record_asset( | ||
| user: admin_dependency, | ||
| session: session_dependency, | ||
| bucket=Depends(get_storage_bucket), |
Defer bucket lookup until after request validation
For requests that should be rejected locally (unsupported MIME type, oversized file, or nonexistent thing_id), FastAPI resolves this dependency before entering the handler, so get_storage_bucket() can still instantiate the GCS client and fail on missing credentials or a transient GCS setup issue before the code returns the intended 400/409. This makes invalid upload requests depend on external storage availability and contradicts the endpoint’s validation-before-upload behavior; look up the bucket only immediately before calling gcs_upload.
# Conflicts: # .github/workflows/CD_production.yml # .github/workflows/release-please.yml
Pull request overview
This PR bumps the project to a new build/release baseline (“v1.1”) by updating dependencies and CI/CD automation, and adds an /asset/upload-and-record endpoint that uploads an asset to GCS and persists/links it in the DB with validation and best-effort cleanup.
Changes:
- Add `/asset/upload-and-record` API endpoint with MIME/type + size validation, Thing existence check, deduping, and DB-failure cleanup behavior.
- Extend `services.gcs_helper.gcs_upload` to return a `created` flag (blob newly written vs pre-existing) and update call sites/tests accordingly.
- Update build/deploy tooling (uv flags, dependency groups, GitHub Actions versions) and adjust release automation to deploy inline from release-please.
Reviewed changes
Copilot reviewed 15 out of 17 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| api/asset.py | Adds upload-and-record endpoint, validation constants, and uses new gcs_upload return signature. |
| services/gcs_helper.py | Returns (uri, blob_name, created) from gcs_upload to support safe-ish cleanup decisions. |
| services/asset_helper.py | Updates gcs_upload unpacking for new return signature. |
| services/audit_helper.py | Guards audit_add against non-dict auth dependency return values. |
| tests/test_asset.py | Updates gcs_upload tests and adds extensive coverage for upload-and-record happy/error/cleanup paths. |
| tests/test_cli_commands.py | Uses tmp_path instead of Click isolated filesystem for associate-assets CLI test. |
| pyproject.toml | Dependency bumps and moves dev tooling into the dev dependency group. |
| docker/app/Dockerfile | Uses uv sync --no-dev for production installs. |
| .github/workflows/tests.yml | Bumps setup-uv action version. |
| .github/workflows/release-please.yml | Upgrades release-please action and triggers production deploy via reusable workflow when a release is created. |
| .github/workflows/CD_production.yml | Converts production deploy to reusable workflow (workflow_call) + release: published fallback, and deploys checked-out tag. |
| .github/workflows/CD_staging.yml | Refactors/updates staging deploy workflow and runs uv run --no-dev. |
| .github/workflows/CD_testing.yml | Refactors/updates testing deploy workflow and runs uv run --no-dev. |
| .github/workflows/pr-title-lint.yml | Bumps semantic PR title lint action major version. |
| .github/workflows/jira_codex_pr.yml | Updates pinned setup-uv action revision. |
| if blob_created_by_request: | ||
| # Reference check is best-effort: if it raises, do NOT | ||
| # delete the blob (we cannot confirm it is unreferenced). | ||
| try: | ||
| still_referenced = session.scalars( |
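Review bot: The reference check in the `try:` under `if blob_created_by_request:` and the delete it gates are two separate steps, so a concurrent request that dedups onto the same content-hash-named blob can commit an Asset row after `still_referenced` is computed and before the blob is removed, leaving that row pointing at a deleted object. Either serialize check-and-delete per blob name (for example with a database lock keyed on the blob name) or state in the comment that this window is accepted, so the next reader does not take the check as a guarantee.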
…to-staging-v11 chore: merge production into staging (resolve v1.1 release conflicts)
Why
This PR addresses the following problem / context:
How
Implementation summary - the following was changed / added / removed:
Notes
Any special considerations, workarounds, or follow-up work to note?