ceccopierangiolieugenio · ceccopierangiolieugenio · May 30, 2026 · May 30, 2026 · May 30, 2026 · May 30, 2026
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,9 @@
+name: "pyTermTk CodeQL config"
+
+# Keep analysis focused on source code and avoid generated artifacts.
+paths-ignore:
+  - build/**
+  - tmp/**
+  - '**/*.egg-info/**'
+  - '**/__pycache__/**'
+  - docs/source/_build/**
diff --git a/.github/workflows/_scratchpad.yml b/.github/workflows/_scratchpad.yml
@@ -25,6 +25,6 @@ jobs:
           GHE: ${{ toJson(github.event) }}
           GHEH: ${{ toJson(github.event.head_commit) }}
           GHEHM: ${{ toJson(github.event.head_commit.modified) }}
-      # - uses: actions/checkout@v4
+      # - uses: actions/checkout@v6
       #   with:
       #     ref: ${{ github.sha }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -11,6 +11,10 @@
 #
 name: "CodeQL Advanced"
 
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     branches: [ "main" ]
@@ -59,7 +63,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     # Add any setup steps before running the `github/codeql-action/init` action.
     # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -73,6 +77,8 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/codeql/codeql-config.yml
+        queries: security-extended,security-and-quality
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.

diff --git a/.github/workflows/itch-publish.yml b/.github/workflows/itch-publish.yml
@@ -23,7 +23,7 @@ jobs:
     runs-on: self-hosted
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Install Butler
         shell: bash
         run: |

diff --git a/.github/workflows/notify-social.yml b/.github/workflows/notify-social.yml
@@ -1,7 +1,8 @@
-name: Release Sandbox
+name: Notify Social
 
 permissions:
   contents: read
+  actions: read
 
 on:
   workflow_dispatch:
@@ -10,75 +11,140 @@ on:
         description: The changed app
         type: string
         default: pyTermTk
-      version:
-        description: The app version
+      run_id:
+        description: Workflow run ID to download artifacts from
         type: string
-        default: v0.0.0
-      discord-message:
-        description: The release message
-        type: string
-        default: pyTermTk released
-      github-discussion-message:
-        description: The release message
-        type: string
-        default: pyTermTk released
+        required: true
+      notify_discord:
+        description: Notify on Discord
+        type: boolean
+        default: false
+      notify_github_discussion:
+        description: Notify on GitHub Discussion
+        type: boolean
+        default: false
+      notify_bluesky:
+        description: Notify on Bluesky
+        type: boolean
+        default: false
+      notify_twitter:
+        description: Notify on Twitter
+        type: boolean
+        default: false
   workflow_call:
     inputs:
       app:
         description: The changed app
         type: string
         default: pyTermTk
-      version:
-        description: The app version
-        type: string
-        default: v0.0.0
-      discord-message:
-        description: The release message
+      run_id:
+        description: Workflow run ID to download artifacts from
         type: string
-        default: pyTermTk released
-      github-discussion-message:
-        description: The release message
-        type: string
-        default: pyTermTk released
+        required: true
+      notify_discord:
+        description: Notify on Discord
+        type: boolean
+        default: false
+      notify_github_discussion:
+        description: Notify on GitHub Discussion
+        type: boolean
+        default: false
+      notify_bluesky:
+        description: Notify on Bluesky
+        type: boolean
+        default: false
+      notify_twitter:
+        description: Notify on Twitter
+        type: boolean
+        default: false
 
 jobs:
-  notify-discord:
-    name: Notify Discord
+  notify:
+    name: Notify ${{ inputs.app }} to the socials
+    continue-on-error: true
     runs-on: self-hosted
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.sha }}
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.x'
+      - name: Install dependencies
+        shell: bash
+        run:
+          pip install -e 'tools/ci[social]'
+
+      - uses: actions/download-artifact@v8
         with:
-          python-version: "3.x"
-      - name: Instrall deps
+          name: release-metadata.json
+          run-id: ${{ inputs.run_id }}
+
+      - name: Extract ${{ inputs.app }} params
+        id: app-params
         run: |
-          python -m pip install discord.py
-      - name: Deploy Discord message
+          echo "params<<_EOF" >> $GITHUB_OUTPUT
+            release-helper \
+              --config .release-please-config.json \
+              --manifest .release-please-manifest.json \
+              --release release-metadata.json \
+              --app-filter ${{ inputs.app }} \
+              matrix all >> $GITHUB_OUTPUT
+          echo "_EOF" >> $GITHUB_OUTPUT
+
+      - name: Validate extracted params
+        shell: bash
+        run: |
+          PARAMS='${{ steps.app-params.outputs.params }}'
+          if [[ -z "$PARAMS" || "$PARAMS" == "{}" ]]; then
+            echo "No release metadata found for app=${{ inputs.app }} in run_id=${{ inputs.run_id }}"
+            exit 1
+          fi
+          _NAME="$(jq -r '.name // empty' <<< "$PARAMS")"
+          _VERSION="$(jq -r '.version // empty' <<< "$PARAMS")"
+          if [[ -z "$_NAME" || -z "$_VERSION" ]]; then
+            echo "Invalid params payload: $PARAMS"
+            exit 1
+          fi
+
+      - name: Notify ${{ fromJson(steps.app-params.outputs.params).name }} on Discord
+        if: ${{ inputs.notify_discord }}
+        continue-on-error: true
         env:
-          MESSAGE: ${{ inputs.discord-message }}
+          RN: ${{ fromJson(steps.app-params.outputs.params).release_notes }}
+          MESSAGE: ${{ fromJson(steps.app-params.outputs.params).release_notes }}
           DISCORD_TOKEN: ${{ secrets.DISCORD_TOKEN }}
         run: |
-          python tools/ci/social/notify_discord.py ${{ inputs.app }} ${{ inputs.version }}
+          notify-discord ${{ fromJson(steps.app-params.outputs.params).name }} ${{ fromJson(steps.app-params.outputs.params).version }}
 
-  notify-github-discussion:
-    name: Notify Github Discussion
-    runs-on: self-hosted
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.sha }}
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.x"
-      - name: Deploy Github Discussion
+      - name: Notify ${{ fromJson(steps.app-params.outputs.params).name }} on Github Discussion
+        if: ${{ inputs.notify_github_discussion }}
+        continue-on-error: true
         env:
-          DISCUSSION_BODY: ${{ inputs.github-discussion-message}}
-          GH_DISCUSSION_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
+          RN: ${{ fromJson(steps.app-params.outputs.params).release_notes }}
+          MESSAGE: ${{ fromJson(steps.app-params.outputs.params).release_notes }}
+          GITHUB_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
+          GH_DISCUSSION_TOKEN: ${{ secrets.GH_DISCUSSION_TOKEN }}
         run: |
-          export DISCUSSION_TITLE="${{ inputs.app }} ${{ inputs.version }} Released!!!"
-          python tools/ci/social/notify_github_discussion.py ${{ inputs.app }} ${{ inputs.version }}
+          notify-gh-discussion ${{ fromJson(steps.app-params.outputs.params).name }} ${{ fromJson(steps.app-params.outputs.params).version }}
 
+      - name: Notify ${{ fromJson(steps.app-params.outputs.params).name }} on Bluesky
+        if: ${{ inputs.notify_bluesky }}
+        continue-on-error: true
+        env:
+          BLUESKY_APP_PWD: ${{ secrets.BLUESKY_APP_PWD }}
+          BLUESKY_APP_IDENTIFIER: ${{ secrets.BLUESKY_APP_IDENTIFIER }}
+        run: |
+          notify-bluesky ${{ fromJson(steps.app-params.outputs.params).name }} ${{ fromJson(steps.app-params.outputs.params).version }}
 
+      - name: Notify ${{ fromJson(steps.app-params.outputs.params).name }} on Twitter
+        if: ${{ inputs.notify_twitter }}
+        continue-on-error: true
+        env:
+          X_API_KEY: ${{ secrets.X_API_KEY }}
+          X_API_SECRET: ${{ secrets.X_API_SECRET }}
+          X_ACCESS_TOKEN: ${{ secrets.X_ACCESS_TOKEN }}
+          X_ACCESS_TOKEN_SECRET: ${{ secrets.X_ACCESS_TOKEN_SECRET }}
+        run: |
+          notify-twitter ${{ fromJson(steps.app-params.outputs.params).name }} ${{ fromJson(steps.app-params.outputs.params).version }}
 
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -45,8 +45,8 @@ jobs:
         working-directory: ${{ inputs.pkg_folder }}
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.x"
       - name: Build release distributions
@@ -60,7 +60,7 @@ jobs:
             python -m build
           echo '::endgroup::'
       - name: Upload distributions
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: release-dist-${{ inputs.pkg_name }}
           path: ${{ inputs.pkg_folder }}/dist/
@@ -74,7 +74,7 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.x"
       - name: Retrieve release distributions

diff --git a/.github/workflows/release-doc.yml b/.github/workflows/release-doc.yml
@@ -28,7 +28,7 @@ jobs:
     runs-on: self-hosted
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.sha }}
       - name: Gen Docs

diff --git a/.github/workflows/release-sandbox-bin.yml b/.github/workflows/release-sandbox-bin.yml
@@ -28,7 +28,7 @@ jobs:
     runs-on: self-hosted
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.sha }}
 

diff --git a/.github/workflows/release-sandbox.yml b/.github/workflows/release-sandbox.yml
@@ -28,7 +28,7 @@ jobs:
     runs-on: self-hosted
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.sha }}