A few more small CI tweaks

.github/dependabot.yml

@@ -1,20 +1,35 @@
 # https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
 
 version: 2
+
 updates:
   - package-ecosystem: "github-actions"
     # Workflow files in .github/workflows will be checked
     directory: "/"
-    schedule:
-      interval: "weekly"
-    labels: ["skip news", "C: dependencies"]
+    labels: ["ci: skip news", "C: dependencies", "C: maintenance"]
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    labels: ["ci: skip news", "C: dependencies"]
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    patterns: ["pypa/cibuildwheel"]
+    multi-ecosystem-group: "cibuildwheel"
     cooldown:
       default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
-    schedule:
-      interval: "weekly"
-    labels: ["skip news", "C: dependencies"]
+    patterns: ["cibuildwheel"]
+    multi-ecosystem-group: "cibuildwheel"
     cooldown:
       default-days: 7
+
+multi-ecosystem-groups:
+  cibuildwheel:
+    labels: ["ci: skip news", "C: dependencies"]

.github/workflows/changelog.yml

@@ -17,8 +17,9 @@ jobs:
           persist-credentials: false
 
       - name: Grep CHANGES.md for PR number
-        if: contains(github.event.pull_request.labels.*.name, 'skip news') != true
+        if: >
+          contains(github.event.pull_request.labels.*.name, 'ci: skip news') != true
         run: |
           grep -Pz "\((\n\s*)?#${{ github.event.pull_request.number }}(\n\s*)?\)" CHANGES.md || \
-          (echo "Please add '(#${{ github.event.pull_request.number }})' change line to CHANGES.md (or if appropriate, ask a maintainer to add the 'skip news' label)" && \
+          (echo "Please add '(#${{ github.event.pull_request.number }})' change line to CHANGES.md (or if appropriate, ask a maintainer to add the 'ci: skip news' label)" && \
           exit 1)

.github/workflows/fuzz.yml

@@ -2,39 +2,24 @@ name: fuzz
 
 on:
   push:
-    paths:
-      - tox.ini
-      - .github/workflows/fuzz.yml
-      - scripts/fuzz.py
-      - src/**
-      - tests/**
-      - pyproject.toml
-
+    branches: main
   pull_request:
     paths:
-      - tox.ini
       - .github/workflows/fuzz.yml
       - scripts/fuzz.py
-      - src/**
-      - tests/**
-      - pyproject.toml
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_dispatch:
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
   fuzz:
-    # We want to run on external PRs, but not on our own internal PRs as they'll be run
-    # by the push to the branch. Without this if check, checks are duplicated since
-    # internal PRs match both the push and pull_request events.
-    if:
-      github.event_name == 'push' || github.event.pull_request.head.repo.full_name !=
-      github.repository
-
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -55,4 +40,69 @@ jobs:
           pip-install: --group tox
 
       - name: Run fuzz tests
-        run: tox -e fuzz
+        id: fuzz
+        run: tox -e fuzz --result-json $python_ver
+        env:
+          python_ver: ${{ matrix.python-version }}
+
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: failure() && steps.fuzz.outcome == 'failure'
+        with:
+          name: ${{ matrix.python-version }}
+          path: ${{ matrix.python-version }}
+
+  create-issue:
+    runs-on: ubuntu-latest
+    needs: fuzz
+    if:
+      github.repository == 'psf/black' && github.event_name != 'pull_request' &&
+      failure()
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          merge-multiple: true
+          path: ./output
+
+      - name: Generate issue data
+        run: |
+          output=issue-body.html
+          touch $output
+          for FILE in ./output/*; do
+            echo "**Python $(basename $FILE)**" >> $output
+            echo -e "\`\`\`py" >> $output
+              echo -e "# stdout:" >> $output
+              echo -e "$(jq .testenvs.fuzz.test[-1].output $FILE -r)\n" >> $output
+              echo -e "# stderr:" >> $output
+              echo -e "$(jq .testenvs.fuzz.test[-1].err $FILE -r)" >> $output
+            echo -e "\`\`\`\n" >> $output
+          done
+
+      - name: Get existing issue
+        id: issue
+        run: |
+          echo "ISSUE=$( gh issue list \
+          -A github-actions[bot] -l 'ci: fuzz error' \
+          --json number -q .[0].number \
+          -R $REPO )" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+
+      - name: Create new issue
+        if: steps.issue.outputs.ISSUE == ''
+        run: >
+          gh issue create -t "Fuzz test failure" -F issue-body.html -l "ci: fuzz error"
+          -R $REPO
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+
+      - name: Edit existing issue
+        if: steps.issue.outputs.ISSUE != ''
+        run: gh issue edit $ISSUE -F issue-body.html -R $REPO
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          ISSUE: ${{ steps.issue.outputs.ISSUE }}

.github/workflows/post_release.yml

@@ -0,0 +1,65 @@
+name: post release
+
+on:
+  release:
+    types: published
+
+permissions: {}
+
+jobs:
+  update-stable:
+    runs-on: ubuntu-latest
+    if: github.event.release.prerelease != 'true'
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout stable branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: stable
+          fetch-depth: 0
+          persist-credentials: true # needed for `git push` below
+
+      - name: Update stable branch to release tag & push
+        run: |
+          git reset --hard "${TAG_NAME}"
+          git push
+        env:
+          TAG_NAME: ${{ github.event.release.tag_name }}
+
+  new-changelog:
+    runs-on: ubuntu-latest
+    if: github.event.release.prerelease != 'true'
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: main
+          fetch-tags: true
+          persist-credentials: true # Needed for git-auto-commit-action
+
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        with:
+          python-version: "3.13"
+          pip-version: "25.3"
+
+      - run: python scripts/release.py -a
+
+      - uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
+        with:
+          commit_message: Add new changelog
+          branch: ci/new-changelog
+          create_branch: true
+
+      - name: Create PR
+        run: |
+          gh pr create \
+            -t "Add new changelog" -b "" \
+            -l "ci: skip news" -l "C: maintanance" \
+            -a $USER
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          USER: ${{ github.event.release.author.login }}

.github/workflows/pypi_upload.yml

@@ -2,11 +2,10 @@ name: build and publish
 
 on:
   release:
-    types: [published]
+    types: published
   pull_request:
   push:
-    branches:
-      - main
+    branches: main
 
 permissions: {}
 
@@ -154,26 +153,3 @@ jobs:
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           verbose: true
-
-  update-stable:
-    name: update stable branch
-    needs: [publish-mypyc, publish-hatch]
-    runs-on: ubuntu-latest
-    if: github.event_name == 'release' && github.event.release.prerelease != 'true'
-    permissions:
-      contents: write
-
-    steps:
-      - name: Checkout stable branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: stable
-          fetch-depth: 0
-          persist-credentials: true # needed for `git push` below
-
-      - name: Update stable branch to release tag & push
-        run: |
-          git reset --hard "${TAG_NAME}"
-          git push
-        env:
-          TAG_NAME: ${{ github.event.release.tag_name }}

.pre-commit-config.yaml

@@ -10,18 +10,18 @@ repos:
         entry: python -m scripts.check_pre_commit_rev_in_example
         files: '(CHANGES\.md|source_version_control\.md)$'
         additional_dependencies:
-          - beautifulsoup4>=4.14.2
-          - commonmark==0.9.1
-          - pyyaml==6.0.1
+          - beautifulsoup4~=4.14
+          - commonmark~=0.9.1
+          - pyyaml~=6.0.1
 
       - id: check-version-in-the-basics-example
         name: Check black version in the basics example
         language: python
         entry: python -m scripts.check_version_in_basics_example
         files: '(CHANGES\.md|the_basics\.md)$'
         additional_dependencies:
-          - beautifulsoup4>=4.14.2
-          - commonmark==0.9.1
+          - beautifulsoup4~=4.14
+          - commonmark~=0.9.1
 
   - repo: https://github.com/pycqa/isort
     rev: 7.0.0
@@ -33,7 +33,7 @@ repos:
     hooks:
       - id: flake8
         additional_dependencies:
-          - flake8-bugbear==24.2.6
+          - flake8-bugbear
           - flake8-comprehensions
           - flake8-simplify
         exclude: ^src/blib2to3/
@@ -47,30 +47,30 @@ repos:
         additional_dependencies:
           # Click is intentionally out-of-sync with pyproject.toml
           # v8.2 has breaking changes. We work around them at runtime, but we need the newer stubs.
-          - click>=8.2.0
+          - click~=8.2
           - packaging>=22.0
           - platformdirs>=2
-          - pytokens>=0.3.0
-          - tomli>=1.1.0,<2.0.0
+          - pytokens~=0.4.0
+          - tomli>=1.1.0
 
           # blackd
-          - aiohttp>=3.10
+          - aiohttp~=3.10
 
           # tests
-          - pytest>=7
+          - pytest==9.0.2
 
           # fuzz
-          - hypothesis
-          - hypothesmith
-          - types-atheris
+          - hypothesis~=6.138
+          - hypothesmith==0.3.3
+          - types-atheris~=3.0.0
 
           # diff-shades
-          - urllib3
+          - urllib3~=2.3
 
           # version check
           - beautifulsoup4>=4.14.2
-          - types-commonmark
-          - types-pyyaml
+          - types-commonmark~=0.9.0
+          - types-pyyaml~=6.0.0
 
   - repo: https://github.com/rbubley/mirrors-prettier
     rev: v3.8.0
@@ -83,6 +83,3 @@ repos:
     hooks:
       - id: end-of-file-fixer
       - id: trailing-whitespace
-
-ci:
-  autoupdate_schedule: weekly

docs/contributing/issue_triage.md

@@ -88,15 +88,15 @@ We also have a few standalone labels:
   banners for first-time visitors to the repository)
 - **`help wanted`**: complex issues that need and are looking for a fair bit of work as
   to progress (will also show up in various GitHub pages)
-- **`skip news`**: for PRs that are trivial and don't need a CHANGELOG entry (and skips
-  the CHANGELOG entry check)
+- **`ci: skip news`**: for PRs that are trivial and don't need a CHANGELOG entry (and
+  skips the CHANGELOG entry check)
 - **`ci: build all wheels`**: when a full wheel build is needed, such as to debug
   platform-specific issues. Black does not build wheels for every platform on each pull
   request because the full build matrix is expensive. After the label is added, the
   workflow starts only when a new commit is pushed.
 
 ```{note}
-We do use labels for PRs, in particular the `skip news` label, but we aren't that
+We do use labels for PRs, in particular the `ci: skip news` label, but we aren't that
 rigorous about it. Just follow your judgement on what labels make sense for the specific
 PR (if any even make sense).
 ```