Add workflows

Author: AA-Turner

.github/workflows/builddoc.yml

@@ -0,0 +1,46 @@
+name: Render documentation
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+env:
+  FORCE_COLOR: "1"
+  UV_SYSTEM_PYTHON: "1"  # make uv do global installs
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3"
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        version: latest
+        enable-cache: false
+    - name: Install dependencies
+      run: uv pip install . --group docs
+    - name: Render the documentation
+      run: >
+        python -m sphinx
+        build -M html
+        ./docs/source
+        ./docs/build
+        --jobs=auto
+        --show-traceback
+        --fail-on-warning

.github/workflows/create-release.yml

@@ -0,0 +1,117 @@
+name: Create release
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+env:
+  FORCE_COLOR: "1"
+  UV_SYSTEM_PYTHON: "1"  # make uv do global installs
+
+jobs:
+  publish-pypi:
+    runs-on: ubuntu-latest
+    name: PyPI Release
+    environment: release
+    if: github.repository_owner == 'sphinx-doc'
+    permissions:
+      attestations: write  # for actions/attest
+      id-token: write  # for actions/attest & PyPI trusted publishing
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3"
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: latest
+          enable-cache: false
+
+      - name: Install build dependencies (pypa/build, twine)
+        run: uv pip install --group package
+
+      - name: Build distribution
+        run: python -m build
+
+      - name: Check distribution
+        run: twine check dist/*
+
+      - name: Create Sigstore attestations for built distributions
+        uses: actions/attest@v1
+        id: attest
+        with:
+          subject-path: "dist/*"
+          predicate-type: "https://docs.pypi.org/attestations/publish/v1"
+          predicate: "null"
+          show-summary: "true"
+
+      - name: Convert attestations to PEP 740
+        run: >
+          python utils/convert_attestations.py
+          "$BUNDLE_PATH"
+          "$SIGNER_IDENTITY"
+        env:
+          BUNDLE_PATH: "${{ steps.attest.outputs.bundle-path }}"
+          # workflow_ref example: sphinx-doc/sphinxext-opengraph/.github/workflows/create-release.yml@refs/heads/master
+          # this forms the "signer identity" for the attestations
+          SIGNER_IDENTITY: "https://github.com/${{ github.workflow_ref }}"
+
+      - name: Inspect PEP 740 attestations
+        run: pypi-attestations inspect dist/*.publish.attestation
+
+      - name: Prepare attestation bundles for uploading
+        run: |
+          mkdir -p /tmp/attestation-bundles
+          cp "$BUNDLE_PATH" /tmp/attestation-bundles/
+          cp dist/*.publish.attestation /tmp/attestation-bundles/
+        env:
+          BUNDLE_PATH: "${{ steps.attest.outputs.bundle-path }}"
+
+      - name: Upload attestation bundles
+        uses: actions/upload-artifact@v4
+        with:
+          name: attestation-bundles
+          path: /tmp/attestation-bundles/
+
+      - name: Upload to PyPI
+        env:
+          TWINE_NON_INTERACTIVE: "true"
+        run: |
+          twine upload dist/* --attestations --verbose
+
+  github-release:
+    runs-on: ubuntu-latest
+    name: GitHub release
+    environment: release
+    if: github.repository_owner == 'sphinx-doc'
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Get release version
+        id: get_version
+        uses: actions/github-script@v7
+        with:
+          script: core.setOutput('version', context.ref.replace("refs/tags/v", ""))
+
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          name: "sphinxext-opengraph ${{ steps.get_version.outputs.version }}"
+          body: ""

.github/workflows/lint.yml

@@ -1,4 +1,4 @@
-name: Lint source code
+name: Lint
 
 on:
   push:
@@ -29,10 +29,32 @@ jobs:
       uses: astral-sh/ruff-action@v3
       with:
         args: --version
-        version: 0.9.2
 
     - name: Lint with Ruff
       run: ruff check --output-format=github
 
     - name: Format with Ruff
       run: ruff format --diff
+
+  twine:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3"
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        version: latest
+        enable-cache: false
+    - name: Install dependencies
+      run: uv pip install --group package
+    - name: Lint with twine
+      run: |
+        python -m build .
+        twine check dist/*

.github/workflows/lock.yml

@@ -0,0 +1,60 @@
+name: Lock old threads
+
+on:
+  schedule:
+    # Run at midnight daily
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  action:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'sphinx-doc'
+    permissions:
+      # to lock issues and PRs
+      issues: write
+      pull-requests: write
+    steps:
+    - uses: actions/github-script@v7
+      with:
+        retries: 3
+        # language=JavaScript
+        script: |
+          const _FOUR_WEEKS_MILLISECONDS = 28 * 24 * 60 * 60 * 1000;
+          const _FOUR_WEEKS_DATE = new Date(Date.now() - _FOUR_WEEKS_MILLISECONDS);
+          const FOUR_WEEKS_AGO = `${_FOUR_WEEKS_DATE.toISOString().substring(0, 10)}T00:00:00Z`;
+          const OWNER = context.repo.owner;
+          const REPO = context.repo.repo;
+
+          try {
+            for (const thread_type of ["issue", "pr"]) {
+              core.debug(`Finding ${thread_type}s to lock`);
+              const query = thread_type === "issue"
+                ? `repo:${OWNER}/${REPO} updated:<${FOUR_WEEKS_AGO} is:closed is:unlocked is:issue`
+                : `repo:${OWNER}/${REPO} updated:<${FOUR_WEEKS_AGO} is:closed is:unlocked is:pr`;
+              core.debug(`Using query '${query}'`);
+              // https://octokit.github.io/rest.js/v21/#search-issues-and-pull-requests
+              const {data: {items: results}} = await github.rest.search.issuesAndPullRequests({
+                q: query,
+                order: "desc",
+                sort: "updated",
+                per_page: 100,
+              });
+              for (const item of results) {
+                if (item.locked) continue;
+                const thread_num = item.number;
+                core.debug(`Locking #${thread_num} (${thread_type})`);
+                // https://octokit.github.io/rest.js/v21/#issues-lock
+                await github.rest.issues.lock({
+                  owner: OWNER,
+                  repo: REPO,
+                  issue_number: thread_num,
+                  lock_reason: "resolved",
+                });
+              }
+            }
+          } catch (err) {
+            core.setFailed(err.message);
+          }

.github/workflows/test.yml

@@ -0,0 +1,88 @@
+name: Tests
+
+on:
+  push:
+    paths:
+      - ".github/workflows/test.yml"
+      - "sphinxext/**"
+      - "tests/**"
+  pull_request:
+    paths:
+      - ".github/workflows/test.yml"
+      - "sphinxext/**"
+      - "tests/**"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+env:
+  FORCE_COLOR: "1"
+  PYTHONDEVMODE: "1"  # -X dev
+  PYTHONWARNDEFAULTENCODING: "1"  # -X warn_default_encoding
+  UV_SYSTEM_PYTHON: "1"  # make uv do global installs
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    name: ${{ matrix.os }} (Python ${{ matrix.python }}; Sphinx ${{ matrix.sphinx-version }})
+    timeout-minutes: 15
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+        - "ubuntu-latest"
+        python:
+        - "3.9"
+        - "3.10"
+        - "3.11"
+        - "3.12"
+        - "3.13"
+        - "3.13t"
+        sphinx-version:
+        - "6"
+        - "7"
+        - "8"
+        exclude:
+        - python: "3.9"
+          sphinx-version: "8"
+        include:
+        - python: "3.13"
+          sphinx-version: "8"
+          os: "windows-latest"
+        - python: "3.13"
+          sphinx-version: "8"
+          os: "macos-latest"
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Set up Python ${{ matrix.python }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python }}
+    - name: Check Python version
+      run: python --version --version
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        version: latest
+        enable-cache: false
+    - name: Install dependencies
+      run: uv pip install . --group test
+    - name: Install Sphinx ${{ matrix.sphinx-version }}
+      run: uv pip install --upgrade "Sphinx~=${{ matrix.sphinx-version }}.0"
+    - name: Test with pytest
+      run: python -m pytest -vv
+      env:
+        PYTHONWARNINGS: "error"  # treat all warnings as errors
+    - name: Install social-cards extra
+      run: uv pip install .[social-cards]
+    - name: Test with pytest (social-cards)
+      run: python -m pytest -vv
+      env:
+        PYTHONWARNINGS: "error"  # treat all warnings as errors