Include GitHub Release

.github/workflows/release.yml

@@ -11,12 +11,27 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: write
+
 jobs:
+  tag:
+    name: Create Git Tag
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Create Git Tag
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor }}@users.noreply.github.com"
+          git tag -a ${{ github.event.inputs.tag }} -m "Release ${{ github.event.inputs.tag }}"
+          git push origin ${{ github.event.inputs.tag }}
+
   build:
-    #needs: tagging
+    needs: tag
     runs-on: ubuntu-latest
-    permissions:
-      contents: write  # Permission to write to repository contents (for creating releases)
     steps:
       # Step 1: Checkout the repository code
       - name: Checkout ${{ github.repository }}
@@ -35,9 +50,39 @@ jobs:
           name: dist  # This must match the name used in download step
           path: dist/
 
+  release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - tag
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Download dist artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+      - name: Create GitHub Release with artifacts
+        uses: softprops/[email protected]
+        with:
+          tag_name: ${{ github.event.inputs.tag }}
+          name: ${{ github.event.inputs.tag }}
+          generate_release_notes: true
+          files: dist/*
+
+
   # Job to publish the built package to PyPI
   publish:
-    needs: build  # This job depends on the tag job
+    needs:
+      - build
+      - tag  # This job depends on the tag job
     runs-on: ubuntu-latest
     environment: release  # Use the release environment
 

.github/workflows/test.yml

@@ -6,6 +6,8 @@ on:
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read  # Permission to read repository contents
     steps:
       - uses: actions/checkout@v4
 
@@ -33,6 +35,10 @@ jobs:
     # The type of runner that the job will run on
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      contents: read  # Permission to read repository contents
+      security-events: write  # Permission to write security events (for SonarQube)
+
     strategy:
       matrix:
         os: [ ubuntu-latest, windows-latest, macos-latest ]
@@ -59,4 +65,4 @@ jobs:
         uses: sonarsource/sonarcloud-github-action@v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.pre-commit-config.yaml

@@ -7,7 +7,6 @@ repos:
         args:
           - --markdown-linebreak-ext=md
       - id: check-merge-conflict
-      - id: check-json
       - id: check-yaml
 
   - repo: https://github.com/astral-sh/ruff-pre-commit