Upstream fragility and narrow dependency

[whisper67265]

Close #130, close #132.

Summary by CodeRabbit

• New Features
  • Added a Weblate pin-bump pre-check that validates required internal API contracts against the latest upstream release before updating the dependency pin.
• Bug Fixes
  • Improved release automation to detect the pinned Weblate version across more pyproject.toml Weblate dependency formats.
  • Enhanced pin-sync/release reporting to use the Weblate[postgres]==<version> pin format.
• Tests
  • Added Weblate internal contract tests to guard relied-upon behaviors.
• Chores
  • Switched runtime Weblate extras from Weblate[all] to Weblate[postgres] and updated related docs/changelog/workflows accordingly.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR switches the Weblate pin to Weblate[postgres], broadens pin parsing and rewrite logic, adds a latest-release contract check script and workflow gate, and adds pytest contract tests plus marker configuration.

Changes

Weblate pin handling and release parsing

Layer / File(s)	Summary
Pin parsing and rewrite updates pyproject.toml, .github/workflows/release.yml, scripts/bump-weblate-version.sh, scripts/check-weblate-pin-sync.sh, scripts/weblate-version-map.sh	Weblate[all] is replaced with Weblate[postgres], and the release, bump, sync, and version-map logic now accepts general Weblate...==... pins; the changelog records the dependency change.
Contract tests and marker wiring pyproject.toml, tests/test_weblate_internal_contract.py	Pytest adds the weblate_contract marker and excludes it by default, while the new test module checks Weblate formats parsing, plugin formats output, and URL routing layout.
Contract check workflow and script scripts/check-weblate-internal-contract.sh, .github/workflows/weblate-pin-bump.yml, .github/WORKFLOWS.md	A new script resolves and installs the latest PyPI Weblate release, runs the contract tests, and the pin-bump workflow waits on that job before committing the bump; the workflow table entry is updated.
Docs and changelog updates CHANGELOG.md, README.md, .github/dependabot.yml, docs/deployment-runbook.md, .github/WORKFLOWS.md	Docs and changelog entries update the Weblate pin examples and related wording to Weblate[postgres].

Sequence Diagram(s)

sequenceDiagram
  participant W as .github/workflows/weblate-pin-bump.yml
  participant S as scripts/check-weblate-internal-contract.sh
  participant U as uv
  participant P as PyPI
  participant Py as pytest
  participant T as tests/test_weblate_internal_contract.py

  W->>S: start contract-latest with --latest
  S->>U: query PyPI JSON for latest Weblate release
  U->>P: fetch release list
  S->>U: install Weblate[postgres]==<latest>
  S->>Py: run pytest -m weblate_contract
  Py->>T: execute contract tests
  Py-->>S: exit status
  S-->>W: pass or fail

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• Dependency surface reduction #132: Directly matches the Weblate dependency-surface reduction and generalized pin parsing changes in this PR.

Possibly related PRs

• cppalliance/cppa-weblate-plugin#89: Touches the same Weblate pin-bump tooling and version-map logic that this PR updates.
• cppalliance/cppa-weblate-plugin#88: Updates .github/workflows/release.yml Weblate pin parsing, which is also changed here.

Suggested reviewers

• henry0816191
• wpak-ai

Poem

A rabbit hopped through pins and tests,
and sniffed out Weblate’s freshest zest.
With postgres crumbs and contract cheer,
the workflow thumped, “all clear, all clear!” 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 8.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title is broad, but it still reflects the PR’s focus on upstream breakage and narrowing the Weblate dependency.
Linked Issues check	✅ Passed	The new contract job, --latest support, and pytest marker exclusions match the acceptance criteria for issue #130.
Out of Scope Changes check	✅ Passed	The documentation, changelog, and workflow updates all support the Weblate pin-bump and contract-check changes, with no clear unrelated additions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

scripts/check-weblate-internal-contract.sh (1)

59-60: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add a timeout to the PyPI request.

urllib.request.urlopen without a timeout can hang indefinitely if PyPI is unresponsive, stalling the workflow until the job-level timeout. Pass an explicit timeout.

🔧 Proposed fix

-with urllib.request.urlopen("https://pypi.org/pypi/Weblate/json") as resp:
+with urllib.request.urlopen("https://pypi.org/pypi/Weblate/json", timeout=30) as resp:
     data = json.load(resp)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/check-weblate-internal-contract.sh` around lines 59 - 60, The PyPI
fetch in check-weblate-internal-contract.sh can hang indefinitely because
urllib.request.urlopen is called without a timeout. Update the request in the
Weblate JSON loading block to pass an explicit timeout value through urlopen so
the workflow fails fast if PyPI is unresponsive. Keep the change localized to
the urllib.request.urlopen/json.load flow used for the Weblate package lookup.

tests/test_weblate_internal_contract.py (1)

60-71: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Reorder the tuple-type check before the emptiness check.

if not formats would also be True if formats is None or a non-tuple falsy value, surfacing the "empty tuple" message for a type-contract break. Checking isinstance(..., tuple) first yields a clearer diagnostic for the actual contract violation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_weblate_internal_contract.py` around lines 60 - 71, The contract
check in weblate_formats_with_plugin_formats() is validating tuple emptiness
before confirming the value is actually a tuple, which can mask type-contract
failures with an “empty tuple” message. In the test_weblate_internal_contract
assertion block, move the isinstance(formats, tuple) check ahead of the if not
formats check so non-tuple or None values fail with the correct type diagnostic
first, then keep the empty-tuple assertion afterward.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/WORKFLOWS.md:
- Line 25: The “Weblate version pinning” table still shows the wrong example
package pin; update the `pyproject.toml` example entry to match the current pin
used by the repo. Locate the table row in `.github/WORKFLOWS.md` and change the
`Weblate[all]==2026.5` example to `Weblate[postgres]==2026.5` so the documented
example aligns with the actual pin.

---

Nitpick comments:
In `@scripts/check-weblate-internal-contract.sh`:
- Around line 59-60: The PyPI fetch in check-weblate-internal-contract.sh can
hang indefinitely because urllib.request.urlopen is called without a timeout.
Update the request in the Weblate JSON loading block to pass an explicit timeout
value through urlopen so the workflow fails fast if PyPI is unresponsive. Keep
the change localized to the urllib.request.urlopen/json.load flow used for the
Weblate package lookup.

In `@tests/test_weblate_internal_contract.py`:
- Around line 60-71: The contract check in weblate_formats_with_plugin_formats()
is validating tuple emptiness before confirming the value is actually a tuple,
which can mask type-contract failures with an “empty tuple” message. In the
test_weblate_internal_contract assertion block, move the isinstance(formats,
tuple) check ahead of the if not formats check so non-tuple or None values fail
with the correct type diagnostic first, then keep the empty-tuple assertion
afterward.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e9d38824-b113-46ec-978a-27ef438dc80f

📥 Commits

Reviewing files that changed from the base of the PR and between 07ca2ca and f298036.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (10)

• .github/WORKFLOWS.md
• .github/workflows/release.yml
• .github/workflows/weblate-pin-bump.yml
• CHANGELOG.md
• pyproject.toml
• scripts/bump-weblate-version.sh
• scripts/check-weblate-internal-contract.sh
• scripts/check-weblate-pin-sync.sh
• scripts/weblate-version-map.sh
• tests/test_weblate_internal_contract.py

[henry0816191]

There are still some mentions on Weblate[all] in some place of this project such as README.md — CI jobs table — line ~293. Please check whole project again

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

scripts/bump-weblate-version.sh (1)

70-92: 🎯 Functional Correctness | 🔴 Critical

Pass releases into the Python snippet before the heredoc. The trailing <<<"$releases" is a standalone redirection, so the Python process sees EOF on sys.stdin and releases is always empty. That breaks both forced-version validation and normal candidate selection.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/bump-weblate-version.sh` around lines 70 - 92, The version selection
logic in the bump-weblate-version.sh Python snippet is reading from sys.stdin,
but the current here-string redirection is detached from the heredoc so the
snippet always sees an empty releases list. Fix the uv run invocation by
ensuring the releases variable is passed into the Python process before the
heredoc in the same command, and verify the force-path validation and candidate
selection in the embedded Python block still use the releases input correctly.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@scripts/bump-weblate-version.sh`:
- Around line 70-92: The version selection logic in the bump-weblate-version.sh
Python snippet is reading from sys.stdin, but the current here-string
redirection is detached from the heredoc so the snippet always sees an empty
releases list. Fix the uv run invocation by ensuring the releases variable is
passed into the Python process before the heredoc in the same command, and
verify the force-path validation and candidate selection in the embedded Python
block still use the releases input correctly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 914da5e3-38af-469f-9c15-7bdce260cc39

📥 Commits

Reviewing files that changed from the base of the PR and between 4769698 and 074864c.

📒 Files selected for processing (7)

• .github/dependabot.yml
• CHANGELOG.md
• README.md
• docs/deployment-runbook.md
• scripts/bump-weblate-version.sh
• scripts/check-weblate-internal-contract.sh
• scripts/weblate-version-map.sh

✅ Files skipped from review due to trivial changes (3)

• docs/deployment-runbook.md
• CHANGELOG.md
• .github/dependabot.yml