Comparing changes

The release script was leaving behind remote release-<version> branches after successful releases. Now deletes the remote branch after pushing the tag successfully.

The release script now automatically creates a GitHub release after pushing the tag. Extracts release notes from the changelog and uses gh CLI to create the release. If the release process fails after creating the GitHub release, it's cleaned up automatically.

CodeQL flagged GitHub Actions workflows for missing explicit permission declarations. 🔒 Without these declarations, workflows inherit potentially broad default permissions, violating the principle of least privilege and increasing security risk if workflow files are compromised. Added `permissions: contents: read` at the workflow level for `check.yaml`, `weekly.yaml`, and `release.yaml`. This grants only the minimal permission needed to checkout code and run CI checks. The `release` job already has its own `id-token: write` permission for PyPI publishing, which overrides the workflow-level setting for that specific job. This change resolves all four CodeQL medium-severity alerts without affecting workflow functionality. The workflows continue to operate as before, now with proper security boundaries in place.

Fixes: #3707

#3705) Running `tox --help` shows all CLI flags including env-specific ones like `--hashseed` even for commands that don't support them. This creates confusion when users try flags that silently do nothing. 🎯 Additionally, Unix users expect a man page for CLI tools (`man tox`), but tox only provided `--help`. The parser now supports composable argument inheritance via an `inherit` parameter on `add_command()`. Subcommands declare which argument groups they need using `frozenset({CORE})` for basic flags like `--verbose` and `--conf`, or `frozenset({CORE, ENV})` for commands that also need env flags like `--hashseed`. Commands that need neither (like `quickstart`) use `frozenset({CORE})` to get minimal flags. This makes the CLI cleaner and more discoverable. The man page is generated from RST via `sphinx-argparse-cli` and installed as wheel shared-data to `share/man/man1/tox.1`. Running `tox man` helps users set up the symlink and MANPATH. 📚 The type checker also now properly handles `virtualenv.VersionInfo` to `tox.VersionInfo` conversion to fix compatibility issues with the latest virtualenv releases. Signed-off-by: Bernát Gábor <[email protected]>

Added a new "Logging" section under "Developing your own plugin" Fixes: #3449  - [x] ran the linter to address style issues (`tox -e fix`) - [x] wrote descriptive pull request text - [x] ensured there are test(s) validating the fix - [x] added news fragment in `docs/changelog` folder - [x] updated/extended the documentation

…ignoring them (#3710) Added `candidate.exists()` guard, then catch `MissingRequiredConfigKeyError` (skip) before catching `ValueError` (re-raise as `HandledError`). Mirrors the pattern already used in `_locate_source` and `_load_exact_sourc` Fixes: #3030  - [x] ran the linter to address style issues (`tox -e fix`) - [x] wrote descriptive pull request text - [x] ensured there are test(s) validating the fix - [x] added news fragment in `docs/changelog` folder - [ ] updated/extended the documentation

Subprocess output reading could deadlock on Windows during parallel test execution or when handling large amounts of output. The root cause was a chicken-and-egg problem where reader threads waited for the subprocess to close its pipes, but the subprocess wouldn't be terminated until after the readers exited. 🔒 This manifested as timeouts in CI when tox tried to clean up long-running backend processes. The fix adopts CPython's approach to subprocess stream handling. On Unix, we switched from `select.select()` to the `selectors` module with proper EOF detection and interrupt handling. On Windows, we use overlapped I/O with non-blocking polling, mirroring CPython's implementation. Most importantly, we reordered the shutdown sequence in `pep517_backend.py` to terminate subprocesses before stopping reader threads, ensuring pipes close and pending I/O operations complete naturally. ⚡ This eliminates arbitrary timeouts and race conditions in the process cleanup logic. The implementation now handles EINTR signals gracefully and reads larger chunks (32KB instead of 1KB) for better performance with high-volume output. **References:** - CPython's subprocess implementation: https://github.com/python/cpython/blob/main/Lib/subprocess.py - Windows overlapped I/O: https://docs.microsoft.com/en-us/windows/win32/fileio/synchronous-and-asynchronous-i-o - Python `selectors` module: https://docs.python.org/3/library/selectors.html - `_overlapped` module: https://github.com/python/cpython/blob/main/Modules/overlapped.c

The release script uses 'gh release create' to create GitHub releases, but the workflow wasn't providing authentication. This caused the release to fail with 'gh auth login' error. Co-Authored-By: Claude Opus 4.5 <[email protected]> Signed-off-by: Bernát Gábor <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Comparing changes

Open a pull request

Commits on Feb 15, 2026

Commits on Feb 16, 2026

Commits on Feb 17, 2026

This comparison is taking too long to generate.

Uh oh!