diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 0ffc101a3f..0000000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1 +0,0 @@
-github: [tiangolo]
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 918a98f511..95c9f07cb9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,26 +4,47 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
- interval: "daily"
+ interval: "weekly"
cooldown:
default-days: 7
commit-message:
prefix: ⬆
+ labels:
+ - "internal"
+ - "dependencies"
+ - "github_actions"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
# Python
- package-ecosystem: "uv"
directory: "/"
schedule:
- interval: "daily"
+ interval: "weekly"
cooldown:
default-days: 7
commit-message:
prefix: ⬆
+ groups:
+ python-packages:
+ dependency-type: "development"
+ patterns:
+ - "*"
# pre-commit
- package-ecosystem: "pre-commit"
directory: "/"
schedule:
- interval: "daily"
+ interval: "weekly"
cooldown:
default-days: 7
commit-message:
prefix: ⬆
+ labels:
+ - "internal"
+ - "dependencies"
+ - "pre-commit"
+ groups:
+ pre-commit:
+ patterns:
+ - "*"
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 01a0824449..318c3c2fb0 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -14,7 +14,7 @@ jobs:
name: Add to project
runs-on: ubuntu-latest
steps:
- - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+ - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
with:
project-url: https://github.com/orgs/fastapi/projects/2
github-token: ${{ secrets.PROJECTS_TOKEN }} # zizmor: ignore[secrets-outside-env]
diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index d8e5d9e943..f30ea3bef9 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -34,14 +34,13 @@ jobs:
- docs_src/**
- pyproject.toml
- uv.lock
- - mkdocs.yml
- - mkdocs.env.yml
- .github/workflows/build-docs.yml
- .github/workflows/deploy-docs.yml
- - scripts/mkdocs_hooks.py
+ - scripts/docs.py
langs:
needs:
- changes
+ if: ${{ needs.changes.outputs.docs == 'true' }}
runs-on: ubuntu-latest
outputs:
langs: ${{ steps.show-langs.outputs.langs }}
@@ -103,21 +102,28 @@ jobs:
run: uv run ./scripts/docs.py update-languages
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
- key: mkdocs-cards-${{ matrix.lang }}-${{ github.ref }}
- path: docs/${{ matrix.lang }}/.cache
+ key: zensical-${{ matrix.lang }}-${{ github.ref }}
+ path: site_zensical_src/${{ matrix.lang }}/.cache
- name: Build Docs
run: | # zizmor: ignore[template-injection] - comes from trusted source
uv run ./scripts/docs.py build-lang ${{ matrix.lang }}
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: docs-site-${{ matrix.lang }}
- path: ./site/**
+ # English owns root static assets. Translated pages reference /img, /css,
+ # and /js, so omit duplicated language-local copies from artifacts.
+ path: |
+ ./site/**
+ !./site/${{ matrix.lang }}/img/**
+ !./site/${{ matrix.lang }}/css/**
+ !./site/${{ matrix.lang }}/js/**
include-hidden-files: true
# https://github.com/marketplace/actions/alls-green#why
docs-all-green: # This job does nothing and is only used for the branch protection
if: always()
needs:
+ - langs
- build-docs
runs-on: ubuntu-latest
steps:
@@ -125,4 +131,4 @@ jobs:
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
- allowed-skips: build-docs
+ allowed-skips: langs, build-docs
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 503aec2a85..be1d93b305 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -60,7 +60,7 @@ jobs:
env:
PROJECT_NAME: fastapitiangolo
BRANCH: ${{ ( github.event.workflow_run.head_repository.full_name == github.repository && github.event.workflow_run.head_branch == 'master' && 'main' ) || ( github.event.workflow_run.head_sha ) }}
- uses: cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3.15.0
+ uses: cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4.0.0
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} # zizmor: ignore[secrets-outside-env]
diff --git a/.github/workflows/guard-dependencies.yml b/.github/workflows/guard-dependencies.yml
new file mode 100644
index 0000000000..c3f97c3752
--- /dev/null
+++ b/.github/workflows/guard-dependencies.yml
@@ -0,0 +1,52 @@
+name: Guard Dependencies
+
+on:
+ pull_request_target: # zizmor: ignore[dangerous-triggers] -- This workflow only reads context.payload metadata, never checks out PR code
+ branches: [master]
+ paths:
+ - pyproject.toml
+ - uv.lock
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
+jobs:
+ check-author:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check if author is org member or allowed bot
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+ with:
+ script: |
+ const pr = context.payload.pull_request;
+ const author = pr.user.login;
+ const assoc = pr.author_association;
+
+ const botAllowlist = new Set(['dependabot[bot]']);
+ const orgAuthorAssociations = new Set(['MEMBER', 'OWNER']);
+
+ const allowed =
+ botAllowlist.has(author) ||
+ (assoc != null && orgAuthorAssociations.has(assoc));
+
+ if (!allowed) {
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.payload.pull_request.number,
+ body: `This PR modifies dependency files (\`pyproject.toml\` or \`uv.lock\`), which is restricted to members of the **${context.repo.owner}** organization on GitHub.\n\nIf you need a dependency change, please [open a discussion](https://github.com/${context.repo.owner}/${context.repo.repo}/discussions/new) describing what you need and why.\n\nClosing this PR automatically.`
+ });
+
+ await github.rest.pulls.update({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.payload.pull_request.number,
+ state: 'closed'
+ });
+
+ core.setFailed('Dependency changes are restricted to organization members.');
+ } else {
+ console.log(`Author ${author} (author_association=${assoc}) is allowed to make dependency changes.`);
+ }
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 58c6892375..2072a3f0b9 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -18,7 +18,7 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+ - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }}
- run: echo "Done adding labels"
# Run this after labeler applied labels
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 32d6ea4f98..f7f180e8e2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -29,6 +29,7 @@ jobs:
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.4"
+ enable-cache: "false"
- name: Build distribution
run: uv build
- name: Publish
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7380cb75e9..edcc49b309 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -81,6 +81,11 @@ jobs:
uv-resolution: highest
codspeed: codspeed
deprecated-tests: "no-deprecation"
+ - os: ubuntu-latest
+ python-version: "3.13"
+ uv-resolution: highest
+ deprecated-tests: "no-deprecation"
+ without-httpx2: true
- os: ubuntu-latest
python-version: "3.14"
coverage: coverage
@@ -129,15 +134,19 @@ jobs:
- name: Install deprecated libraries just for testing
if: matrix.deprecated-tests == 'test-deprecation'
run: uv pip install orjson ujson
+ - name: Uninstall httpx2 to run tests with httpx
+ if: matrix.without-httpx2 == 'true'
+ run: uv pip uninstall httpx2
- name: Reinstall SQLAlchemy without Cython extensions
if: matrix.python-version == '3.14t' && matrix.os == 'ubuntu-latest'
run: "DISABLE_SQLALCHEMY_CEXT=1 uv pip install --force-reinstall --no-binary :all: sqlalchemy"
- run: mkdir coverage
- name: Test
- run: uv run --no-sync bash scripts/test-cov.sh
+ run: uv run --no-sync bash scripts/test-cov.sh $PYTEST_OPTIONS
env:
COVERAGE_FILE: coverage/.coverage.${{ runner.os }}-py${{ matrix.python-version }}-${{ matrix.deprecated-tests}}
CONTEXT: ${{ runner.os }}-py${{ matrix.python-version }}-${{ matrix.deprecated-tests}}
+ PYTEST_OPTIONS: ${{ (matrix.without-httpx2 == 'true') && '-W ignore::UserWarning' || '' }}
# Do not store coverage for all possible combinations to avoid file size max errors in Smokeshow
- name: Store coverage files
if: matrix.coverage == 'coverage'
diff --git a/.gitignore b/.gitignore
index 243cdb93a5..2c0d859ad7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@ __pycache__
htmlcov
dist
site
+site_zensical_src
.coverage*
coverage.xml
.netlify
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
deleted file mode 100644
index 7b94527252..0000000000
--- a/CONTRIBUTING.md
+++ /dev/null
@@ -1 +0,0 @@
-Please read the [Development - Contributing](https://fastapi.tiangolo.com/contributing/) guidelines in the documentation site.
diff --git a/README.md b/README.md
index 97f7944754..eb0368762b 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ The key features are:
+
diff --git a/SECURITY.md b/SECURITY.md
deleted file mode 100644
index 87e87e0ca1..0000000000
--- a/SECURITY.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# Security Policy
-
-Security is very important for FastAPI and its community. 🔒
-
-Learn more about it below. 👇
-
-## Versions
-
-The latest version of FastAPI is supported.
-
-You are encouraged to [write tests](https://fastapi.tiangolo.com/tutorial/testing/) for your application and update your FastAPI version frequently after ensuring that your tests are passing. This way you will benefit from the latest features, bug fixes, and **security fixes**.
-
-You can learn more about [FastAPI versions and how to pin and upgrade them](https://fastapi.tiangolo.com/deployment/versions/) for your project in the docs.
-
-## Reporting a Vulnerability
-
-If you think you found a vulnerability, and even if you are not sure about it, please report it right away by sending an email to: security@tiangolo.com. Please try to be as explicit as possible, describing all the steps and example code to reproduce the security issue.
-
-I (the author, [@tiangolo](https://x.com/tiangolo)) will review it thoroughly and get back to you.
-
-## Public Discussions
-
-Please restrain from publicly discussing a potential security vulnerability. 🙊
-
-It's better to discuss privately and try to find a solution first, to limit the potential impact as much as possible.
-
----
-
-Thanks for your help!
-
-The FastAPI community and I thank you for that. 🙇
diff --git a/docs/de/docs/advanced/generate-clients.md b/docs/de/docs/advanced/generate-clients.md
index 12ba4072c4..4eab5bcb6f 100644
--- a/docs/de/docs/advanced/generate-clients.md
+++ b/docs/de/docs/advanced/generate-clients.md
@@ -30,7 +30,6 @@ Ihr Sponsoring zeigt auch ein starkes Engagement für die FastAPI-**Community**
Zum Beispiel könnten Sie ausprobieren:
-* [Speakeasy](https://speakeasy.com/editor?utm_source=fastapi+repo&utm_medium=github+sponsorship)
* [Stainless](https://www.stainless.com/?utm_source=fastapi&utm_medium=referral)
* [liblab](https://developers.liblab.com/tutorials/sdk-for-fastapi?utm_source=fastapi)
diff --git a/docs/de/docs/index.md b/docs/de/docs/index.md
index d2c2829591..d557554a12 100644
--- a/docs/de/docs/index.md
+++ b/docs/de/docs/index.md
@@ -1,3 +1,8 @@
+---
+include_yaml:
+ sponsors: data/sponsors.yml
+---
+
# FastAPI { #fastapi }