learningequality · marcellamaki · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,20 +4,29 @@ version: 2
 updates:
 
   # Maintain dependencies for Python
-  - package-ecosystem: "pip"
+  - package-ecosystem: "uv"
     directory: "/"
     schedule:
-      interval: "weekly"
-      day: "wednesday"
+      interval: "monthly"
       time: "00:00"
+    cooldown:
+      default-days: 7
 
   # Maintain dependencies for Javascript
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
-      interval: "weekly"
-      day: "wednesday"
+      interval: "monthly"
       time: "00:00"
+    cooldown:
+      default-days: 7
+      exclude:
+        - kolibri-build
+        - kolibri-constants
+        - kolibri-design-system
+        - kolibri-format
+        - kolibri-i18n
+        - kolibri-logging
     groups:
       babel:
         patterns:
@@ -33,9 +42,10 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
-      day: "wednesday"
+      interval: "monthly"
       time: "00:00"
+    cooldown:
+      default-days: 7
     groups:
       github:
         patterns:

diff --git a/.github/workflows/call-contributor-pr-reply.yml b/.github/workflows/call-contributor-pr-reply.yml
@@ -0,0 +1,12 @@
+name: Send reply on a new contributor pull request
+on:
+  pull_request_target:
+    types: [opened]
+jobs:
+  call-workflow:
+    name: Call shared workflow
+    uses: learningequality/.github/.github/workflows/contributor-pr-reply.yml@main
+    secrets:
+      LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }}
+      LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }}
+      SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL: ${{ secrets.SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL }}
@@ -4,6 +4,8 @@
    types: [opened]
 jobs:
  call-workflow:
+    permissions:
+      contents: read
    name: Call shared workflow
    uses: learningequality/.github/.github/workflows/contributor-pr-reply.yml@main
    secrets:
@@ -4,6 +4,8 @@
    types: [opened]
 jobs:
  call-workflow:
+    permissions:
+      contents: read
    name: Call shared workflow
    uses: learningequality/.github/.github/workflows/contributor-pr-reply.yml@main
    secrets:
diff --git a/.github/workflows/call-pull-request-target.yml b/.github/workflows/call-pull-request-target.yml
@@ -0,0 +1,11 @@
+name: Handle pull request events
+on:
+  pull_request_target:
+    types: [review_requested, labeled]
+jobs:
+  call-workflow:
+    name: Call shared workflow
+    uses: learningequality/.github/.github/workflows/pull-request-target.yml@main
+    secrets:
+      LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }}
+      LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }}
@@ -1,4 +1,6 @@
 name: Handle pull request events
+permissions:
+  contents: read
 on:
  pull_request_target:
    types: [review_requested, labeled]
@@ -1,4 +1,6 @@
 name: Handle pull request events
+permissions:
+  contents: read
 on:
  pull_request_target:
    types: [review_requested, labeled]
diff --git a/.github/workflows/update-pr-spreadsheet.yml → .../workflows/call-update-pr-spreadsheet.yml b/.github/workflows/update-pr-spreadsheet.yml → .../workflows/call-update-pr-spreadsheet.yml
@@ -1,12 +1,15 @@
 name: Update community pull requests spreadsheet
 on:
   pull_request_target:
-    types: [assigned,unassigned,opened,closed,reopened]
+    types: [assigned, unassigned, opened, closed, reopened, edited, review_requested, review_request_removed]
 
 jobs:
-  call-update-spreadsheet:
+  call-workflow:
+    name: Call shared workflow
     uses: learningequality/.github/.github/workflows/update-pr-spreadsheet.yml@main
     secrets:
+      LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }}
+      LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }}
       CONTRIBUTIONS_SPREADSHEET_ID: ${{ secrets.CONTRIBUTIONS_SPREADSHEET_ID }}
       CONTRIBUTIONS_SHEET_NAME: ${{ secrets.CONTRIBUTIONS_SHEET_NAME }}
       GH_UPLOADER_GCP_SA_CREDENTIALS: ${{ secrets.GH_UPLOADER_GCP_SA_CREDENTIALS }}
diff --git a/.github/workflows/containerbuild.yml b/.github/workflows/containerbuild.yml
@@ -32,32 +32,32 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout codebase
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@v4
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v4
 
     - name: Log in to Docker Hub
       if: github.event_name != 'pull_request'
-      uses: docker/login-action@v3
+      uses: docker/login-action@v4
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Extract metadata (tags, labels) for Docker
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@v6
       with:
         images: ghcr.io/learningequality/postgres
       env:
         DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
     - name: Build and push Docker image
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@v7
       with:
         context: ./docker
         file: ./docker/Dockerfile.postgres.dev
@@ -88,16 +88,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout codebase
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@v4
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v4
 
     - name: Build Docker image
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@v7
       with:
         context: ./
         file: ./docker/Dockerfile.nginx.prod

diff --git a/.github/workflows/deploytest.yml b/.github/workflows/deploytest.yml
@@ -27,11 +27,11 @@ jobs:
     if: ${{ needs.pre_job.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Use pnpm
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@v5
     - name: Use Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '20.x'
         cache: 'pnpm'
@@ -47,29 +47,21 @@ jobs:
     if: ${{ needs.pre_job.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - name: Set up Python 3.10
-      uses: actions/setup-python@v5
+    - uses: actions/checkout@v6
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
       with:
         python-version: '3.10'
-    - name: pip cache
-      uses: actions/cache@v4
-      with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pyprod-${{ hashFiles('requirements.txt') }}
-        restore-keys: |
-          ${{ runner.os }}-pyprod-
-    - name: Install pip-tools and python dependencies
+        activate-environment: "true"
+        enable-cache: "true"
+    - name: Install python dependencies with uv
       run: |
-        # Pin pip to 25.2 to avoid incompatibility with pip-tools and 25.3
-        # see https://github.com/jazzband/pip-tools/issues/2252
-        python -m pip install pip==25.2
-        pip install pip-tools
-        pip-sync requirements.txt
+        # Use uv to install dependencies directly from requirements files
+        uv pip sync requirements.txt
     - name: Use pnpm
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@v5
     - name: Use Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '20.x'
         cache: 'pnpm'

diff --git a/.github/workflows/frontendtest.yml b/.github/workflows/frontendtest.yml
@@ -27,11 +27,11 @@ jobs:
     if: ${{ needs.pre_job.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Use pnpm
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@v5
     - name: Use Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '20.x'
         cache: 'pnpm'

diff --git a/.github/workflows/i18n-download.yml b/.github/workflows/i18n-download.yml
@@ -0,0 +1,87 @@
+name: Download translations from Crowdin
+
+on:
+  workflow_dispatch:
+
+jobs:
+  download:
+    name: Download translations and update files
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          python-version: '3.10'
+          activate-environment: "true"
+          enable-cache: "true"
+
+      - name: Install Python dependencies
+        run: uv pip sync requirements.txt
+
+      - name: Use pnpm
+        uses: pnpm/action-setup@v5
+
+      - name: Use Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20.x'
+          cache: 'pnpm'
+
+      - name: Setup Java for crowdin-cli
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Install gettext
+        run: sudo apt-get update && sudo apt-get install -y gettext
+
+      - name: Install JavaScript dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Download translations
+        env:
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_API_KEY }}
+        run: make i18n-download
+
+      - name: Generate App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.LE_BOT_APP_ID }}
+          private-key: ${{ secrets.LE_BOT_PRIVATE_KEY }}
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v8
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          commit-message: |
+            Update translations from Crowdin
+
+            This includes:
+            - Updated translation files (.po and .json)
+            - Compiled Django messages (.mo files)
+            - Updated frontend i18n files
+          branch: i18n-update-${{ github.ref_name }}
+          base: ${{ github.ref_name }}
+          delete-branch: true
+          title: 'Update translations from Crowdin for ${{ github.ref_name }}'
+          body: |
+            ## Summary of changes
+
+            This PR updates translations downloaded from Crowdin.
+
+            ### Changes included:
+            - Updated translation files (`.po` and `.json`)
+            - Compiled Django messages (`.mo` files)
+            - Updated frontend i18n files
+
+            ### Testing checklist:
+            - [ ] Verify that translations are not obviously empty or untranslated in the message files
+            - [ ] Switch to a few different languages and navigate the app
+          labels: |
+            i18n
+            TAG: user strings
@@ -3,6 +3,10 @@
 on:
  workflow_dispatch:
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  download:
    name: Download translations and update files
@@ -3,6 +3,10 @@
 on:
  workflow_dispatch:

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  download:
    name: Download translations and update files
diff --git a/.github/workflows/i18n-upload.yml b/.github/workflows/i18n-upload.yml
@@ -0,0 +1,50 @@
+name: Upload translations to Crowdin
+
+on:
+  workflow_dispatch:
+
+jobs:
+  upload:
+    name: Extract and upload strings to Crowdin
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          python-version: '3.10'
+          activate-environment: "true"
+          enable-cache: "true"
+
+      - name: Install Python dependencies
+        run: uv pip sync requirements.txt
+
+      - name: Use pnpm
+        uses: pnpm/action-setup@v5
+
+      - name: Use Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20.x'
+          cache: 'pnpm'
+
+      - name: Setup Java for crowdin-cli
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Install gettext
+        run: sudo apt-get update && sudo apt-get install -y gettext
+
+      - name: Install JavaScript dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Extract and upload strings to Crowdin
+        env:
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_API_KEY }}
+        run: |
+          make i18n-upload
+          make i18n-pretranslate-approve-all
@@ -3,6 +3,9 @@
 on:
  workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
  upload:
    name: Extract and upload strings to Crowdin
@@ -3,6 +3,9 @@
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  upload:
    name: Extract and upload strings to Crowdin
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -31,14 +31,16 @@ jobs:
     if: ${{ needs.pre_job.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
+    - uses: actions/checkout@v6
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
       with:
         python-version: '3.10'
+        ignore-nothing-to-cache: 'true'
     - name: Use pnpm
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@v5
     - name: Use Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '20.x'
         cache: 'pnpm'