DM-43846: Prepare 1.7.1 release #392

	name: CI

	"on":
	push:
	branches-ignore:
	# These should always correspond to pull requests, so ignore them for
	# the push trigger and let them be triggered by the pull_request
	# trigger, avoiding running the workflow twice. This is a minor
	# optimization so there's no need to ensure this is comprehensive.
	- "dependabot/**"
	- "renovate/**"
	- "tickets/**"
	- "u/**"
	tags:
	- "*"
	pull_request: {}

	jobs:
	lint:
	runs-on: ubuntu-latest
	timeout-minutes: 5

	steps:
	- uses: actions/checkout@v4

	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: "3.12"

	- name: Run pre-commit
	uses: pre-commit/action@v3.0.1

	test:
	runs-on: ubuntu-latest
	timeout-minutes: 10

	strategy:
	matrix:
	python:
	- "3.12"

	steps:
	- uses: actions/checkout@v4

	- name: Run tox
	uses: lsst-sqre/run-tox@v1
	with:
	python-version: ${{ matrix.python }}
	tox-envs: "py,coverage-report,typing"
	tox-plugins: tox-uv

	build:
	runs-on: ubuntu-latest
	needs: [lint, test]
	timeout-minutes: 10

	# Only do Docker builds of tagged releases and pull requests from ticket
	# branches. This will still trigger on pull requests from untrusted
	# repositories whose branch names match our tickets/* branch convention,
	# but in this case the build will fail with an error since the secret
	# won't be set.
	if: >
	startsWith(github.ref, 'refs/tags/')
	\|\| startsWith(github.head_ref, 'tickets/')

	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- uses: lsst-sqre/build-and-push-to-ghcr@v1
	id: build
	with:
	image: ${{ github.repository }}
	github_token: ${{ secrets.GITHUB_TOKEN }}

Provide feedback