Chore: Update DevOps tooling from central repository [skip ci]

.github/workflows/bootstrap.yaml

@@ -212,8 +212,8 @@ jobs:
             git branch -D "$AUTOMATION_BRANCH" || :
             git checkout -b "$AUTOMATION_BRANCH"
           else
-            # The -B flag swaps branch and creates it if NOT present
-            git checkout -B "$AUTOMATION_BRANCH"
+            git fetch origin "$AUTOMATION_BRANCH"
+            git switch -c "$AUTOMATION_BRANCH" "origin/$AUTOMATION_BRANCH"
           fi
 
           # Only if NOT running in GitHub

.github/workflows/builds.yaml

@@ -10,22 +10,34 @@ on:
       - "*"
       - "!update-devops-tooling"
 
+env:
+  package-path: "dist/"
+
 jobs:
-  parse-project-metadata:
-    name: "Determine Python versions"
-    # yamllint disable-line rule:line-length
-    uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
+  get-python-versions:
+    name: "Validate Python project"
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}
+
+    steps:
+      - uses: actions/checkout@v4
 
-  test-builds:
-    name: "Build: Python"
-    needs: [parse-project-metadata]
+      - name: "Parse: pyproject.toml"
+        id: parse-project-metadata
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main
+
+  builds:
+    name: "Python builds"
+    needs: [get-python-versions]
     runs-on: "ubuntu-latest"
     continue-on-error: true
     # Don't run when pull request is merged
     if: github.event.pull_request.merged == false
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}
 
     steps:
       - name: "Populate environment variables"
@@ -81,8 +93,8 @@ jobs:
             python -m build
           fi
 
-      - name: "Validating Artefacts with Twine"
-        run: |
-          echo "Validating artefacts with: twine check dist/*"
-          pip install --upgrade twine
-          twine check dist/*
+      - name: "Validate Artefacts with Twine"
+        id: twine-check-artefacts
+        env:
+          package-path: ${{ env.package-path }}
+        uses: os-climate/devops-reusable-workflows/.github/actions/twine-check-artefacts@main

.github/workflows/codeql.yml

@@ -0,0 +1,83 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "🔐 CodeQL"
+
+on:
+  push:
+    branches: [ "main", "gh-pages", "master" ]
+  pull_request:
+    branches: [ "main", "gh-pages", "master" ]
+  schedule:
+    - cron: '39 20 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: python
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language':
+        #  'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/release.yaml

@@ -1,17 +1,13 @@
 ---
-name: "🐍📦 Production build and release"
+name: "🐍📦 Old Production build and release"
 
 # GitHub/PyPI trusted publisher documentation:
 # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
 
 # yamllint disable-line rule:truthy
 on:
-  # workflow_dispatch:
   push:
     # Only invoked on release tag pushes
-    branches:
-      - 'main'
-      - 'master'
     tags:
       - 'v*.*.*'
 
@@ -28,8 +24,9 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     permissions:
-      # IMPORTANT: mandatory for Sigstore
+      contents: write
       id-token: write
+
     steps:
       ### BUILDING ###
 
@@ -44,10 +41,20 @@ jobs:
       - name: "Setup PDM for build commands"
         uses: pdm-project/setup-pdm@v4
 
+      - name: "Fetch current semantic tag"
+        id: fetch-tags
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/latest-semantic-tag@main
+
       - name: "Update version from tags for production release"
         run: |
-          echo "Github versioning: ${{ github.ref_name }}"
-          scripts/release-versioning.sh
+          echo "Github tag/versioning: ${{ github.ref_name }}"
+          if (grep 'dynamic = \[\"version\"\]' pyproject.toml > /dev/null); then
+            echo "Proceeding build with dynamic versioning"
+          else
+            echo "Using legacy script to bump release version"
+            scripts/release-versioning.sh
+          fi
 
       - name: "Build with PDM backend"
         run: |
@@ -56,7 +63,8 @@ jobs:
       ### SIGNING ###
 
       - name: "Sign packages with Sigstore"
-        uses: sigstore/gh-action-sigstore-python@v2
+        # Use new action
+        uses: sigstore/[email protected]
         with:
           inputs: >-
             ./dist/*.tar.gz
@@ -72,8 +80,6 @@ jobs:
 
   github:
     name: "📦 Publish to GitHub"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
     needs:
       - build
     runs-on: ubuntu-latest
@@ -94,20 +100,17 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           prerelease: false
           tag_name: ${{ github.ref_name }}
-          name: "Test/Development Build \
-            ${{ github.ref_name }}"
+          name: ${{ github.ref_name }}"
           # body_path: ${{ github.workspace }}/CHANGELOG.rst
           files: |
             dist/*.tar.gz
             dist/*.whl
-            dist/*.sigstore
+            dist/*.sigstore*
 
   ### PUBLISH PYPI TEST ###
 
   testpypi:
-    name: "📦 Publish to PyPi Test"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
+    name: "📦 Test publishing to PyPI"
     needs:
       - build
     runs-on: ubuntu-latest
@@ -128,9 +131,9 @@ jobs:
           if [ -f dist/buildvars.txt ]; then
             rm dist/buildvars.txt
           fi
-          rm dist/*.sigstore
+          rm dist/*.sigstore*
 
-      - name: Publish distribution to Test PyPI
+      - name: "Test publishing to PyPI"
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           repository-url: https://test.pypi.org/legacy/
@@ -140,8 +143,6 @@ jobs:
 
   pypi:
     name: "📦 Publish to PyPi"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
     needs:
       - testpypi
     runs-on: ubuntu-latest
@@ -162,7 +163,7 @@ jobs:
           if [ -f dist/buildvars.txt ]; then
             rm dist/buildvars.txt
           fi
-          rm dist/*.sigstore
+          rm dist/*.sigstore*
 
       - name: "Setup PDM for build commands"
         uses: pdm-project/setup-pdm@v4

.github/workflows/security.yaml

@@ -16,21 +16,29 @@ on:
       - "!update-devops-tooling"
 
 jobs:
+  get-python-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}
+
+    steps:
+      - uses: actions/checkout@v4
 
-  parse-project-metadata:
-    name: "Determine Python versions"
-    # yamllint disable-line rule:line-length
-    uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
+      - name: "Populate environment variables"
+        id: parse-project-metadata
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main
 
-  build:
-    name: "Audit Python dependencies"
-    needs: [parse-project-metadata]
-    runs-on: ubuntu-latest
+  builds:
+    name: "Python builds"
+    needs: [get-python-versions]
+    runs-on: "ubuntu-latest"
+    continue-on-error: true
     # Don't run when pull request is merged
     if: github.event.pull_request.merged == false
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}
 
     steps:
       - name: "Checkout repository"
@@ -57,4 +65,4 @@ jobs:
           pdm list --graph
 
       - name: "Run: pip-audit"
-        uses: pypa/gh-action-pip-audit@v1.1.0
+        uses: pypa/gh-action-pip-audit@v1.0.8

.github/workflows/testing.yaml

@@ -11,21 +11,28 @@ on:
       - "!update-devops-tooling"
 
 jobs:
+  get-python-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}
+
+    steps:
+      - uses: actions/checkout@v4
 
-  parse-project-metadata:
-    name: "Determine Python versions"
-    # yamllint disable-line rule:line-length
-    uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
+      - name: "Populate environment variables"
+        id: parse-project-metadata
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main
 
   testing:
     name: "Run unit tests"
-    needs: [parse-project-metadata]
+    needs: [get-python-versions]
     runs-on: ubuntu-latest
     # Don't run when pull request is merged
     if: github.event.pull_request.merged == false
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}
 
     steps:
       - name: "Checkout repository"