Chore: Update DevOps tooling from central repository [skip ci]

.github/workflows/bootstrap.yaml

@@ -212,7 +212,6 @@ jobs:
             git branch -D "$AUTOMATION_BRANCH" || :
             git checkout -b "$AUTOMATION_BRANCH"
           else
-            # The -B flag swaps branch and creates it if NOT present
             git fetch origin "$AUTOMATION_BRANCH"
             git switch -c "$AUTOMATION_BRANCH" "origin/$AUTOMATION_BRANCH"
           fi

.github/workflows/builds.yaml

@@ -10,22 +10,34 @@ on:
       - "*"
       - "!update-devops-tooling"
 
+env:
+  package-path: "dist/"
+
 jobs:
-  parse-project-metadata:
-    name: "Determine Python versions"
-    # yamllint disable-line rule:line-length
-    uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
+  get-python-versions:
+    name: "Validate Python project"
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}
+
+    steps:
+      - uses: actions/checkout@v4
 
-  test-builds:
-    name: "Build: Python"
-    needs: [parse-project-metadata]
+      - name: "Parse: pyproject.toml"
+        id: parse-project-metadata
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main
+
+  builds:
+    name: "Python builds"
+    needs: [get-python-versions]
     runs-on: "ubuntu-latest"
     continue-on-error: true
     # Don't run when pull request is merged
     if: github.event.pull_request.merged == false
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}
 
     steps:
       - name: "Populate environment variables"
@@ -81,8 +93,8 @@ jobs:
             python -m build
           fi
 
-      - name: "Validating Artefacts with Twine"
-        run: |
-          echo "Validating artefacts with: twine check dist/*"
-          pip install --upgrade twine
-          twine check dist/*
+      - name: "Validate Artefacts with Twine"
+        id: twine-check-artefacts
+        env:
+          package-path: ${{ env.package-path }}
+        uses: os-climate/devops-reusable-workflows/.github/actions/twine-check-artefacts@main

.github/workflows/release.yaml

@@ -1,17 +1,13 @@
 ---
-name: "🐍📦 Production build and release"
+name: "🐍📦 Old Production build and release"
 
 # GitHub/PyPI trusted publisher documentation:
 # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
 
 # yamllint disable-line rule:truthy
 on:
-  # workflow_dispatch:
   push:
     # Only invoked on release tag pushes
-    branches:
-      - 'main'
-      - 'master'
     tags:
       - 'v*.*.*'
 
@@ -28,8 +24,9 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     permissions:
-      # IMPORTANT: mandatory for Sigstore
+      contents: write
       id-token: write
+
     steps:
       ### BUILDING ###
 
@@ -44,10 +41,20 @@ jobs:
       - name: "Setup PDM for build commands"
         uses: pdm-project/setup-pdm@v4
 
+      - name: "Fetch current semantic tag"
+        id: fetch-tags
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/latest-semantic-tag@main
+
       - name: "Update version from tags for production release"
         run: |
-          echo "Github versioning: ${{ github.ref_name }}"
-          scripts/release-versioning.sh
+          echo "Github tag/versioning: ${{ github.ref_name }}"
+          if (grep 'dynamic = \[\"version\"\]' pyproject.toml > /dev/null); then
+            echo "Proceeding build with dynamic versioning"
+          else
+            echo "Using legacy script to bump release version"
+            scripts/release-versioning.sh
+          fi
 
       - name: "Build with PDM backend"
         run: |
@@ -56,7 +63,8 @@ jobs:
       ### SIGNING ###
 
       - name: "Sign packages with Sigstore"
-        uses: sigstore/gh-action-sigstore-python@v2
+        # Use new action
+        uses: sigstore/[email protected]
         with:
           inputs: >-
             ./dist/*.tar.gz
@@ -72,8 +80,6 @@ jobs:
 
   github:
     name: "📦 Publish to GitHub"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
     needs:
       - build
     runs-on: ubuntu-latest
@@ -94,20 +100,17 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           prerelease: false
           tag_name: ${{ github.ref_name }}
-          name: "Test/Development Build \
-            ${{ github.ref_name }}"
+          name: ${{ github.ref_name }}"
           # body_path: ${{ github.workspace }}/CHANGELOG.rst
           files: |
             dist/*.tar.gz
             dist/*.whl
-            dist/*.sigstore
+            dist/*.sigstore*
 
   ### PUBLISH PYPI TEST ###
 
   testpypi:
-    name: "📦 Publish to PyPi Test"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
+    name: "📦 Test publishing to PyPI"
     needs:
       - build
     runs-on: ubuntu-latest
@@ -128,9 +131,9 @@ jobs:
           if [ -f dist/buildvars.txt ]; then
             rm dist/buildvars.txt
           fi
-          rm dist/*.sigstore
+          rm dist/*.sigstore*
 
-      - name: Publish distribution to Test PyPI
+      - name: "Test publishing to PyPI"
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           repository-url: https://test.pypi.org/legacy/
@@ -140,8 +143,6 @@ jobs:
 
   pypi:
     name: "📦 Publish to PyPi"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
     needs:
       - testpypi
     runs-on: ubuntu-latest
@@ -162,7 +163,7 @@ jobs:
           if [ -f dist/buildvars.txt ]; then
             rm dist/buildvars.txt
           fi
-          rm dist/*.sigstore
+          rm dist/*.sigstore*
 
       - name: "Setup PDM for build commands"
         uses: pdm-project/setup-pdm@v4

.github/workflows/security.yaml

@@ -16,21 +16,29 @@ on:
       - "!update-devops-tooling"
 
 jobs:
+  get-python-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}
+
+    steps:
+      - uses: actions/checkout@v4
 
-  parse-project-metadata:
-    name: "Determine Python versions"
-    # yamllint disable-line rule:line-length
-    uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
+      - name: "Populate environment variables"
+        id: parse-project-metadata
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main
 
-  build:
-    name: "Audit Python dependencies"
-    needs: [parse-project-metadata]
-    runs-on: ubuntu-latest
+  builds:
+    name: "Python builds"
+    needs: [get-python-versions]
+    runs-on: "ubuntu-latest"
+    continue-on-error: true
     # Don't run when pull request is merged
     if: github.event.pull_request.merged == false
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}
 
     steps:
       - name: "Checkout repository"

.github/workflows/testing.yaml

@@ -11,21 +11,28 @@ on:
       - "!update-devops-tooling"
 
 jobs:
+  get-python-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}
+
+    steps:
+      - uses: actions/checkout@v4
 
-  parse-project-metadata:
-    name: "Determine Python versions"
-    # yamllint disable-line rule:line-length
-    uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
+      - name: "Populate environment variables"
+        id: parse-project-metadata
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main
 
   testing:
     name: "Run unit tests"
-    needs: [parse-project-metadata]
+    needs: [get-python-versions]
     runs-on: ubuntu-latest
     # Don't run when pull request is merged
     if: github.event.pull_request.merged == false
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}
 
     steps:
       - name: "Checkout repository"

.pre-commit-config.yaml

@@ -1,9 +1,6 @@
 ---
 ci:
   autofix_commit_msg: "Chore: pre-commit autoupdate"
-  skip:
-    # pre-commit.ci cannot install WGET, so tomlint must be disabled
-    - tomllint
 
 exclude: |
   (?x)^(
@@ -13,21 +10,10 @@ exclude: |
 
 repos:
 
-  - repo: local
-    hooks:
-      - id: tomllint
-        name: "Script: scripts/tomllint.sh"
-        language: script
-        # pass_filenames: false
-        files: \^*.toml
-        types: [file]
-        entry: scripts/tomllint.sh .
-
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.6.0
     hooks:
       - id: check-added-large-files
-      - id: check-ast
       - id: check-case-conflict
       - id: check-executables-have-shebangs
       - id: check-json
@@ -38,17 +24,15 @@ repos:
       # - id: detect-aws-credentials
       - id: check-xml
       - id: check-yaml
-      - id: debug-statements
       - id: detect-private-key
       - id: end-of-file-fixer
-      - id: mixed-line-ending
-        args: ["--fix=lf"]
+      # - id: mixed-line-ending
+      #  args: ["--fix=lf"]
       - id: name-tests-test
         args: ["--pytest-test-first"]
       - id: no-commit-to-branch
       # - id: pretty-format-json
       - id: requirements-txt-fixer
-      - id: trailing-whitespace
 
   - repo: https://github.com/pre-commit/mirrors-prettier
     rev: v4.0.0-alpha.8
@@ -78,47 +62,36 @@ repos:
     rev: v0.10.0.1
     hooks:
       - id: shellcheck
-
-  - repo: https://github.com/pycqa/pydocstyle.git
-    rev: 6.3.0
-    hooks:
-      - id: pydocstyle
-        additional_dependencies: ["tomli"]
+        args: ["-x"]  # Check external files
 
   - repo: https://github.com/Mateusz-Grzelinski/actionlint-py
     rev: v1.7.1.15
     hooks:
       - id: actionlint
 
-  - repo: https://github.com/pycqa/flake8
-    rev: "7.1.0"
-    hooks:
-      - id: flake8
-        additional_dependencies:
-        - pep8-naming
-
   - repo: https://github.com/adrienverge/yamllint.git
     rev: v1.35.1
     hooks:
       - id: yamllint
-        args: [ "-d", "{rules: {line-length: {max: 120}}, ignore-from-file: [.gitignore],}", ]
+        args:
+          ["-d", "{rules: {line-length: {max: 120}},
+          ignore-from-file: [.gitignore],}"]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: v0.5.4
     hooks:
       - id: ruff
-        files: ^(scripts|tests|custom_components)/.+\.py$
-        args: [--fix, --exit-non-zero-on-fix]
+        args: [--fix, --exit-non-zero-on-fix, --config=pyproject.toml]
       - id: ruff-format
-        files: ^(scripts|tests|custom_components)/.+\.py$
 
   - repo: local
     hooks:
       - id: mypy-cache
         name: "create mypy cache"
         language: system
         pass_filenames: false
-        entry: bash -c 'if [ ! -d .mypy_cache ]; then /bin/mkdir .mypy_cache; fi; exit 0'
+        entry: bash -c 'if [ ! -d .mypy_cache ];
+          then /bin/mkdir .mypy_cache; fi; exit 0'
 
   - repo: https://github.com/pre-commit/mirrors-mypy
     rev: "v1.11.0"
@@ -128,22 +101,17 @@ repos:
         args: ["--show-error-codes", "--install-types", "--non-interactive"]
         additional_dependencies: ["pytest", "types-requests"]
 
+# yamllint disable rule:comments-indentation
   # Check for misspellings in documentation files
   # - repo: https://github.com/codespell-project/codespell
   #   rev: v2.2.2
   #   hooks:
-  #   - id: codespell
-
-  # To embrace black styles, even in docs
-  # - repo: https://github.com/asottile/blacken-docs
-  #   rev: v1.13.0
-  #   hooks:
-  #   - id: blacken-docs
-  #     additional_dependencies: [black]
+  #     - id: codespell
 
   # Automatically upgrade Python syntax for newer versions
   # - repo: https://github.com/asottile/pyupgrade
   #   rev: v3.15.0
   #   hooks:
   #     - id: pyupgrade
   #       args: ['--py37-plus']
+# yamllint enable rule:comments-indentation