bckohan
diff --git a/‎.github/dependabot.yml‎
Lines changed: 12 additions & 2 deletions b/‎.github/dependabot.yml‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎.github/workflows/lint.yml‎
Lines changed: 24 additions & 18 deletions b/‎.github/workflows/lint.yml‎
Lines changed: 24 additions & 18 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 144 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 144 additions & 0 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 61 additions & 0 deletions b/‎.github/workflows/scorecard.yml‎
Lines changed: 61 additions & 0 deletions
@@ -5,7 +5,17 @@
 
 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
       interval: "daily"
+    commit-message:
+      prefix: ⬆
+  # Python
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: ⬆
@@ -1,14 +1,19 @@
-name: lint
+name: Lint
 
+permissions:
+  contents: read
+  
 on:
   push:
   pull_request:
+  workflow_call:
   workflow_dispatch:
     inputs:
       debug:
-        description: 'Set to on, to open ssh debug session.'
+        description: 'Open ssh debug session.'
         required: true
-        default: 'off'
+        default: false
+        type: boolean
 
 jobs:
 
@@ -17,37 +22,38 @@ jobs:
     strategy:
       matrix:
         # run static analysis on bleeding and trailing edges
-        python-version: [ '3.8', '3.10', '3.12', '3.13.0-rc.1' ]
+        python-version: [ '3.8', '3.10', '3.13' ]
 
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install Poetry
-        uses: snok/install-poetry@v1
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
         with:
-          virtualenvs-create: true
-          virtualenvs-in-project: true
+          enable-cache: true
+      - name: Install Just
+        uses: extractions/setup-just@v2
       - name: Install Dependencies
         run: |
-          poetry config virtualenvs.in-project true
-          poetry run pip install --upgrade pip
-          poetry install
+          just setup ${{ steps.sp.outputs.python-path }}
+          just install-docs
       - name: Install Emacs
-        if: ${{ github.event.inputs.debug == 'on' }}
+        if: ${{ github.event.inputs.debug == 'true' }}
         run: |
           sudo apt install emacs
       - name: Setup tmate session
-        if: ${{ github.event.inputs.debug == 'on' }}
-        uses: mxschmitt/action-tmate@v3
+        if: ${{ github.event.inputs.debug == 'true' }}
+        uses: mxschmitt/action-tmate@v3.19
         with:
           detached: true
         timeout-minutes: 60
       - name: Run Static Analysis
         run: |
-          source .venv/bin/activate
-          ./check.sh --no-fix
-          python -m readme_renderer ./README.md -o /tmp/README.html
-          echo "$(poetry env info --path)/bin" >> $GITHUB_PATH
+          just check-lint
+          just check-format
+          just check-types
+          just check-package
+          just check-readme
@@ -0,0 +1,144 @@
+
+name: Publish Release
+
+permissions: read-all
+
+concurrency:
+  # stop previous release runs if tag is recreated
+  group: release-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    tags:
+      - 'v*'  # only publish on version tags (e.g. v1.0.0)
+
+jobs:
+
+  lint:
+    permissions:
+      contents: read
+      actions: write
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit
+
+  test:
+    permissions:
+      contents: read
+      actions: write
+    uses: ./.github/workflows/test.yml
+    secrets: inherit
+
+  build:
+    name: Build Package
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
+    outputs:
+      PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }}
+      RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }}
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ">=3.11"  # for tomlib
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        enable-cache: true
+    - name: Setup Just
+      uses: extractions/setup-just@v2
+    - name: Verify Tag
+      run: |
+        TAG_NAME=${GITHUB_REF#refs/tags/}
+        echo "Verifying tag $TAG_NAME..."
+        # if a tag was deleted and recreated we may have the old one cached
+        # be sure that we're publishing the current tag!
+        git fetch --force origin refs/tags/$TAG_NAME:refs/tags/$TAG_NAME
+
+        # verify signature
+        curl -sL https://github.com/${{ github.actor }}.gpg | gpg --import 
+        git tag -v "$TAG_NAME"
+
+        # verify version
+        RELEASE_VERSION=$(just validate_version $TAG_NAME)
+
+        # export the release version
+        echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV 
+    - name: Build the binary wheel and a source tarball
+      run: just build
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Set Package Name
+      id: set-package
+      run:
+        PACKAGE_NAME=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['name'])")
+        echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_ENV
+
+  publish-to-pypi:
+    name: Publish to PyPI
+    needs:
+      - lint
+      - test
+      - build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/${{ needs.build.outputs.PACKAGE_NAME }}
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution 📦 to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1.12
+
+  github-release:
+    name: Publish GitHub Release
+    runs-on: ubuntu-latest
+    needs:
+      - lint
+      - test
+      - build
+    permissions:
+      contents: write  # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write  # IMPORTANT: mandatory for sigstore
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Sign the dists with Sigstore
+      uses: sigstore/gh-action-sigstore-python@v3.0.0
+      with:
+        inputs: >-
+          ./dist/*.tar.gz
+          ./dist/*.whl
+    - name: Create GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: >-
+        gh release create
+        '${{ github.ref_name }}'
+        --repo '${{ github.repository }}'
+        --generate-notes
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      # Upload to GitHub Release using the `gh` CLI.
+      # `dist/` contains the built packages, and the
+      # sigstore-produced signatures and certificates.
+      run: >-
+        gh release upload
+        '${{ github.ref_name }}' dist/**
+        --repo '${{ github.repository }}'
@@ -0,0 +1,61 @@
+name: OpenSSF Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  push:
+    branches: [ main ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif