matthewdeanmartin
diff --git a/‎.config/.flake8‎
Lines changed: 0 additions & 11 deletions b/‎.config/.flake8‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎.config/.license_rules‎
Lines changed: 0 additions & 48 deletions b/‎.config/.license_rules‎
Lines changed: 0 additions & 48 deletions
diff --git a/‎.config/requirements-dev.txt‎
Lines changed: 0 additions & 35 deletions b/‎.config/requirements-dev.txt‎
Lines changed: 0 additions & 35 deletions
diff --git a/‎.config/requirements.txt‎
Lines changed: 0 additions & 18 deletions b/‎.config/requirements.txt‎
Lines changed: 0 additions & 18 deletions
diff --git a/‎.config/requirements_for_safety.txt‎
Lines changed: 0 additions & 50 deletions b/‎.config/requirements_for_safety.txt‎
Lines changed: 0 additions & 50 deletions
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 25 additions & 40 deletions b/‎.github/workflows/build.yml‎
Lines changed: 25 additions & 40 deletions
diff --git a/‎.github/workflows/publish_pycodetags_to_pypi.yml‎
Lines changed: 83 additions & 0 deletions b/‎.github/workflows/publish_pycodetags_to_pypi.yml‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎.github/workflows/zizmor.yml‎
Lines changed: 43 additions & 0 deletions b/‎.github/workflows/zizmor.yml‎
Lines changed: 43 additions & 0 deletions
@@ -2,60 +2,45 @@ name: Build and Test
 
 on: [ push ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
-          python-version: '3.11'
-          cache: 'pipenv' # caching pipenv dependencies
-      - name: Install pipenv and pipx
+          python-version: '3.13'
+
+      - name: Install uv and pipx
         run: |
-          pip install pipenv && pip install pipx
+          pip install uv && pip install pipx
 
       - name: Install global dependencies
         run: |
-          pipx install isort && pipx install black && pipx install bandit && pipx install pylint && \
-          pipx install pre-commit && pipx install pygount && pipx install vulture && \
-          pipx install flake8 && \
-          pipx inject flake8 dlint mccabe pyflakes pep8-naming flake8-bugbear && \
-          pipx install "pipenv-to-requirements==0.9.*" && \
-          pipx inject pipenv-to-requirements "pipenv==2022.9.8" && \
-          pipx install safety && pipx install pyupgrade && pipx install poetry
+          pipx install uv && pipx install "coderoller" && \
+          pipx install isort && pipx install black && pipx install bandit && \
+          pipx install pylint && pipx install pre-commit && pipx install poetry && pipx install hatch
 
       - name: Install Dependencies
-        run: pipenv install --dev --skip-lock
+        run: uv sync
 
-      - name: Run nb
-        run: pipenv run nb package
+      - name: Run make check
+        run: chmod +x *.sh && uv run make check
 
-      - name: Upload Package
-        uses: actions/upload-artifact@v3.1.2
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         with:
-          name: packages
-          path: dist/
-          if-no-files-found: error
-          retention-days: 1
+          token: ${{ secrets.CODECOV_TOKEN }}
 
-
-  pypi-publish:
-    name: Upload release to PyPI
-    runs-on: ubuntu-latest
-    environment:
-      name: pypi
-      url: https://pypi.org/p/jiggle-version
-    permissions:
-      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
-    # if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-    steps:
-      - name: Get packages
-        uses: actions/download-artifact@v3.0.2
+      - name: Upload test results to Codecov
+        if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
         with:
-          name: packages
-          path: dist/
-      - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-    needs: build
+          token: ${{ secrets.CODECOV_TOKEN }}
@@ -0,0 +1,83 @@
+# .github/workflows/publish-to-pypi.yml
+
+name: Publish jiggle_version to PyPI
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: '3.13'
+
+      - name: Install uv and pipx
+        run: |
+          pip install uv && pip install pipx
+
+      - name: Install global dependencies
+        run: |
+          pipx install uv && pipx install "coderoller" && \
+          pipx install isort && pipx install black && pipx install bandit && \
+          pipx install pylint && pipx install pre-commit && pipx install poetry && pipx install hatch
+
+      - name: Install Dependencies
+        run: uv sync
+
+      - name: Run make check
+        run: chmod +x *.sh && uv run make check
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Run make publish
+        run: uv run make publish
+
+      - name: Upload Package
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: packages
+          path: dist/
+          if-no-files-found: error
+          retention-days: 1
+
+  pypi-publish:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/jiggle_version
+    permissions:
+      id-token: write
+    needs: build
+    steps:
+      - name: Fail if branch is not main
+        if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main'
+        run: |
+          echo "This workflow should not be triggered with workflow_dispatch on a branch other than main"
+          exit 1
+      - name: Check out code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Download artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: packages
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
@@ -0,0 +1,43 @@
+# https://github.com/woodruffw/zizmor
+name: Zizmor
+
+on:
+  push:
+    paths:
+      - .github/**
+    branches: ["main"]
+  pull_request:
+    paths:
+      - .github/**
+    branches: ["*"]
+
+permissions:
+  contents: read
+
+
+jobs:
+  zizmor:
+    name: Zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: zizmor