feat: init repo (#1)

Author: wislertt

.codecov.yml

@@ -0,0 +1,8 @@
+coverage:
+    status:
+        project:
+            default:
+                target: 70%
+        patch:
+            default:
+                target: 70%

.github/renovate.json5

@@ -0,0 +1,4 @@
+{
+    $schema: "https://docs.renovatebot.com/renovate-schema.json",
+    extends: ["config:recommended"],
+}

.github/workflows/cd.yml

@@ -0,0 +1,72 @@
+name: cd
+
+on:
+    push:
+        branches:
+            - main
+    workflow_dispatch:
+
+permissions:
+    contents: write
+    issues: write
+    pull-requests: write
+
+jobs:
+    # ====================================================
+    # Versioning and Release
+    # ====================================================
+    semantic-release:
+        name: semantic-release
+        uses: wislertt/zerv/.github/workflows/shared-semantic-release.yml@v0
+        with:
+            allowed_workflow_dispatch_branches: '["main"]'
+            fail_on_invalid_workflow_dispatch_ref: true
+
+    zerv-versioning:
+        needs: semantic-release
+        if: needs.semantic-release.outputs.is_valid_semantic_release == 'true'
+        uses: wislertt/zerv/.github/workflows/shared-zerv-versioning.yml@v0
+
+    create-version-prefix-tags:
+        needs: zerv-versioning
+        uses: wislertt/zerv/.github/workflows/shared-create-tags.yml@v0
+        with:
+            tags: >-
+                [
+                  "${{ fromJson(needs.zerv-versioning.outputs.versions).v_major }}",
+                  "${{ fromJson(needs.zerv-versioning.outputs.versions).v_major_minor }}"
+                ]
+
+    # ====================================================
+    # Test and Lint
+    # ====================================================
+    test:
+        uses: ./.github/workflows/test.yml
+        secrets:
+            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+            CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+    pre-commit:
+        uses: ./.github/workflows/pre-commit.yml
+
+    # ====================================================
+    # Deployment
+    # ====================================================
+    publish-pypi:
+        needs: zerv-versioning
+        uses: ./.github/workflows/publish.yml
+        with:
+            version: ${{ fromJson(needs.zerv-versioning.outputs.versions).pep440 }}
+            python_version: "3.14"
+        secrets:
+            PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+
+    publish-test-pypi:
+        needs: zerv-versioning
+        uses: ./.github/workflows/publish.yml
+        with:
+            version: ${{ fromJson(needs.zerv-versioning.outputs.versions).pep440 }}
+            python_version: "3.14"
+            repository_url: https://test.pypi.org/legacy/
+        secrets:
+            PYPI_API_TOKEN: ${{ secrets.TEST_PYPI_API_TOKEN }}

.github/workflows/ci.yml

@@ -0,0 +1,62 @@
+name: ci
+
+on:
+    pull_request:
+        types: [labeled, unlabeled, opened, synchronize, reopened]
+
+permissions:
+    contents: write
+    id-token: write
+
+jobs:
+    # ====================================================
+    # Versioning and Release
+    # ====================================================
+    check-pre-release:
+        name: check-pre-release
+        uses: wislertt/zerv/.github/workflows/shared-check-pr-label-and-branch.yml@v0
+        with:
+            target_label: "pre-release"
+            branch_prefixes: '["release/"]'
+            branch_names: '["develop"]'
+
+    zerv-versioning:
+        name: zerv-versioning
+        needs: check-pre-release
+        uses: wislertt/zerv/.github/workflows/shared-zerv-versioning.yml@v0
+        with:
+            schema: ${{ (needs.check-pre-release.outputs.is_valid == 'true' && 'standard-base-prerelease-post') || '' }}
+
+    tag-pre-release:
+        name: tag-pre-release
+        needs: [zerv-versioning, check-pre-release]
+        if: needs.check-pre-release.outputs.is_valid == 'true'
+        uses: wislertt/zerv/.github/workflows/shared-create-tags.yml@v0
+        with:
+            tags: '["${{ fromJson(needs.zerv-versioning.outputs.versions).v_semver }}"]'
+
+    # ====================================================
+    # Test and Lint
+    # ====================================================
+    test:
+        uses: ./.github/workflows/test.yml
+        secrets:
+            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+            CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+    pre-commit:
+        uses: ./.github/workflows/pre-commit.yml
+
+    # ====================================================
+    # Deployment
+    # ====================================================
+    publish-test-pypi:
+        if: needs.check-pre-release.outputs.is_valid == 'true'
+        needs: [zerv-versioning, check-pre-release]
+        uses: ./.github/workflows/publish.yml
+        with:
+            version: ${{ fromJson(needs.zerv-versioning.outputs.versions).pep440 }}
+            python_version: "3.14"
+            repository_url: https://test.pypi.org/legacy/
+        secrets:
+            PYPI_API_TOKEN: ${{ secrets.TEST_PYPI_API_TOKEN }}

.github/workflows/pre-commit.yml

@@ -0,0 +1,48 @@
+name: pre-commit
+
+on:
+    workflow_call:
+
+jobs:
+    pre-commit:
+        runs-on: ubuntu-latest
+        steps:
+            - name: checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+              with:
+                  fetch-depth: 0
+                  submodules: recursive
+                  token: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: setup-python
+              uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+              with:
+                  python-version: "3.14"
+
+            - name: setup-uv
+              uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+              with:
+                  version: "latest"
+                  enable-cache: true
+
+            - name: cache-uv
+              uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+              with:
+                  path: ${{ github.workspace }}/.venv
+                  key: uv-${{ runner.os }}-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
+                  restore-keys: |
+                      uv-${{ runner.os }}-py${{ matrix.python-version }}-
+                      uv-${{ runner.os }}-
+
+            - name: install-dependencies
+              run: uv sync --all-groups
+
+            - name: setup-bun
+              uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
+              with:
+                  bun-version: latest
+
+            - name: run-pre-commit
+              uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+              with:
+                  extra_args: --all-files

.github/workflows/publish.yml

@@ -0,0 +1,53 @@
+name: publish-python-package
+
+on:
+    workflow_call:
+        inputs:
+            version:
+                required: true
+                type: string
+                description: "PEP440 version string"
+            repository_url:
+                required: false
+                type: string
+                description: "PyPI repository URL (default: official PyPI)"
+                default: ""
+            python_version:
+                required: false
+                type: string
+                description: "Python version"
+        secrets:
+            PYPI_API_TOKEN:
+                required: true
+
+jobs:
+    publish:
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: update-version-in-pyproject-toml
+              run: |
+                  sed -i.bak 's/^version = .*/version = "${{ inputs.version }}"/' pyproject.toml
+                  grep '^version' pyproject.toml
+
+            - name: setup-python
+              uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+              with:
+                  python-version: ${{ inputs.python_version }}
+
+            - name: setup-uv
+              uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+
+            - name: build-package
+              run: uv build
+
+            - name: publish-to-pypi
+              uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+              with:
+                  repository-url: ${{ inputs.repository_url || '' }}
+                  password: ${{ secrets.PYPI_API_TOKEN }}
+                  verbose: true
+                  skip-existing: true

.github/workflows/security.yml

@@ -0,0 +1,37 @@
+name: security
+on:
+    push:
+    workflow_dispatch:
+    schedule:
+        - cron: "0 4 * * *" # run once a day at 4 AM
+
+jobs:
+    trivy-scan:
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: run-trivy-scan
+              uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+              with:
+                  scan-type: fs
+                  format: table
+                  exit-code: "1"
+                  vuln-type: "os,library"
+
+    gitleaks:
+        name: gitleaks
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+              with:
+                  fetch-depth: 0
+
+            - name: run-gitleaks
+              uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-pull-request.yml

@@ -0,0 +1,19 @@
+name: ci
+
+on:
+    pull_request:
+        branches: [main]
+        types: [opened, edited, synchronize, reopened]
+
+permissions:
+    pull-requests: read
+
+jobs:
+    semantic-pull-request:
+        name: semantic-pull-request
+        runs-on: ubuntu-latest
+        steps:
+            - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+              name: validate-py-title
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -0,0 +1,73 @@
+name: Reusable Test Workflow
+
+on:
+    workflow_call:
+        inputs:
+            python_versions:
+                type: string
+                default: "['3.10', '3.11', '3.12', '3.13', '3.14']"
+                description: "JSON array of Python versions to test"
+            target_python_version:
+                type: string
+                default: "3.14"
+                description: "Python version to use for coverage and SonarQube scans"
+            upload_coverage:
+                type: boolean
+                default: true
+                description: "Whether to upload coverage reports"
+        secrets:
+            SONAR_TOKEN:
+                required: false
+            CODECOV_TOKEN:
+                required: false
+
+jobs:
+    test:
+        runs-on: ubuntu-latest
+        strategy:
+            matrix:
+                python-version: ${{ fromJson(inputs.python_versions) }}
+
+        steps:
+            - name: checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: setup-python
+              uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+              with:
+                  python-version: ${{ matrix.python-version }}
+
+            - name: setup-uv
+              uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+              with:
+                  version: "latest"
+                  enable-cache: true
+
+            - name: cache-uv
+              uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+              with:
+                  path: ${{ github.workspace }}/.venv
+                  key: uv-${{ runner.os }}-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
+                  restore-keys: |
+                      uv-${{ runner.os }}-py${{ matrix.python-version }}-
+                      uv-${{ runner.os }}-
+
+            - name: install-dependencies
+              run: uv sync --all-groups --frozen
+
+            - name: run-tests
+              run: make test
+
+            - name: sonarqube-scan
+              if: matrix.python-version == inputs.target_python_version && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+              uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
+              env:
+                  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+            - name: upload-coverage-reports-to-codecov
+              if: matrix.python-version == inputs.target_python_version && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+              uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+              with:
+                  fail_ci_if_error: true
+                  token: ${{ secrets.CODECOV_TOKEN }}
+                  verbose: true