Modernize

.github/dependabot.yaml

@@ -1,33 +1,34 @@
 version: 2
 updates:
-  - package-ecosystem: "devcontainers"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "monthly"
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "monthly"
+      interval: monthly
     groups:
       ci-dependencies:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
 
-  - package-ecosystem: "uv"
-    directory: "/"
+  - package-ecosystem: uv
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly
     groups:
       python-dependencies:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
 
-  - package-ecosystem: "docker"
-    directory: "/"
+  - package-ecosystem: pre-commit
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly
     groups:
-      docker-dependencies:
+      pre-commit-dependencies:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7

.github/workflows/container-build-deploy.yaml

@@ -1,28 +1,77 @@
-name: Container Build and Deploy
+name: Image build and deploy
 
 on:
   push:
     branches:
       - main
     tags:
-      - v*
+      - "*"
   pull_request:
 
 permissions:
   contents: read
-  packages: write
-  # Used by actions/attest-build-provenance
-  id-token: write
-  attestations: write
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
   build-push:
-    uses: darbiadev/.github/.github/workflows/container-build-push.yaml@440166417b42442c6114aaa895094f0db7de9b78 # v15.2.0
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    outputs:
+      image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      digest: ${{ steps.build-and-push.outputs.digest }}
+    steps:
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ github.sha }}
+            type=ref,event=tag
+            type=edge
+        env:
+          # ghcr.io prefers index level annotations
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          file: Dockerfile
+          push: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/') }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          build-args: |
+            git_sha=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: mode=max
+          sbom: true
 
   deploy:
     needs: build-push
     runs-on: ubuntu-latest
     if: ${{ github.ref == 'refs/heads/main' }}
     steps:
-      - name: "Update deployment"
+      - name: Update deployment
         run: curl -X POST '${{ secrets.DEPLOY_WEBHOOK }}'

.github/workflows/dependency-review.yaml

@@ -1,20 +1,25 @@
-name: "Dependency Review"
+name: Dependency Review
 
 on:
+  push:
+    branches:
+      - main
   pull_request:
 
 permissions:
   contents: read
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
 
     steps:
-      - name: "Checkout Repository"
+      - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
-      - name: "Dependency Review"
+      - name: Dependency Review
         uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
         with:
           config-file: darbiadev/.github/.github/dependency-review-config.yaml@main

.github/workflows/docs.yaml

@@ -0,0 +1,61 @@
+name: Docs
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-slim
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+        with:
+          enable-cache: true
+
+      - name: Setup Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Sync dependencies
+        run: uv sync --group docs
+
+      - name: Build docs
+        run: uv run sphinx-build --builder dirhtml --nitpicky docs site
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+        with:
+          path: ./site
+
+  deploy:
+    if: ${{ github.ref == 'refs/heads/main' }}
+
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    runs-on: ubuntu-slim
+
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

.github/workflows/python-ci.yaml

@@ -6,30 +6,34 @@ on:
       - main
   pull_request:
 
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
+permissions:
+  contents: read
 
+jobs:
+  lint:
+    runs-on: ubuntu-slim
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+        with:
+          enable-cache: true
+          resolution-strategy: "lowest"
 
       - name: Setup Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: 3.12
-          allow-prereleases: true
-          cache: pip
-          cache-dependency-path: uv.lock
-
-      - name: Set up uv
-        run: curl -LsSf https://astral.sh/uv/install.sh | sh
+          python-version-file: "pyproject.toml"
 
       - name: Sync dependencies
         run: uv sync --group dev --group tests
 
-      - name: Run pre-commit
-        run: uv run pre-commit run --all-files
+      - name: Run prek
+        run: uv run prek run --all-files
 
       - name: Check formatting
         run: uv run ruff format --check .
@@ -38,21 +42,81 @@ jobs:
         run: uv run ruff check --output-format=github .
 
       - name: Run mypy
-        run: uv run mypy --strict src/
+        run: uv run mypy --strict src/ tests/
 
-      - name: Run tests
-        run: uv run python -m coverage run -m pytest -v
+      - name: Run ty
+        run: uv run ty check .
 
-      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+  test:
+    runs-on: ubuntu-slim
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
-  docs:
-    # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+      - name: Install uv
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+        with:
+          enable-cache: true
+          resolution-strategy: "lowest"
+
+      - name: Setup Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: 3.14
+
+      - name: Sync dependencies
+        run: uv sync --group dev --group tests
+
+      - name: Run tests with coverage
+        run: uv run python -m coverage run -m pytest -v --junitxml=junit.xml
+
+      - name: Create coverage report
+        run: uv run coverage xml -o coverage.xml
+
+      - name: Upload coverage reports
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: coverage-reports
+          path: |
+            coverage.xml
+            junit.xml
+          if-no-files-found: error
+
+  codecov:
+    runs-on: ubuntu-slim
+    needs: [test]
+    if: ${{ always() }}
     permissions:
       contents: read
-      pages: write
       id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Download coverage reports
+        if: ${{ !cancelled() }}
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: coverage-reports
+          path: coverage
+
+      - name: Upload coverage to Codecov
+        if: ${{ !cancelled() }}
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        with:
+          report_type: coverage
+          use_oidc: true
+          files: coverage/coverage.xml
 
-    uses: darbiadev/.github/.github/workflows/github-pages-python-sphinx.yaml@440166417b42442c6114aaa895094f0db7de9b78 # v15.2.0
+      - name: Upload test results to Codecov
+        if: ${{ !cancelled() }}
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        with:
+          report_type: test_results
+          use_oidc: true
+          files: coverage/junit.xml

.github/workflows/sentry-release.yaml

@@ -1,19 +1,24 @@
-name: "Sentry release"
+name: Sentry release
 
 on:
   push:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   sentry-release:
     runs-on: ubuntu-latest
 
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
-      - name: "Create Sentry release"
+      - name: Create Sentry release
         uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3.6.0
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}