Update external workflows

Author: kdeldycke

.github/actions/publish-pypi/action.yaml

@@ -0,0 +1,51 @@
+---
+name: Publish to PyPI via Trusted Publishing
+description: >
+  Download the build artifact (which carries its own PEP 740 attestation
+  sidecars, generated at build time) and upload everything to PyPI using
+  OIDC-based Trusted Publishing (no long-lived API token).
+
+# This composite action is a workaround for pypi/warehouse#11096: PyPI's
+# Trusted Publisher config matches the OIDC `job_workflow_ref` claim against
+# the *caller's* workflow file, but reusable workflows mint a token whose
+# `job_workflow_ref` names the reusable workflow. Composite actions inherit
+# the calling job's OIDC context, so invoking this action from a downstream
+# caller's `release.yaml` keeps `job_workflow_ref` pointing at that file —
+# which is what the downstream's PyPI Trusted Publisher must register.
+
+inputs:
+  artifact-name:
+    description: Name of the dist artifact uploaded by the upstream build job.
+    required: true
+  repository-url:
+    description: >
+      Optional override for the PyPI repository URL (e.g., TestPyPI). Leave
+      empty to publish to the canonical PyPI index.
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0
+      with:
+        enable-cache: false
+
+    - name: Download build artifact
+      id: download
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: ${{ inputs.artifact-name }}
+        path: dist/
+
+    - name: Push to PyPI
+      env:
+        DOWNLOAD_PATH: ${{ steps.download.outputs.download-path }}
+        REPOSITORY_URL: ${{ inputs.repository-url }}
+      shell: bash
+      run: |
+        args=(--no-progress publish --trusted-publishing automatic)
+        if [[ -n "${REPOSITORY_URL}" ]]; then
+          args+=(--publish-url "${REPOSITORY_URL}")
+        fi
+        uv "${args[@]}" "${DOWNLOAD_PATH}"/*

.github/workflows/autofix.yaml

@@ -9,7 +9,7 @@ name: 🪄 Autofix
 jobs:
 
   autofix:
-    uses: kdeldycke/repomatic/.github/workflows/autofix.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/autofix.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0
     secrets:
       REPOMATIC_PAT: ${{ secrets.REPOMATIC_PAT }}
       VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}

.github/workflows/autolock.yaml

@@ -8,4 +8,4 @@ name: 🔒 Autolock
 jobs:
 
   autolock:
-    uses: kdeldycke/repomatic/.github/workflows/autolock.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/autolock.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0

.github/workflows/cancel-runs.yaml

@@ -4,9 +4,8 @@ name: ✂️ Cancel runs
   pull_request:
     types:
       - closed
-  workflow_dispatch:
 
 jobs:
 
   cancel-runs:
-    uses: kdeldycke/repomatic/.github/workflows/cancel-runs.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/cancel-runs.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0

.github/workflows/changelog.yaml

@@ -23,6 +23,6 @@ name: 🆙 Changelog & versions
 jobs:
 
   changelog:
-    uses: kdeldycke/repomatic/.github/workflows/changelog.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/changelog.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0
     secrets:
       REPOMATIC_PAT: ${{ secrets.REPOMATIC_PAT }}

.github/workflows/docs.yaml

@@ -5,8 +5,17 @@ name: 📚 Docs
   push:
     branches:
       - main
+    paths:
+      - .github/workflows/docs.yaml
+      - changelog.md
+      - citation.cff
+      - "docs/**"
+      - pyproject.toml
+      - readme.md
+      - uv.lock
+      - "**/*.py"
 
 jobs:
 
   docs:
-    uses: kdeldycke/repomatic/.github/workflows/docs.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/docs.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0

.github/workflows/labels.yaml

@@ -7,8 +7,9 @@ name: 🏷️ Labels
       - main
   pull_request:
     branches-ignore:
+      - major-version-increment
+      - minor-version-increment
       - prepare-release
-      - "renovate/**"
     types:
       - opened
   issues:
@@ -18,4 +19,4 @@ name: 🏷️ Labels
 jobs:
 
   labels:
-    uses: kdeldycke/repomatic/.github/workflows/labels.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/labels.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0

.github/workflows/lint.yaml

@@ -5,15 +5,23 @@ name: 🧹 Lint
   push:
     branches:
       - main
+    paths-ignore:
+      - "**/*.gif"
+      - "**/*.jpeg"
+      - "**/*.jpg"
+      - "**/*.png"
+      - "**/*.svg"
+      - "**/*.webp"
   pull_request:
     branches-ignore:
+      - major-version-increment
+      - minor-version-increment
       - prepare-release
-      - "renovate/**"
 
 jobs:
 
   lint:
-    uses: kdeldycke/repomatic/.github/workflows/lint.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/lint.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0
     secrets:
       REPOMATIC_PAT: ${{ secrets.REPOMATIC_PAT }}
       VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}

.github/workflows/release.yaml

@@ -1,16 +1,29 @@
 ---
 name: 🚀 Build & release
 "on":
+  workflow_dispatch:
   push:
     branches:
       - main
-  workflow_dispatch:
 
 jobs:
 
   release:
-    uses: kdeldycke/repomatic/.github/workflows/release.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/release.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0
     secrets:
-      PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
       REPOMATIC_PAT: ${{ secrets.REPOMATIC_PAT }}
       VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}
+
+  publish-pypi:
+    name: 🐍 Publish to PyPI (${{ matrix.short_sha }})
+    needs: release
+    if: needs.release.outputs.release_commits_matrix
+    strategy:
+      matrix: ${{ fromJSON(needs.release.outputs.release_commits_matrix) }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: kdeldycke/repomatic/.github/actions/publish-pypi@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0
+        with:
+          artifact-name: ${{ github.event.repository.name }}-${{ matrix.short_sha }}

.github/workflows/renovate.yaml

@@ -1,9 +1,9 @@
 ---
 name: 🆕 Renovate
 "on":
+  workflow_dispatch:
   schedule:
     - cron: "3 17 * * 1"
-  workflow_dispatch:
   push:
     branches:
       - main
@@ -14,6 +14,6 @@ name: 🆕 Renovate
 jobs:
 
   renovate:
-    uses: kdeldycke/repomatic/.github/workflows/renovate.yaml@f600fefb41f28a11f550f43d8145b96438e46b84 # v6.14.0
+    uses: kdeldycke/repomatic/.github/workflows/renovate.yaml@f185b237deb05defc94f8dff02a82a2d9bd579d8 # v6.20.0
     secrets:
       REPOMATIC_PAT: ${{ secrets.REPOMATIC_PAT }}