Chore: Update DevOps tooling from central repository [skip ci]

.devops-exclusions

@@ -1,3 +1,2 @@
 .github/workflows/linting.yaml
 .github/workflows/notebooks.yaml
-

.github/workflows/codeql.yml

@@ -1,16 +1,16 @@
----
-# SPDX-License-Identifier: Apache-2.0
-# Copyright 2024 The Linux Foundation <mwatkins@linuxfoundation.org>
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "🔐 CodeQL"
 
-name: "CodeQL"
-
-# yamllint disable rule:line-length
-# yamllint disable rule:brackets
-# yamllint disable rule:indentation
-# yamllint disable rule:comments
-# yamllint disable rule:comments-indentation
-
-# yamllint disable-line rule:truthy
 on:
   push:
     branches: [ "main", "gh-pages", "master" ]
@@ -46,14 +46,9 @@ jobs:
         include:
         - language: python
           build-mode: none
-        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
-        # Use `c-cpp` to analyze code written in C, C++ or both
-        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
-        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
-        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
-        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+        # CodeQL supports the following values keywords for 'language':
+        #  'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -68,15 +63,10 @@ jobs:
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
 
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
     # If the analyze step fails for one of the languages you are analyzing with
     # "We were unable to automatically build your code", modify the matrix above
     # to set the build mode to "manual" for that language. Then modify this step
     # to build your code.
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
     - if: matrix.build-mode == 'manual'
       shell: bash
       run: |

.github/workflows/release.yaml

@@ -1,12 +1,11 @@
 ---
-name: "🐍📦 Production build and release"
+name: "🐍📦 Old Production build and release"
 
 # GitHub/PyPI trusted publisher documentation:
 # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
 
 # yamllint disable-line rule:truthy
 on:
-  # workflow_dispatch:
   push:
     # Only invoked on release tag pushes
     tags:
@@ -25,8 +24,9 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     permissions:
-      # IMPORTANT: mandatory for Sigstore
+      contents: write
       id-token: write
+
     steps:
       ### BUILDING ###
 
@@ -41,14 +41,30 @@ jobs:
       - name: "Setup PDM for build commands"
         uses: pdm-project/setup-pdm@v4
 
+      - name: "Fetch current semantic tag"
+        id: fetch-tags
+        # yamllint disable-line rule:line-length
+        uses: os-climate/devops-reusable-workflows/.github/actions/latest-semantic-tag@main
+
+      - name: "Update version from tags for production release"
+        run: |
+          echo "Github tag/versioning: ${{ github.ref_name }}"
+          if (grep 'dynamic = \[\"version\"\]' pyproject.toml > /dev/null); then
+            echo "Proceeding build with dynamic versioning"
+          else
+            echo "Using legacy script to bump release version"
+            scripts/release-versioning.sh
+          fi
+
       - name: "Build with PDM backend"
         run: |
           pdm build
 
       ### SIGNING ###
 
       - name: "Sign packages with Sigstore"
-        uses: sigstore/gh-action-sigstore-python@v2.1.1
+        # Use new action
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
         with:
           inputs: >-
             ./dist/*.tar.gz
@@ -64,8 +80,6 @@ jobs:
 
   github:
     name: "📦 Publish to GitHub"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
     needs:
       - build
     runs-on: ubuntu-latest
@@ -86,20 +100,17 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           prerelease: false
           tag_name: ${{ github.ref_name }}
-          name: "Test/Development Build \
-            ${{ github.ref_name }}"
+          name: ${{ github.ref_name }}"
           # body_path: ${{ github.workspace }}/CHANGELOG.rst
           files: |
             dist/*.tar.gz
             dist/*.whl
-            dist/*.sigstore
+            dist/*.sigstore*
 
   ### PUBLISH PYPI TEST ###
 
   testpypi:
-    name: "📦 Publish to PyPi Test"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
+    name: "📦 Test publishing to PyPI"
     needs:
       - build
     runs-on: ubuntu-latest
@@ -120,9 +131,9 @@ jobs:
           if [ -f dist/buildvars.txt ]; then
             rm dist/buildvars.txt
           fi
-          rm dist/*.sigstore
+          rm dist/*.sigstore*
 
-      - name: Publish distribution to Test PyPI
+      - name: "Test publishing to PyPI"
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           repository-url: https://test.pypi.org/legacy/
@@ -132,8 +143,6 @@ jobs:
 
   pypi:
     name: "📦 Publish to PyPi"
-    # Only publish on tag pushes
-    if: startsWith(github.ref, 'refs/tags/')
     needs:
       - testpypi
     runs-on: ubuntu-latest
@@ -154,7 +163,7 @@ jobs:
           if [ -f dist/buildvars.txt ]; then
             rm dist/buildvars.txt
           fi
-          rm dist/*.sigstore
+          rm dist/*.sigstore*
 
       - name: "Setup PDM for build commands"
         uses: pdm-project/setup-pdm@v4

.github/workflows/test-release.yaml

@@ -43,6 +43,16 @@ jobs:
           echo "vernum=${vernum}" >> "$GITHUB_OUTPUT"
           echo "vernum=${vernum}" >> buildvars.txt
 
+      - name: "Tag for test release"
+        # Delete all local tags, then create a synthetic tag for testing
+        # Use the date/time to avoid conflicts uploading to Test PyPI
+        run: |
+          scripts/dev-versioning.sh "${{ steps.setenv.outputs.vernum }}"
+          git tag | xargs -L 1 | xargs git tag --delete
+          git tag "v${{ steps.setenv.outputs.vernum }}"
+          git checkout "tags/v${{ steps.setenv.outputs.vernum }}"
+          grep version pyproject.toml
+
       - name: "Build with PDM backend"
         run: |
           pdm build
@@ -52,7 +62,7 @@ jobs:
       ### SIGNING ###
 
       - name: "Sign packages with Sigstore"
-        uses: sigstore/gh-action-sigstore-python@v2.1.1
+        uses: sigstore/gh-action-sigstore-python@v2
 
         with:
           inputs: >-

.markdownlint.yaml

@@ -8,6 +8,3 @@ default: true
 extends: null
 
 MD013: false
-MD033: {
-    "allowed_elements": ["img"]
-}

.pre-commit-config.yaml

@@ -78,7 +78,7 @@ repos:
           ignore-from-file: [.gitignore],}"]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.5.2
+    rev: v0.5.5
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix, --config=pyproject.toml]
@@ -94,7 +94,7 @@ repos:
           then /bin/mkdir .mypy_cache; fi; exit 0'
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: "v1.10.1"
+    rev: "v1.11.0"
     hooks:
       - id: mypy
         verbose: true