Update development toolchain

.github/renovate.json

@@ -1,6 +1,5 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "schedule": ["before 2am"],
   "rebaseWhen": "behind-base-branch",
   "dependencyDashboard": true,
   "labels": ["dependencies", "no-stale"],

.github/workflows/linting.yaml

@@ -54,31 +54,10 @@ jobs:
           poetry config virtualenvs.in-project true
       - name: 🏗 Install Python dependencies
         run: poetry install --no-interaction
-      - name: 🚀 Run Ruff
-        run: poetry run ruff .
-
-  black:
-    name: black
-    runs-on: ubuntu-latest
-    steps:
-      - name: ⤵️ Check out code from GitHub
-        uses: actions/checkout@v4.1.1
-      - name: 🏗 Set up Poetry
-        run: pipx install poetry
-      - name: 🏗 Set up Python ${{ env.DEFAULT_PYTHON }}
-        id: python
-        uses: actions/setup-python@v4.7.1
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-          cache: "poetry"
-      - name: 🏗 Install workflow dependencies
-        run: |
-          poetry config virtualenvs.create true
-          poetry config virtualenvs.in-project true
-      - name: 🏗 Install Python dependencies
-        run: poetry install --no-interaction
-      - name: 🚀 Run black on docs
-        run: poetry run blacken-docs
+      - name: 🚀 Run ruff linter
+        run: poetry run ruff check --output-format=github .
+      - name: 🚀 Run ruff formatter
+        run: poetry run ruff format --check .
 
   pre-commit-hooks:
     name: pre-commit-hooks
@@ -116,10 +95,6 @@ jobs:
         run: poetry run pre-commit run check-symlinks --all-files
       - name: 🚀 Check TOML files
         run: poetry run pre-commit run check-toml --all-files
-      - name: 🚀 Check XML files
-        run: poetry run pre-commit run check-xml --all-files
-      - name: 🚀 Check YAML files
-        run: poetry run pre-commit run check-yaml --all-files
       - name: 🚀 Check YAML files
         run: poetry run pre-commit run check-yaml --all-files
       - name: 🚀 Detect Private Keys
@@ -196,7 +171,7 @@ jobs:
       - name: 🏗 Install Python dependencies
         run: poetry install --no-interaction
       - name: 🏗 Set up Node.js
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
+        uses: actions/setup-node@v4.0.0
         with:
           node-version-file: ".nvmrc"
           cache: "npm"

.github/workflows/pr-labels.yaml

@@ -3,8 +3,13 @@ name: PR Labels
 
 # yamllint disable-line rule:truthy
 on:
-  pull_request:
-    types: [opened, labeled, unlabeled, synchronize]
+  pull_request_target:
+    types:
+      - opened
+      - labeled
+      - unlabeled
+      - synchronize
+  workflow_call:
 
 jobs:
   pr_labels:
@@ -14,6 +19,7 @@ jobs:
       - name: 🏷 Verify PR has a valid label
         uses: jesusvasquez333/verify-pr-label-action@v1.4.0
         with:
+          pull-request-number: "${{ github.event.pull_request.number }}"
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           valid-labels: >-
             breaking-change, bugfix, documentation, enhancement,

.github/workflows/release.yaml

@@ -14,6 +14,12 @@ jobs:
   release:
     name: Releasing to PyPi
     runs-on: ubuntu-latest
+    environment:
+      name: release
+      url: https://pypi.org/p/twentemilieu
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@v4.1.1
@@ -40,8 +46,12 @@ jobs:
       - name: 🏗 Build package
         run: poetry build --no-interaction
       - name: 🚀 Publish to PyPi
-        env:
-          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-        run: |
-          poetry config pypi-token.pypi "${PYPI_TOKEN}"
-          poetry publish --no-interaction
+        uses: pypa/gh-action-pypi-publish@v1.8.10
+        with:
+          verbose: true
+          print-hash: true
+      - name: ✍️ Sign published artifacts
+        uses: sigstore/gh-action-sigstore-python@v2.1.0
+        with:
+          inputs: ./dist/*.tar.gz ./dist/*.whl
+          release-signing-artifacts: true

.github/workflows/tests.yaml

@@ -37,7 +37,7 @@ jobs:
       - name: 🚀 Run pytest
         run: poetry run pytest --cov twentemilieu tests
       - name: ⬆️ Upload coverage artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+        uses: actions/upload-artifact@v3.1.3
         with:
           name: coverage-${{ matrix.python }}
           path: .coverage
@@ -73,8 +73,8 @@ jobs:
       - name: 🚀 Upload coverage report
         uses: codecov/codecov-action@v3.1.4
       - name: SonarCloud Scan
-        if: github.repository_owner == 'frenck'
-        uses: SonarSource/sonarcloud-github-action@v1.9
+        if: github.event.pull_request.head.repo.fork == false
+        uses: SonarSource/sonarcloud-github-action@v2.0.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.pre-commit-config.yaml

@@ -2,25 +2,20 @@
 repos:
   - repo: local
     hooks:
-      - id: ruff
-        name: 🐶 Ruff
+      - id: ruff-check
+        name: 🐶 Ruff Linter
         language: system
         types: [python]
-        entry: poetry run ruff --fix
+        entry: poetry run ruff check --fix
         require_serial: true
         stages: [commit, push, manual]
-      - id: black
-        name: ☕️ Format using black
+      - id: ruff-format
+        name: 🐶 Ruff Formatter
         language: system
         types: [python]
-        entry: poetry run black
-        require_serial: true
-      - id: blacken-docs
-        name: ☕️ Format documentation examples using black
-        language: system
-        files: '\.(rst|md|markdown|py|tex)$'
-        entry: poetry run blacken-docs
+        entry: poetry run ruff format
         require_serial: true
+        stages: [commit, push, manual]
       - id: check-ast
         name: 🐍 Check Python AST
         language: system