chore:

.github/renovate.json

@@ -0,0 +1,104 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "dependencyDashboard": true,
+    "extends": [
+        "config:best-practices",
+        "group:githubArtifactActions"
+    ],
+    "ignoreDeps": [
+        "tektronix/python-package-ci-cd"
+    ],
+    "packageRules": [
+        {
+            "addLabels": [
+                "docker",
+                "dependencies"
+            ],
+            "additionalBranchPrefix": "docker-deps/",
+            "commitMessageSuffix": " in all dependant actions",
+            "description": "Add docker and dependencies labels to Docker dependency updates",
+            "matchManagers": [
+                "dockerfile"
+            ],
+            "semanticCommitScope": "docker-deps"
+        },
+        {
+            "addLabels": [
+                "gh-actions",
+                "dependencies"
+            ],
+            "additionalBranchPrefix": "gh-actions-deps/",
+            "description": "Add gh-actions and dependencies labels to GitHub Action dependency updates",
+            "matchManagers": [
+                "github-actions"
+            ],
+            "semanticCommitScope": "gh-actions-deps"
+        },
+        {
+            "addLabels": [
+                "python",
+                "dependencies"
+            ],
+            "additionalBranchPrefix": "python-deps/",
+            "description": "Add python and dependencies labels to Python dependency updates",
+            "matchManagers": [
+                "poetry",
+                "pip_requirements"
+            ],
+            "semanticCommitScope": "python-deps"
+        },
+        {
+            "commitMessageSuffix": " in all dependant reusable workflows",
+            "description": "Add commit suffix for reusable workflows",
+            "matchFileNames": [
+                "/_reusable-.*\\.ya?ml/"
+            ],
+            "matchManagers": [
+                "github-actions"
+            ]
+        },
+        {
+            "commitMessageSuffix": "{{#unless isGroup}} in dev workflows{{/unless}}",
+            "description": "Group together all dev workflow dependency updates",
+            "groupName": "dev workflow dependencies",
+            "matchFileNames": [
+                "!/_reusable-.*\\.ya?ml/"
+            ],
+            "matchManagers": [
+                "github-actions"
+            ]
+        },
+        {
+            "automerge": true,
+            "description": "Automatically merge all patch updates",
+            "matchUpdateTypes": [
+                "patch"
+            ]
+        },
+        {
+            "automerge": false,
+            "description": "Group together all python-semantic-release dependencies",
+            "groupName": "python-semantic-release dependencies",
+            "matchPackageNames": [
+                "/^python-semantic-release/"
+            ]
+        },
+        {
+            "commitMessageSuffix": "{{#if (equals parentDir '')}} for {{#each depTypes}}{{replace '-' '/' this}}{{#unless @last}} and {{/unless}}{{/each}}{{else}} in all dependant actions {{/if}}",
+            "description": "Add commit suffix for the dependency group (or parent directory)",
+            "matchFileNames": [
+                "pyproject.toml",
+                "**/requirements.txt"
+            ],
+            "matchManagers": [
+                "poetry",
+                "pip_requirements"
+            ],
+            "matchPackageNames": [
+                "*"
+            ]
+        }
+    ],
+    "platformCommit": "enabled",
+    "prHourlyLimit": 5
+}

.github/workflows/_reusable-sbom-scan.yml

@@ -11,7 +11,7 @@ jobs:
   create-and-scan-sbom:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
       - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version-file: pyproject.toml
@@ -25,7 +25,7 @@ jobs:
           format: spdx-json
           output-file: ${{ github.event.repository.name }}-sbom.spdx.json
       - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1  # v1.4.2
-        if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
+        if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && !contains(fromJSON('["dependabot[bot]", "renovate[bot]"]'), github.actor) }}
         with:
           subject-path: ${{ github.event.repository.name }}-sbom.spdx.json
       - name: Scan SBOM
@@ -35,14 +35,23 @@ jobs:
           sbom: ${{ github.event.repository.name }}-sbom.spdx.json
           fail-build: true
           severity-cutoff: low
+      - name: Scan SBOM (print results to console)
+        if: ${{ always() && contains(fromJSON('["success", "failure"]'), steps.scan.outcome) }}
+        uses: anchore/scan-action@bc9adf64917dd9444d6cf4dd68620c34ca3a5f69  # v4.1.1
+        with:
+          output-format: table
+          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          fail-build: false
+          severity-cutoff: low
       - name: Upload SBOM scan SARIF report as a workflow artifact
+        if: ${{ always() && contains(fromJSON('["success", "failure"]'), steps.scan.outcome) }}
         uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
         with:
           name: sarif_artifact
           path: ${{ steps.scan.outputs.sarif }}
           if-no-files-found: error
       - name: Upload SBOM scan SARIF report to GitHub UI Security tab
-        if: ${{ github.event_name != 'pull_request' }}
+        if: ${{ always() && github.event_name != 'pull_request' && contains(fromJSON('["success", "failure"]'), steps.scan.outcome) }}
         uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93  # v3.26.6
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/_reusable-test-code.yml

@@ -86,6 +86,7 @@ jobs:
       - name: Install tox
         run: python -m pip install tox
       - name: Run tox
+        id: run-tox
         run: tox -ve tests
       - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
         if: ${{ !cancelled() }}
@@ -97,7 +98,7 @@ jobs:
             .coverage*
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673  # v4.5.0
-        if: ${{ inputs.upload-to-codecov && github.repository == env.REPO_NAME && !cancelled() }}
+        if: ${{ always() && inputs.upload-to-codecov && github.repository == env.REPO_NAME && contains(fromJSON('["success", "failure"]'), steps.run-tox.outcome) }}
         with:
           token: ${{ secrets.codecov-token }}
           files: ./.coverage_tests.xml

.github/workflows/dependency-review.yml

@@ -11,7 +11,7 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
       - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c  # v4.3.4
         with:
           fail-on-severity: low

.github/workflows/test-actions.yml

@@ -127,7 +127,7 @@ jobs:
           dependency-dict: '{"dev": ["pyright"]}'
           pre-commit-hook-skip-list: remove-tabs,forbid-tabs,check-readthedocs,check-dependabot,check-github-actions,check-github-workflows,commitizen,blacken-docs,yamlfix,hadolint,mdformat,markdown-link-check,check-poetry,toml-sort-fix,pyright,poetry-audit,ruff,ruff-format,docformatter,renovate-config-validator
           export-dependency-groups: |
-            update_development_dependencies:actions/update_development_dependencies,
+            actions-update_development_dependencies:actions/update_development_dependencies,
             tests
   test-fetch_pr_number:
     runs-on: ubuntu-latest
@@ -189,6 +189,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
+        uses: re-actors/alls-green@13b4244b312e8a314951e03958a2f91519a6a3c9  # v1.2.1
         with:
           jobs: ${{ toJSON(needs) }}

pyproject.toml

@@ -32,23 +32,33 @@ version = "1.2.0"
 [tool.poetry.dependencies]
 python = "~3.12"  # This needs to stay in sync with all CI workflows
 
-[tool.poetry.group.create_unique_testpypi_version.dependencies]
+[tool.poetry.group.actions-create_unique_testpypi_version.dependencies]
 poetry-core = "1.9.0"
 pypi-simple = "1.5.0"
 tomli = "2.0.1"
 tomli-w = "1.0.0"
 
+[tool.poetry.group.actions-find_unreleased_changelog_items.dependencies]
+
+[tool.poetry.group.actions-update_development_dependencies.dependencies]
+poetry-plugin-export = "1.7.1"
+pre-commit = "3.8.0"
+pypi-simple = "1.5.0"
+toml-sort = "0.23.1"
+yamlfix = "1.17.0"
+
 [tool.poetry.group.dev.dependencies]
 pip = "^24.0"
 poetry-audit-plugin = "^0.4.0"
+poetry-plugin-export = "1.7.1"
 poetry-pre-commit-plugin = "^0.1.2"
-pre-commit = "^3.8.0"
+pre-commit = "3.8.0"
 pyright = "1.1.378"
 tox = "^4.18.0"
 tox-gh-actions = "^3.2.0"
 
 [tool.poetry.group.docs.dependencies]
-codespell = "^2.2.6"
+codespell = "^1.17.1"
 mkdocs = "^1.6.0"
 mkdocs-ezglossary-plugin = "^1.6.10"
 mkdocs-macros-plugin = "^1.0.5"
@@ -58,9 +68,7 @@ mkdocs-spellcheck = "^1.1.0"
 pygments = "^2.17.2"
 pymdown-extensions = "^10.8.1"
 symspellpy = "^6.7.7"
-tomli = "^2.0.0"
-
-[tool.poetry.group.find_unreleased_changelog_items.dependencies]
+tomli = "2.0.1"
 
 [tool.poetry.group.tests.dependencies]
 coverage = "^7.5.0"
@@ -73,13 +81,6 @@ pytest-github-report = "^0.0.1"
 pytest-html = "^4.1.1"
 pytest-order = "^1.2.1"
 
-[tool.poetry.group.update_development_dependencies.dependencies]
-poetry-plugin-export = "1.7.1"
-pre-commit = "3.8.0"
-pypi-simple = "1.5.0"
-toml-sort = "0.23.1"
-yamlfix = "1.17.0"
-
 [tool.pyright]
 ignore = [
   "temp_*.py"
@@ -217,9 +218,8 @@ setenv =
     GITHUB_STEP_SUMMARY = {tox_root}/.results_{envname}/github_report.md
 
 [testenv:docs]
-deps =
-    -r doc_config/requirements.txt
 commands_pre =
+    poetry install --only docs
 commands =
     python -c "import shutil; shutil.rmtree('.results_{envname}', ignore_errors=True)"
     mkdocs --verbose build --site-dir .results_{envname}
@@ -228,3 +228,6 @@ commands =
 commands =
     pytest -v -k "test_docs" --showlocals --junitxml={tox_root}/.results_{envname}/results.xml --self-contained-html --html={tox_root}/.results_{envname}/results.html
 """
+
+[tool.yamlfix]
+comments_min_spaces_from_content = 1