Update GHA pipelines (#213)

.github/release-drafter.yml

@@ -1,3 +1,3 @@
 ---
-# see https://github.com/ansible/devtools
-_extends: ansible/devtools
+# see https://github.com/ansible/team-devtools
+_extends: ansible/team-devtools

.github/workflows/ack.yml

@@ -1,10 +1,11 @@
 ---
-# See https://github.com/ansible/devtools/blob/main/.github/workflows/ack.yml
+# See https://github.com/ansible/team-devtools/blob/main/.github/workflows/ack.yml
 name: ack
 on:
   pull_request_target:
     types: [opened, labeled, unlabeled, synchronize]
 
 jobs:
   ack:
-    uses: ansible/devtools/.github/workflows/ack.yml@main
+    uses: ansible/team-devtools/.github/workflows/ack.yml@main
+    secrets: inherit

.github/workflows/push.yml

@@ -1,5 +1,5 @@
 ---
-# See https://github.com/ansible/devtools/blob/main/.github/workflows/push.yml
+# See https://github.com/ansible/team-devtools/blob/main/.github/workflows/push.yml
 name: push
 on:
   push:
@@ -10,4 +10,4 @@ on:
 
 jobs:
   ack:
-    uses: ansible/devtools/.github/workflows/push.yml@main
+    uses: ansible/team-devtools/.github/workflows/push.yml@main

.github/workflows/release.yml

@@ -10,17 +10,19 @@ jobs:
     name: Publish to PyPI registry
     environment: release
     runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
 
     env:
       FORCE_COLOR: 1
       PY_COLORS: 1
       TOXENV: pkg
 
     steps:
-      - name: Switch to using Python 3.9 by default
+      - name: Switch to using Python 3.10 by default
         uses: actions/setup-python@v5
         with:
-          python-version: 3.9
+          python-version: "3.10"
 
       - name: Install tox
         run: python3 -m pip install --user "tox>=4.0.0"
@@ -32,11 +34,9 @@ jobs:
           submodules: true
 
       - name: Build dists
-        run: python -m tox
+        run: python3 -m tox
 
       - name: Publish to pypi.org
         if: >- # "create" workflows run separately from "push" & "pull_request"
           github.event_name == 'release'
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.pypi_password }}

.github/workflows/tox.yml

@@ -2,18 +2,12 @@
 name: tox
 
 on:
-  create: # is used for publishing to PyPI and TestPyPI
-    tags: # any tag regardless of its name, no branches
-      - "**"
   push: # only publishes pushes to the main branch to TestPyPI
     branches: # any integration branch but not tag
       - "main"
   pull_request:
     branches:
       - "main"
-  release:
-    types:
-      - published # It seems that you can publish directly without creating
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
@@ -24,8 +18,8 @@ env:
   PY_COLORS: 1
 
 jobs:
-  pre:
-    name: pre
+  prepare:
+    name: prepare
     runs-on: ubuntu-22.04
     outputs:
       matrix: ${{ steps.generate_matrix.outputs.matrix }}
@@ -46,15 +40,18 @@ jobs:
   build:
     name: ${{ matrix.name }}
     runs-on: ${{ matrix.os || 'ubuntu-22.04' }}
-    environment: test
-    needs: pre
+    needs:
+      - prepare
     defaults:
       run:
         shell: ${{ matrix.shell || 'bash'}}
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.pre.outputs.matrix) }}
-
+      matrix: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    env:
+      # Number of expected test passes, safety measure for accidental skip of
+      # tests. Update value if you add/remove tests.
+      PYTEST_REQPASS: 7
     steps:
       - uses: actions/checkout@v4
         with:
@@ -90,27 +87,14 @@ jobs:
       - name: tox -e ${{ matrix.passed_name }}
         run: python3 -m tox -e ${{ matrix.passed_name }}
 
-      - name: Combine coverage data
-        if: ${{ startsWith(matrix.passed_name, 'py') }}
-        # produce a single .coverage file at repo root
-        run: tox -e coverage
-
-      - name: Upload coverage data
-        if: ${{ startsWith(matrix.passed_name, 'py') }}
-        uses: codecov/codecov-action@v4
-        with:
-          name: ${{ matrix.passed_name }}
-          fail_ci_if_error: true # see https://github.com/codecov/codecov-action/issues/598
-          token: ${{ secrets.CODECOV_TOKEN }}
-          verbose: true # optional (default = false)
-
       - name: Archive logs
         uses: actions/upload-artifact@v4
         with:
           name: logs-${{ matrix.name }}.zip
-          path: .tox/**/log/
-        # https://github.com/actions/upload-artifact/issues/123
-        continue-on-error: true
+          path: |
+            .tox/**/log/
+            .tox/**/.coverage*
+            .tox/**/coverage.xml
 
       - name: Report failure if git reports dirty status
         run: |
@@ -125,6 +109,8 @@ jobs:
   check: # This job does nothing and is only used for the branch protection
     if: always()
     permissions:
+      checks: read # codecov-action
+      id-token: write # codecov-action
       pull-requests: write # allow codenotify to comment on pull-request
 
     needs:
@@ -133,17 +119,56 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      # checkout needed for codecov action which needs codecov.yml file
+      - uses: actions/checkout@v4
+
+      - name: Set up Python # likely needed for coverage
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - run: pip3 install 'coverage>=7.5.1'
+
+      - name: Merge logs into a single archive
+        uses: actions/upload-artifact/merge@v4
+        with:
+          name: logs.zip
+          pattern: logs-*.zip
+          # artifacts like py312.zip and py312-macos do have overlapping files
+          separate-directories: true
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: logs.zip
+          path: .
+
+      - name: Check for expected number of coverage.xml reports
+        run: |
+          JOBS_PRODUCING_COVERAGE=4
+          if [ "$(find . -name coverage.xml | wc -l | bc)" -ne "${JOBS_PRODUCING_COVERAGE}" ]; then
+            echo "::error::Number of coverage.xml files was not the expected one (${JOBS_PRODUCING_COVERAGE}): $(find . -name coverage.xml |xargs echo)"
+            exit 1
+          fi
+
+      - name: Upload coverage data
+        uses: codecov/codecov-action@v4
+        with:
+          name: ${{ matrix.passed_name }}
+          # verbose: true # optional (default = false)
+          fail_ci_if_error: true
+          use_oidc: true # cspell:ignore oidc
+
+      - name: Check codecov.io status
+        if: github.event_name == 'pull_request'
+        uses: coactions/codecov-status@main
+
       - name: Decide whether the needed jobs succeeded or failed
         uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
 
-      - name: Check out src from Git
-        uses: actions/checkout@v4
-
-      - name: Notify repository owners about lint change affecting them
-        uses: sourcegraph/[email protected]
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        # https://github.com/sourcegraph/codenotify/issues/19
-        continue-on-error: true
+      - name: Delete Merged Artifacts
+        uses: actions/upload-artifact/merge@v4
+        with:
+          delete-merged: true

.pre-commit-config.yaml

@@ -3,7 +3,7 @@ ci:
   skip: [markdownlint_docker]
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: "v0.2.2"
+    rev: "v0.4.9"
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
@@ -22,12 +22,12 @@ repos:
     hooks:
       - id: markdownlint_docker
   - repo: https://github.com/psf/black
-    rev: 24.2.0
+    rev: 24.4.2
     hooks:
       - id: black
         args: [--safe]
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: end-of-file-fixer
       - id: trailing-whitespace
@@ -45,7 +45,7 @@ repos:
         types: [file, yaml]
         entry: yamllint --strict
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.10.0
     hooks:
       - id: mypy
         # mypy args needed in order to match mypy cli behavior
@@ -61,7 +61,7 @@ repos:
           - subprocess-tee
           - typer>=0.7.0
   - repo: https://github.com/pycqa/pylint
-    rev: v3.0.3
+    rev: v3.2.3
     hooks:
       - id: pylint
         additional_dependencies:

docs/README.md

@@ -1,7 +1,7 @@
 # Documentation of mk tool
 
-`mk` is a CLI tool that aims to ease contribution to any open-source project by
-hiding repository implementation details from the casual contributor. With it,
+`mk` is a CLI tool that aims to ease contribution and maintenance for projects
+by hiding repository implementation details from the casual contributor. With it,
 you can contribute without having to know all the build and testing tools that
 the project team already uses, which often have strange requirements.
 

playbooks/test-integration.yml

@@ -14,11 +14,11 @@
       - name: ansible-lint
         url: https://github.com/ansible/ansible-lint
       - name: cookiecutter
-        url: https://github.com/cookiecutter/cookiecutter.git
+        url: https://github.com/cookiecutter/cookiecutter
       - name: typeshed
-        url: https://github.com/python/typeshed.git
+        url: https://github.com/python/typeshed
       - name: flask-babel
-        url: https://github.com/python-babel/flask-babel.git
+        url: https://github.com/python-babel/flask-babel
       - name: nox
         url: https://github.com/wntrblm/nox
   tasks:
@@ -28,6 +28,7 @@
 
     - name: Clone repo # noqa: git-latest
       ansible.builtin.git:
+        accept_newhostkey: true
         repo: "{{ item.url }}"
         dest: "{{ (cache_dir, item.name) | path_join }}"
         update: true