fix: update from template

Author: olivermeyer

.copier-answers.yml

@@ -1,4 +1,4 @@
-_commit: v1.2.0
+_commit: v1.7.1
 _src_path: git@github.com:aignostics/foundry-python.git
 author_email: oliver.meyer@aignostics.com
 author_github_username: olivermeyer
@@ -9,5 +9,6 @@ import_package_name: aignostics_foundry_core
 project_description: Foundational infrastructure for Foundry components.
 project_icon: 🏭
 project_name: Foundry Python Core
+project_type: library
 slack_notifications_enabled: true
 slack_release_channel: '#announce-foundry'

.github/actions/run-tests/action.yml

@@ -35,7 +35,7 @@ runs:
       shell: bash
       run: |
         set +e
-        mise run $MISE_TASK
+        mise run "${MISE_TASK}"
         EXIT_CODE=$?
         # Show test execution in GitHub Job summary
         found_files=0
@@ -47,7 +47,7 @@ runs:
         fi
         done
         if [ $found_files -eq 0 ]; then
-          echo "# $SUMMARY_TITLE" >> $GITHUB_STEP_SUMMARY
+          echo "# ${SUMMARY_TITLE}" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
         fi
         # Show test coverage in GitHub Job summary

.github/actions/setup-dev-env/action.yml

@@ -4,9 +4,12 @@ description: 'Checkout, GCP auth, mise, uv, and dev tools'
 runs:
   using: 'composite'
   steps:
+
     - name: Install mise
       uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 
     - name: Initialize mise and install Python dependencies
       shell: bash
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
       run: mise run install

.github/workflows/_audit.yml

@@ -22,6 +22,9 @@ jobs:
       - name: Audit
         run: mise run audit
 
+      - name: Generate attributions
+        run: mise run attributions
+
       - name: Upload audit results
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ always() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
@@ -34,4 +37,5 @@ jobs:
             reports/licenses.json
             reports/licenses_grouped.json
             reports/vulnerabilities.json
+            reports/ATTRIBUTIONS.md
           retention-days: 30

.github/workflows/_lint.yml

@@ -20,4 +20,4 @@ jobs:
         uses: ./.github/actions/setup-dev-env
 
       - name: Lint
-        run: mise run lint
+        run: mise run pre_commit_run_all

.github/workflows/_package-publish.yml

@@ -23,8 +23,6 @@ jobs:
       - name: Setup Dev Environment
         uses: ./.github/actions/setup-dev-env
 
-      - name: Build documentation
-        run: mise run docs
 
       - name: Build distribution
         run: uv build
@@ -45,10 +43,15 @@ jobs:
 
           # Export release notes for Slack notification
           # Convert markdown links [text](url) to Slack format <url|text>
-          # Truncate to 2900 chars for Slack's ~3000 char limit
+          # If notes exceed Slack's ~3000 char limit, truncate and add link to full release notes
           # Escape for JSON (backslashes, quotes, newlines)
-          NOTES=$(sed -E 's/\[([^]]+)\]\(([^)]+)\)/<\2|\1>/g' RELEASE_NOTES.md | head -c 2900 | \
-            sed 's/\\/\\\\/g' | sed 's/"/\\"/g' | sed ':a;N;$!ba;s/\n/\\n/g')
+          NOTES_CONVERTED=$(sed -E 's/\[([^]]+)\]\(([^)]+)\)/<\2|\1>/g' RELEASE_NOTES.md)
+          RELEASE_URL="${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}"
+          if [ "$(printf '%s' "$NOTES_CONVERTED" | wc -c)" -gt 2700 ]; then
+            NOTES_TRUNCATED=$(printf '%s' "$NOTES_CONVERTED" | head -c 2700)
+            NOTES_CONVERTED="${NOTES_TRUNCATED}"$'\n'"...<${RELEASE_URL}|Read full release notes>"
+          fi
+          NOTES=$(printf '%s' "$NOTES_CONVERTED" | sed 's/\\/\\\\/g' | sed 's/"/\\"/g' | sed ':a;N;$!ba;s/\n/\\n/g')
           echo "RELEASE_NOTES_CONTENT=$NOTES" >> $GITHUB_ENV
 
 
@@ -69,8 +72,8 @@ jobs:
 
       - name: Send Slack release notification
         if: success()
-        uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
         with:
           method: chat.postMessage
           token: ${{ secrets.SLACK_RELEASE_BOT_TOKEN }}
-          payload: '{"channel":"#announce-foundry","text":"🚀 aignostics-foundry-core ${{ github.ref_name }} released","blocks":[{"type":"section","text":{"type":"mrkdwn","text":"🚀 *aignostics-foundry-core* <${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}|${{ github.ref_name }}> released"}},{"type":"section","text":{"type":"mrkdwn","text":"${{ env.RELEASE_NOTES_CONTENT }}"}}]}'
+          payload: '{"channel":"#announce-foundry","text":"🚀 Foundry Python Core ${{ github.ref_name }} released","blocks":[{"type":"section","text":{"type":"mrkdwn","text":"🚀 *Foundry Python Core* <${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}|${{ github.ref_name }}> released"}},{"type":"section","text":{"type":"mrkdwn","text":"${{ env.RELEASE_NOTES_CONTENT }}"}}]}'

.github/workflows/_scheduled-test-daily.yml

@@ -36,7 +36,7 @@ jobs:
         if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         shell: bash
         run: |
-          TOML_VERSION=$(grep -m 1 '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
+          TOML_VERSION=$(uv run python -c "import tomli; print(tomli.load(open('pyproject.toml', 'rb'))['project']['version'])")
           echo "Development build - Current version in pyproject.toml: $TOML_VERSION"
 
       - name: Validate and set environment suffix
@@ -46,14 +46,14 @@ jobs:
         shell: bash
         run: |
           # Validate deploy_env is one of the allowed values
-          case "$DEPLOY_ENV" in
+          case "${DEPLOY_ENV}" in
             dev|test|staging|production)
               # Convert to uppercase
-              SUFFIX=$(echo "$DEPLOY_ENV" | tr '[:lower:]' '[:upper:]')
+              SUFFIX=$(echo "${DEPLOY_ENV}" | tr '[:lower:]' '[:upper:]')
               echo "suffix=${SUFFIX}" >> $GITHUB_OUTPUT
               ;;
             *)
-              echo "Error: Invalid deploy_env value '$DEPLOY_ENV'. Must be one of: dev, test, staging, production"
+              echo "Error: Invalid deploy_env value '${DEPLOY_ENV}'. Must be one of: dev, test, staging, production"
               exit 1
               ;;
           esac
@@ -220,7 +220,7 @@ jobs:
 
       - name: SonarQube Scan
         if: ${{ !cancelled() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
-        uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8
+        uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/_scheduled-test-hourly.yml

@@ -39,14 +39,14 @@ jobs:
         shell: bash
         run: |
           # Validate deploy_env is one of the allowed values
-          case "$DEPLOY_ENV" in
+          case "${DEPLOY_ENV}" in
             dev|test|staging|production)
               # Convert to uppercase
-              SUFFIX=$(echo "$DEPLOY_ENV" | tr '[:lower:]' '[:upper:]')
+              SUFFIX=$(echo "${DEPLOY_ENV}" | tr '[:lower:]' '[:upper:]')
               echo "suffix=${SUFFIX}" >> $GITHUB_OUTPUT
               ;;
             *)
-              echo "Error: Invalid deploy_env value '$DEPLOY_ENV'. Must be one of: dev, test, staging, production"
+              echo "Error: Invalid deploy_env value '${DEPLOY_ENV}'. Must be one of: dev, test, staging, production"
               exit 1
               ;;
           esac

.github/workflows/_test.yml

@@ -2,6 +2,17 @@ name: "> Test"
 
 on:
   workflow_call:
+    secrets:
+      GCP_WORKLOAD_IDENTITY_PROVIDER:
+        required: true
+      CODECOV_TOKEN:
+        required: true
+      SONAR_TOKEN:
+        required: true
+      AIGNOSTICS_FOUNDRY_CORE_LOGFIRE_TOKEN:
+        required: false
+      AIGNOSTICS_FOUNDRY_CORE_SENTRY_DSN:
+        required: false
 
 concurrency:
   group: test-${{ github.ref }}
@@ -15,6 +26,7 @@ jobs:
       contents: read
       id-token: write
       packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -40,13 +52,6 @@ jobs:
           TOML_VERSION=$(grep -m 1 '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
           echo "Development build - Current version in pyproject.toml: $TOML_VERSION"
 
-      - name: Create .env file
-        uses: SpicyPizza/create-envfile@ace6d4f5d7802b600276c23ca417e669f1a06f6f # v2.0.3
-        with:
-          envkey_AIGNOSTICS_FOUNDRY_CORE_LOGFIRE_TOKEN: "${{ secrets.AIGNOSTICS_FOUNDRY_CORE_LOGFIRE_TOKEN }}"
-          envkey_AIGNOSTICS_FOUNDRY_CORE_SENTRY_DSN: "${{ secrets.AIGNOSTICS_FOUNDRY_CORE_SENTRY_DSN }}"
-          fail_on_empty: false
-
       - name: Test / Unit
         uses: ./.github/actions/run-tests
         with:
@@ -74,6 +79,15 @@ jobs:
           summary-title: All e2e tests passed
           commit-message: ${{ github.event.head_commit.message }}
 
+      - name: Test / Unit (lowest-direct)
+        uses: ./.github/actions/run-tests
+        with:
+          test-type: unit
+          mise-task: test_lowest_direct
+          skip-marker: skip:test:lowest-direct
+          summary-title: All unit tests passed with lowest-direct dependencies
+          commit-message: ${{ github.event.head_commit.message }}
+
       - name: Upload test results
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ always() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
@@ -102,7 +116,7 @@ jobs:
 
       - name: SonarQube Scan
         if: ${{ !cancelled() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
-        uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8
+        uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/bump.yml

@@ -8,18 +8,23 @@ on:
         required: false
         type: string
         default: ""
+  workflow_call:
+    secrets:
+      GCP_WORKLOAD_IDENTITY_PROVIDER:
+        required: true
 
 jobs:
   bump:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
     steps:
       - name: Generate GitHub App token
         id: app-token
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+          client-id: ${{ secrets.RELEASE_BOT_APP_ID }}
           private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
 
       - name: Checkout
@@ -28,11 +33,8 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
           fetch-depth: 0
 
-      - name: Install mise
-        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
-
-      - name: Install Python, venv and dependencies
-        run: uv sync --all-extras --frozen --no-build --link-mode=copy
+      - name: Setup Dev Environment
+        uses: ./.github/actions/setup-dev-env
 
       - name: Configure git identity
         run: |