Use dependency groups to manage CI test matrix versions

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default: everything
+* @bckohan

.github/dependabot.yml

@@ -9,13 +9,9 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-    commit-message:
-      prefix: ⬆
-  # Python
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: ⬆
+      interval: "monthly"
+
+    groups:
+      gha-updates:
+        patterns:
+          - "*"

.github/workflows/lint.yml

@@ -24,71 +24,61 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
         # run static analysis on bleeding and trailing edges
         python-version: ['3.10', '3.12', '3.14']
         django-version:
-          - '4.2' # LTS April 2026
-          - '5.2' # LTS April 2028
-          - '6.0' # April 2027
+          - 'dj42' # LTS April 2026
+          - 'dj52' # LTS April 2028
+          - 'dj60' # April 2027
         exclude:
           - python-version: '3.12'
-            django-version: '4.2'
+            django-version: 'dj42'
           - python-version: '3.14'
-            django-version: '4.2'
+            django-version: 'dj42'
 
           - python-version: '3.10'
-            django-version: '5.2'
+            django-version: 'dj52'
           - python-version: '3.14'
-            django-version: '5.2'
+            django-version: 'dj52'
 
           - python-version: '3.10'
-            django-version: '6.0'
+            django-version: 'dj60'
           - python-version: '3.12'
-            django-version: '6.0'
+            django-version: 'dj60'
 
     env:
       TEST_PYTHON_VERSION: ${{ matrix.python-version }}
       TEST_DJANGO_VERSION: ${{ matrix.django-version }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         id: sp
         with:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true
 
       - name: Install Just
-        uses: extractions/setup-just@v3
+        uses: extractions/setup-just@f8a3cce218d9f83db3a2ecd90e41ac3de6cdfd9b
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
         with:
-          enable-cache: true
-      - name: Install Dependencies
-        run: |
-          just setup ${{ steps.sp.outputs.python-path }} install-docs
-          if [[ "${{ matrix.django-version }}" =~ (a|b|rc) ]]; then
-            just test-lock Django==${{ matrix.django-version }}
-          else
-            just test-lock Django~=${{ matrix.django-version }}.0
-          fi
+          enable-cache: false
       - name: Install Emacs
         if: ${{ github.event.inputs.debug == 'true' }}
         run: |
           sudo apt install emacs
       - name: Setup tmate session
         if: ${{ github.event.inputs.debug == 'true' }}
-        uses: mxschmitt/action-tmate@v3.23
-        with:
-          detached: true
+        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101
         timeout-minutes: 60
       - name: Run Static Analysis
+        env:
+          PYTHON_PATH: ${{ steps.sp.outputs.python-path }}
         run: |
-          just test ./tests/verify_environment.py
-          just check-lint
-          just check-format
-          just check-types
-          just check-package
-          just check-readme
+          just check -p "$PYTHON_PATH" --group "$TEST_DJANGO_VERSION"

.github/workflows/release.yml

@@ -11,7 +11,7 @@ concurrency:
 on:
   push:
     tags:
-      - 'v*'  # only publish on version tags (e.g. v1.0.0)
+      - 'v[0-9]*.[0-9]*.[0-9]*'  # only publish on version tags (e.g. v1.0.0)
 
 jobs:
 
@@ -20,14 +20,14 @@ jobs:
       contents: read
       actions: write
     uses: ./.github/workflows/lint.yml
-    secrets: inherit
 
   test:
     permissions:
       contents: read
       actions: write
     uses: ./.github/workflows/test.yml
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   build:
     name: Build Package
@@ -39,17 +39,22 @@ jobs:
       PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }}
       RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }}
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
       with:
-        python-version: ">=3.11"  # for tomlib
+        python-version: "3.14"
+        allow-prereleases: true
     - name: Install uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
       with:
-        enable-cache: true
+        enable-cache: false
+        restore-cache: false
+        save-cache: false
     - name: Setup Just
-      uses: extractions/setup-just@v3
+      uses: extractions/setup-just@f8a3cce218d9f83db3a2ecd90e41ac3de6cdfd9b
     - name: Verify Tag
       run: |
         TAG_NAME=${GITHUB_REF#refs/tags/}
@@ -59,18 +64,18 @@ jobs:
         git fetch --force origin refs/tags/$TAG_NAME:refs/tags/$TAG_NAME
 
         # verify signature
-        curl -sL https://github.com/${{ github.actor }}.gpg | gpg --import 
+        curl -sL "https://github.com/${GITHUB_ACTOR}.gpg" | gpg --import
         git tag -v "$TAG_NAME"
 
         # verify version
         RELEASE_VERSION=$(just validate_version $TAG_NAME)
 
         # export the release version
-        echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV 
+        echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV
     - name: Build the binary wheel and a source tarball
       run: just build
     - name: Store the distribution packages
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
       with:
         name: python-package-distributions
         path: dist/
@@ -94,12 +99,12 @@ jobs:
       id-token: write  # IMPORTANT: mandatory for trusted publishing
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
       with:
         name: python-package-distributions
         path: dist/
-    - name: Publish distribution 📦 to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1.13
+    - name: Publish distribution to PyPI
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
 
   github-release:
     name: Publish GitHub Release
@@ -114,32 +119,33 @@ jobs:
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
       with:
         name: python-package-distributions
         path: dist/
     - name: Sign the dists with Sigstore
-      uses: sigstore/gh-action-sigstore-python@v3.2.0
+      uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d
       with:
         inputs: >-
           ./dist/*.tar.gz
           ./dist/*.whl
     - name: Create GitHub Release
       env:
         GITHUB_TOKEN: ${{ github.token }}
+        GITHUB_REF_NAME: ${{ github.ref_name }}
+        GITHUB_REPOSITORY: ${{ github.repository }}
       run: >-
         gh release create
-        '${{ github.ref_name }}'
-        --repo '${{ github.repository }}'
+        "$GITHUB_REF_NAME"
+        --repo "$GITHUB_REPOSITORY"
         --generate-notes
         --prerelease
     - name: Upload artifact signatures to GitHub Release
       env:
         GITHUB_TOKEN: ${{ github.token }}
-      # Upload to GitHub Release using the `gh` CLI.
-      # `dist/` contains the built packages, and the
-      # sigstore-produced signatures and certificates.
+        GITHUB_REF_NAME: ${{ github.ref_name }}
+        GITHUB_REPOSITORY: ${{ github.repository }}
       run: >-
         gh release upload
-        '${{ github.ref_name }}' dist/**
-        --repo '${{ github.repository }}'
+        "$GITHUB_REF_NAME" dist/**
+        --repo "$GITHUB_REPOSITORY"

.github/workflows/scorecard.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           persist-credentials: false