Modernize tooling: uv, ruff, Python 3.10–3.14, dependabot auto-merge

.github/dependabot.yml

@@ -1,9 +1,6 @@
 version: 2
 updates:
-- package-ecosystem: pip
-  directory: "/"
-  schedule:
-    interval: daily
-  open-pull-requests-limit: 10
-  assignees:
-      - "fhightower"
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/pytest.yml → .github/workflows/ci.yml

@@ -9,48 +9,64 @@ on:
   pull_request:
     branches: [ main ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  build_multi_os:
+  build_smoke:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python 3.14
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.14'
+    - name: Set up uv
+      uses: astral-sh/setup-uv@v6
+    - name: Build package
+      run: uv build
 
+  build_multi_os:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [macos-latest, windows-latest, ubuntu-latest]
-        python-version: [3.9]
+        python-version: ['3.14']
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
+    - name: Set up uv
+      uses: astral-sh/setup-uv@v6
     - name: Install dependencies
-      run: |
-        python -m pip install -r requirements.txt
-        python -m pip install -r requirements_dev.txt
+      run: uv sync --locked --group dev
     - name: Run pytest
       run: |
-        pytest
-        codecov
+        uv run pytest
+        uv run codecov
 
   build_multi_py_versions:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [ubuntu-latest]
-        python-version: [3.6, 3.7, 3.8, 3.9]
+        python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
+    - name: Set up uv
+      uses: astral-sh/setup-uv@v6
     - name: Install dependencies
-      run: |
-        python -m pip install -r requirements.txt
-        python -m pip install -r requirements_dev.txt
+      run: uv sync --locked --group dev
     - name: Run pytest
       run: |
-        pytest
-        codecov
+        uv run pytest
+        uv run codecov

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,67 @@
+name: Dependabot auto-merge
+
+on:
+  pull_request_target:
+  schedule:
+    - cron: "11 11 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  label:
+    if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@v2
+
+      - name: Ensure labels exist
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh label create auto-merge-candidate --color ededed --description "Dependabot dev-dep PR eligible for auto-merge after soak" --force --repo "$GITHUB_REPOSITORY"
+          gh label create needs-manual-merge --color d93f0b --description "Dependabot PR not eligible for auto-merge; needs manual review" --force --repo "$GITHUB_REPOSITORY"
+
+      - name: Label auto-merge candidates
+        if: steps.meta.outputs.dependency-type == 'direct:development' && (steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor')
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: gh pr edit "$PR_URL" --add-label auto-merge-candidate
+
+      - name: Label PRs needing manual review
+        if: ${{ !(steps.meta.outputs.dependency-type == 'direct:development' && (steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor')) }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: gh pr edit "$PR_URL" --add-label needs-manual-merge
+
+  soak-and-merge:
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    env:
+      SOAK_DAYS: 3
+    steps:
+      - name: Enable auto-merge on soaked PRs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cutoff=$(date -u -d "${SOAK_DAYS} days ago" +%Y-%m-%dT%H:%M:%SZ)
+          gh pr list \
+            --repo "$GITHUB_REPOSITORY" \
+            --author "app/dependabot" \
+            --label auto-merge-candidate \
+            --state open \
+            --json number,createdAt,autoMergeRequest \
+            --jq ".[] | select(.createdAt < \"$cutoff\") | .number" \
+          | while read -r pr; do
+              auto=$(gh pr view "$pr" --repo "$GITHUB_REPOSITORY" --json autoMergeRequest --jq .autoMergeRequest)
+              if [ "$auto" = "null" ] || [ -z "$auto" ]; then
+                echo "Enabling auto-merge on PR #$pr"
+                gh pr merge "$pr" --auto --squash --repo "$GITHUB_REPOSITORY" || echo "Failed to enable auto-merge on PR #$pr"
+              fi
+            done

.github/workflows/lint.yml

@@ -0,0 +1,32 @@
+# This workflow will install Python dependencies and lint the code with ruff and mypy
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Lint
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.14'
+    - name: Set up uv
+      uses: astral-sh/setup-uv@v6
+    - name: Install dependencies
+      run: uv sync --locked --group dev
+    - name: Lint
+      env:
+        CONTEXT: ci
+      run: ./docker/lint.sh

.github/workflows/python-publish.yml

@@ -0,0 +1,46 @@
+# This workflow will upload a Python Package to PyPI when a tag is pushed.
+# Uses PyPI trusted publishing (OIDC) — no secrets required.
+# Configure at: https://pypi.org/manage/project/d8s-python/settings/publishing/
+
+name: Upload Python Package to PyPi
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  deploy:
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write   # required for OIDC trusted publishing
+      contents: read
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Ensure tag commit is on main
+      run: |
+        git fetch origin main
+        git merge-base --is-ancestor "$GITHUB_SHA" origin/main
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.x'
+    - name: Verify version matches tag
+      run: |
+        TAG_VERSION="${GITHUB_REF_NAME#v}"
+        PKG_VERSION=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
+        if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+          echo "::error::Tag version ($TAG_VERSION) does not match package version ($PKG_VERSION)"
+          exit 1
+        fi
+    - name: Set up uv
+      uses: astral-sh/setup-uv@v6
+    - name: Build
+      run: uv build
+    - name: Publish to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1

README.md

@@ -5,7 +5,7 @@
 [![Lint](https://github.com/democritus-project/d8s-python/workflows/Lint/badge.svg)](https://github.com/democritus-project/d8s-python/actions)
 [![codecov](https://codecov.io/gh/democritus-project/d8s-python/branch/main/graph/badge.svg?token=V0WOIXRGMM)](https://codecov.io/gh/democritus-project/d8s-python)
 [![The Democritus Project uses semver version 2.0.0](https://img.shields.io/badge/-semver%20v2.0.0-22bfda)](https://semver.org/spec/v2.0.0.html)
-[![The Democritus Project uses black to format code](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
+[![The Democritus Project uses ruff to format and lint code](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
 [![License: LGPL v3](https://img.shields.io/badge/License-LGPL%20v3-blue.svg)](https://choosealicense.com/licenses/lgpl-3.0/)
 
 Democritus functions<sup>[1]</sup> for working with Python data (code and ASTs).

d8s_python/__init__.py

@@ -1,6 +1,6 @@
-__version__ = '0.9.0'
-__author__ = '''Floyd Hightower'''
-__email__ = 'floyd.hightower27@gmail.com'
+__version__ = "0.9.0"
+__author__ = """Floyd Hightower"""
+__email__ = "floyd.hightower27@gmail.com"
 
 from .ast_data import *
 from .python_data import *