wislertt · wislertt · Dec 23, 2025 · Dec 19, 2025 · Dec 23, 2025 · Dec 23, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,56 @@
+name: ci
+
+on:
+    # Rulesets for main branch
+    # - Require status checks to pass -> Require branches to be up to date before merging
+    pull_request:
+        types: [labeled, unlabeled, opened, synchronize, reopened]
+
+permissions:
+    contents: write
+    id-token: write
+
+jobs:
+    # ====================================================
+    # Versioning and Release
+    # ====================================================
+    check-pre-release:
+        name: check-pre-release
+        uses: wislertt/zerv/.github/workflows/shared-check-pr-label-and-branch.yml@v0
+        with:
+            target_label: "pre-release"
+            branch_prefixes: '["release/"]'
+            branch_names: '["develop"]'
+
+    zerv-versioning:
+        name: zerv-versioning
+        needs: check-pre-release
+        uses: wislertt/zerv/.github/workflows/shared-zerv-versioning.yml@v0
+        with:
+            schema: ${{ (needs.check-pre-release.outputs.is_valid == 'true' && 'standard-base-prerelease-post') || '' }}
+
+    tag-pre-release:
+        name: tag-pre-release
+        needs: [zerv-versioning, check-pre-release]
+        if: needs.check-pre-release.outputs.is_valid == 'true'
+        uses: wislertt/zerv/.github/workflows/shared-create-tags.yml@v0
+        with:
+            tags: '["${{ fromJson(needs.zerv-versioning.outputs.versions).v_semver }}"]'
+
+    # ====================================================
+    # Test and Lint
+    # ====================================================
+    test:
+        name: test
+        uses: ./.github/workflows/test.yml
+        secrets:
+            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+            CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+    test-reproducibility:
+        name: test-reproducibility
+        uses: ./.github/workflows/test-reproducibility.yml
+
+    pre-commit:
+        name: pre-commit
+        uses: ./.github/workflows/pre-commit.yml
diff --git a/.github/workflows/ci-pre-commit.yml → .github/workflows/pre-commit.yml b/.github/workflows/ci-pre-commit.yml → .github/workflows/pre-commit.yml
@@ -1,8 +1,13 @@
-name: ci
+name: pre-commit
 
 on:
-    pull_request:
-        types: [opened, synchronize, reopened]
+    workflow_call:
+        inputs:
+            python_version:
+                description: "Python version to use"
+                required: false
+                type: string
+                default: "3.14"
 
 jobs:
     pre-commit:
@@ -16,7 +21,7 @@ jobs:
 
             - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
               with:
-                  python-version: "3.14"
+                  python-version: ${{ inputs.python_version }}
 
             - name: Install Poetry
               uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,52 @@
+name: Reusable PyPI Publisher
+
+on:
+    workflow_call:
+        inputs:
+            version:
+                required: true
+                type: string
+                description: "PEP440 version string"
+            repository_url:
+                required: false
+                type: string
+                description: "PyPI repository URL (default: official PyPI)"
+                default: ""
+        secrets:
+            PYPI_API_TOKEN:
+                required: true
+
+jobs:
+    publish:
+        name: publish-to-pypi
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Update version in pyproject.toml
+              run: |
+                  sed -i.bak 's/^version = .*/version = "${{ inputs.version }}"/' pyproject.toml
+                  grep '^version' pyproject.toml
+
+            - name: Set up Python
+              uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+              with:
+                  python-version: "3.14"
+
+            - name: Install uv
+              uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+              with:
+                  version: "latest"
+
+            - name: Build package
+              run: uv build
+
+            - name: Publish to PyPI
+              uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+              with:
+                  repository-url: ${{ inputs.repository_url || '' }}
+                  password: ${{ secrets.PYPI_API_TOKEN }}
+                  verbose: true
+                  skip-existing: true
diff --git a/...hub/workflows/ci-test-reproducibility.yml → .github/workflows/test-reproducibility.yml b/...hub/workflows/ci-test-reproducibility.yml → .github/workflows/test-reproducibility.yml
@@ -1,10 +1,13 @@
-name: ci
+name: test-reproducibility
 
 on:
-    push:
-        branches: [main]
-    pull_request:
-        types: [opened, synchronize, reopened]
+    workflow_call:
+        inputs:
+            python_version:
+                description: "Python version to use"
+                required: false
+                type: string
+                default: "3.14"
 
 jobs:
     test-reproducibility:
@@ -16,7 +19,7 @@ jobs:
             - name: Set up Python
               uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
               with:
-                  python-version: "3.14"
+                  python-version: ${{ inputs.python_version }}
 
             - name: Install Poetry
               uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1

diff --git a/.github/workflows/ci-test.yml → .github/workflows/test.yml b/.github/workflows/ci-test.yml → .github/workflows/test.yml
@@ -1,13 +1,18 @@
-name: ci
+name: test
 
 on:
-    push:
-        branches: [main]
-    pull_request:
-        types: [opened, synchronize, reopened]
-
-env:
-    TARGET_PYTHON_VERSION: "3.14"
+    workflow_call:
+        inputs:
+            target_python_version:
+                description: "Target Python version for SonarQube and Codecov"
+                required: false
+                type: string
+                default: "3.14"
+        secrets:
+            SONAR_TOKEN:
+                required: false
+            CODECOV_TOKEN:
+                required: false
 
 jobs:
     test:
@@ -76,14 +81,14 @@ jobs:
               run: make test
 
             - name: SonarQube Scan
-              if: matrix.python-version == env.TARGET_PYTHON_VERSION && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
-              uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
+              if: matrix.python-version == inputs.target_python_version && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+              uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
               env:
                   SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
             - name: Upload coverage reports to Codecov
-              if: matrix.python-version == env.TARGET_PYTHON_VERSION && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
-              uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+              if: matrix.python-version == inputs.target_python_version && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+              uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
               with:
                   fail_ci_if_error: true
                   token: ${{ secrets.CODECOV_TOKEN }}