ci|docs: initial revision of GHA workflows

also make several improvements to the docs

Signed-off-by: Bryant Finney <[email protected]>

Author: bryant-finney

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,63 @@
+______________________________________________________________________
+
+## name: Bug report about: Report a bug to help us improve title: "bug: ..." labels: bug assignees: ""
+
+# Bug Report
+
+<!-- 1-3 sentences summarizing the bug you encountered -->
+
+## Steps to Reproduce
+
+<!--
+provide detailed steps to reproduce the bug. these steps will be used to write an acceptance test
+for the bug fix, so snippets of Python are welcome.
+-->
+
+1. _Step 1_
+1. _Step 2_
+1. _Step 3_
+1. ...
+
+### Expected Behavior
+
+<!-- what you expected to happen when following the steps above -->
+
+### Actual Behavior
+
+<!-- what actually happened when following the steps above -->
+
+## Environment
+
+<!-- provide information needed to reproduce the environment where the bug occurred -->
+
+```sh
+poetry env info
+```
+
+### Virtualenv
+
+- Python:
+- Implementation:
+- Path:
+- Executable:
+- Valid:
+
+### System
+
+- Platform:
+- OS:
+- Python:
+- Path:
+- Executable:
+
+## Additional Information
+
+<!-- any other information about the bug that you think might be helpful -->
+
+### Possible Solution
+
+<!-- if you have any ideas on how to solve the bug, please suggest them here -->
+
+### Related Issues
+
+<!-- are there any related issues? if yes, please list them here -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,33 @@
+______________________________________________________________________
+
+## name: Feature request about: Suggest an idea for this project title: "feat: ..." labels: feature assignees: ""
+
+# Feature Request
+
+<!-- 1-3 sentences describing the feature you would like to see implemented -->
+
+## User Story
+
+<!--
+describe the specific use case and users of this feature in the format of a user story
+
+for example:
+
+> As a cloud engineer, most of my configuration files are stored in AWS SSM Parameter Store. I would
+> like the ability for `pyspry` to retrieve these files automatically.
+-->
+
+### Proposed Solution
+
+<!--
+if you have any ideas or suggestions on how the feature could be implemented, please summarize them
+here, including any relevant code examples or concepts.
+-->
+
+## Additional Information
+
+<!-- any additional information that might help the developers evaluate your feature request -->
+
+### Related Issues
+
+<!-- are there any related issues? if yes, please list them here -->

.github/ISSUE_TEMPLATE/propose_enhancement.md

@@ -0,0 +1,27 @@
+______________________________________________________________________
+
+## name: Propose an enhancement about: Suggest an improvement to this project's existing implementation, operations, or maintenance title: "refactor: ..." labels: enhancement assignees: ""
+
+# Enhancement Proposal
+
+<!-- a brief 1-3 sentence summary of the proposal -->
+
+## Problem Statement
+
+<!-- define the problem you are presenting and why it’s a problem that should be solved. -->
+
+### Additional Details
+
+<!-- any additional information that might help to clarify characteristics of the problem, its extent (degree or scope), and/or severity (level of risk, magnitude of impact, or amount of costs) -->
+
+### Related Issues
+
+<!-- are there any related issues? if yes, please list them here -->
+
+## Proposed Solution
+
+<!-- if you have any ideas or suggestions on how the problem could be solved, please summarize them here, including any relevant code examples or concepts. -->
+
+### Acceptance Criteria
+
+<!-- what criteria must be met in order to implement the proposed solution? -->

.github/actions/poe/action.yaml

@@ -0,0 +1,65 @@
+name: setup
+description: Execute steps to set up the project
+inputs:
+  artifacts:
+    description: The path to the artifacts to upload
+    default: docs
+
+  poe-task:
+    description: Execute this 'poe' task
+    default: test
+
+  poetry-groups:
+    description: The dependency groups to install with poetry
+    default: ""
+
+  python-version:
+    description: The version of Python to use
+    default: "3.12"
+
+runs:
+  steps:
+    - run: pipx install poetry
+      shell: sh
+
+    - run: pipx inject poetry 'poethepoet[poetry_plugin]'
+      shell: sh
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+
+    - id: poetry
+      run: tr -d '\n' <<<"${{ inputs.poetry-groups }}" |
+        tr -c '[:alnum:]' '-' |
+        xargs printf 'groups=%s\n' >>"$GITHUB_OUTPUT"
+      shell: bash
+
+    - uses: actions/cache@v4
+      with:
+        path: ~/.cache
+        key: ${{ inputs.python-version }}-${{ steps.poetry.outputs.groups }}
+
+    - run: poetry
+        ${{ inputs.poetry-groups && format('install --only {0}', inputs.poetry-groups) || 'install'}}
+        --all-extras
+        --sync
+      shell: sh
+
+    # note: 'poetry' is used to run 'poe' tasks because `poetry_command = ""` in 'pyproject.toml'
+    # ref: https://github.com/ElucidBioimaging/back-end-health-checks/blob/452556c544c243ef829c469f0e11fcb0ebcbe4f0/pyproject.toml#L46
+    - run: poetry ${{ inputs.poe-task }}
+      shell: sh
+
+    - if: ${{ inputs.artifacts }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ inputs.poe-task }}-${{ inputs.artifacts }}-py${{ inputs.python-version }}
+        overwrite: true
+        path: ${{ inputs.artifacts }}
+
+    - if: ${{ runner.debug }}
+      run: git status
+      shell: sh
+
+  using: composite

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - commit-message:
+      prefix: deps
+      prefix-development: chore(dev-deps)
+    directory: /
+    open-pull-requests-limit: 10
+    package-ecosystem: pip
+    reviewers: [bryant-finney]
+    rebase-strategy: auto
+    schedule:
+      interval: daily
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/codeql.yml

@@ -0,0 +1,38 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "26 4 * * *"
+
+jobs:
+  analyze:
+    name: Analyze
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: python
+
+      - uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"

.github/workflows/dependabot-merge.yaml

@@ -0,0 +1,70 @@
+name: Dependabot Auto
+on: pull_request
+
+env:
+  GH_TOKEN: ${{ github.token }}
+
+jobs:
+  metadata:
+    if: github.actor == 'dependabot[bot]'
+
+    outputs:
+      dependency-names: ${{ steps.metadata.outputs.dependency-names }}
+      dependency-type: ${{ steps.metadata.outputs.dependency-type }}
+      update-type: ${{ steps.metadata.outputs.update-type }}
+    permissions:
+      pull-requests: read
+
+    runs-on: ubuntu-latest
+    steps:
+      - id: metadata
+        uses: dependabot/fetch-metadata@v2
+
+  auto-approve:
+    env:
+      APPROVE: gh pr review --approve ${{github.event.pull_request.html_url}} &&
+        echo PR_APPROVED=true >>$GITHUB_OUTPUT
+
+    if: github.actor == 'dependabot[bot]'
+
+    needs: metadata
+    permissions:
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    steps:
+      # automatically approve dev dependencies and indirect dependencies that are not major updates
+      - id: dev-or-indirect
+        if: ( needs.metadata.outputs.dependency-type == 'direct:development' ||
+          needs.metadata.outputs.dependency-type == 'indirect' ) &&
+          needs.metadata.outputs.update-type != 'version-update:semver-major'
+        run: eval "$APPROVE"
+
+      # automatically approve boto3 updates that are not major updates
+      - id: boto3
+        if: steps.dev-or-indirect.outputs.PR_APPROVED != 'true' &&
+          needs.metadata.outputs.dependency-type == 'direct:production' &&
+          contains(needs.metadata.outputs.dependency-names, 'boto3') &&
+          needs.metadata.outputs.update-type != 'version-update:semver-major'
+        run: eval "$APPROVE"
+
+      # post a comment that the PR needs to be reviewed
+      - if: steps.dev-or-indirect.outputs.PR_APPROVED != 'true' &&
+          steps.boto3.outputs.PR_APPROVED != 'true'
+        uses: thollander/actions-comment-pull-request@v2
+        with:
+          message: |
+            > [!IMPORTANT]
+            > This PR should be reviewed by a maintainer.
+
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+
+    needs: metadata
+    permissions:
+      contents: write
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - run: gh pr merge --auto --merge ${{github.event.pull_request.html_url}}

.github/workflows/pr-poe-skipped.yaml

@@ -0,0 +1,29 @@
+# Run this workflow to test Python code changes.
+name: 🎨 poe (PR)
+
+on:
+  pull_request:
+    paths:
+      - "*"
+      - "**"
+      - "!**/*.py"
+      - "!*.py"
+      - "!.pre-commit-config.yaml"
+      - "!poetry.lock"
+      - "!pyproject.toml"
+      - "!.github/workflows/pr-poe.yaml"
+      - "!.github/actions/poe/*"
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - run: printf "skipping 'poe lint' job (no relevant changes) ✅"
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        py: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - run: printf "skipping 'poe test' job (no relevant changes) ✅"

.github/workflows/pr-poe.yaml

@@ -0,0 +1,37 @@
+# Run this workflow to test Python code changes.
+name: 🎨 poe (PR)
+
+on:
+  pull_request:
+    paths:
+      - "**/*.py"
+      - "*.py"
+      - .pre-commit-config.yaml
+      - poetry.lock
+      - pyproject.toml
+      - .github/workflows/pr-poe.yaml
+      - .github/actions/poe/*
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/poe
+        with:
+          poe-task: lint
+          poetry-groups: main,build,test,lint
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        py: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/poe
+        with:
+          poe-task: test
+          poetry-groups: main,build,test
+          python-version: ${{ matrix.py }}