Refactor GHA pipelines

Author: ssbarnea

.github/workflows/tox.yml

@@ -1,24 +1,37 @@
+---
 name: tox
 
 on:
+  merge_group:
   push:
     branches:
-      - main
+      - "main"
 
   pull_request:
     branches:
-      - main
+      - "main"
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+env:
+  FORCE_COLOR: 1 # tox, pytest, ansible-lint
+  PY_COLORS: 1
 
 jobs:
-  pre:
-    name: pre
-    runs-on: ubuntu-22.04
+  prepare:
+    name: prepare
+    runs-on: ubuntu-24.04
     outputs:
       matrix: ${{ steps.generate_matrix.outputs.matrix }}
     steps:
       - name: Determine matrix
         id: generate_matrix
-        uses: coactions/matrix@v4
+        uses: coactions/dynamic-matrix@v4
         with:
           min_python: "3.10"
           max_python: "3.14"
@@ -29,37 +42,120 @@ jobs:
             docs
   build:
     name: ${{ matrix.name }}
-    needs: pre
-    runs-on: ${{ matrix.os || 'ubuntu-22.04' }}
+    runs-on: ${{ matrix.os || 'ubuntu-24.04' }}
+    needs:
+      - prepare
 
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.pre.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.prepare.outputs.matrix) }}
 
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # needed by setuptools-scm
+          submodules: true
 
-      - name: Set up Python ${{ matrix.python_version }}
+      - name: Set pre-commit cache
+        uses: actions/cache@v4
+        if: ${{ matrix.name == 'lint' }}
+        with:
+          path: |
+            ~/.cache/pre-commit
+          key: pre-commit-${{ matrix.name }}-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Set up Python ${{ matrix.python_version || '3.10' }}
+        if: "!contains(matrix.shell, 'wsl')"
         uses: actions/setup-python@v5
         with:
-          python-version: ${{ matrix.python_version }}
+          cache: pip
+          python-version: ${{ matrix.python_version || '3.10' }}
+
 
-      - name: Install dependencies
+      - name: Install tox
         run: |
-          python -m pip install --upgrade pip
-          pip install tox>=4.0
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade "tox>=4.0.0" "tox-uv>=1.25.0" "uv>=0.6.6"
+
+      - name: Log installed dists
+        run: python3 -m pip freeze --all
 
-      - name: ${{ matrix.name }}
-        run: ${{ matrix.command }}
+      - run: ${{ matrix.command }}
 
-  check: # This job does nothing and is only used for the branch protection
+      - run: ${{ matrix.command2 }}
+        if: ${{ matrix.command2 }}
+
+      - run: ${{ matrix.command3 }}
+        if: ${{ matrix.command3 }}
+
+      - run: ${{ matrix.command4 }}
+        if: ${{ matrix.command4 }}
+
+      - run: ${{ matrix.command5 }}
+        if: ${{ matrix.command5 }}
+
+      - name: Archive logs
+        uses: coactions/upload-artifact@v4
+        with:
+          name: logs-${{ matrix.name }}.zip
+          include-hidden-files: true
+          path: |
+            .tox/**/.coverage*
+            .tox/**/coverage.xml
+
+      - name: Report failure if git reports dirty status
+        run: |
+          if [[ -n $(git status -s) ]]; then
+            # shellcheck disable=SC2016
+            echo -n '::error file=git-status::'
+            printf '### Failed as git reported modified and/or untracked files\n```\n%s\n```\n' "$(git status -s)" | tee -a "$GITHUB_STEP_SUMMARY"
+            exit 99
+          fi
+  check:
     if: always()
+    permissions:
+      id-token: write
+      checks: read
     needs:
       - build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+
     steps:
+      # checkout needed for codecov action which needs codecov.yml file
+      - uses: actions/checkout@v4
+
+      - name: Set up Python # likely needed for coverage
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - run: pip3 install 'coverage>=7.5.1'
+
+      - name: Merge logs into a single archive
+        uses: actions/upload-artifact/merge@v4
+        with:
+          name: logs.zip
+          include-hidden-files: true
+          pattern: logs-*.zip
+          # artifacts like py312.zip and py312-macos do have overlapping files
+          separate-directories: true
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        continue-on-error: true # to allow rerunning this job
+        with:
+          name: logs.zip
+          path: .
+
+
+      - name: Upload coverage data
+        uses: codecov/[email protected]
+        with:
+          name: ${{ matrix.name }}
+          # verbose: true # optional (default = false)
+          fail_ci_if_error: true
+          use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }} # cspell:ignore oidc
+
       - name: Decide whether the needed jobs succeeded or failed
         uses: re-actors/alls-green@release/v1
         with: