⬆️ CI/CD-#96: Configure PyPI publish workflows with OIDC

[FernandoCelmer]

Description

• .github/actions/build-package/ — composite action to build the Python package with python -m build
• .github/actions/setup-poetry/ — composite action to set up Python + Poetry with dependency caching
• .github/actions/extract-version/ — composite action to extract version from a release tag (strips v prefix)
• .github/actions/update-version/ — composite action to update LAST_VERSION, pyproject.toml, and dotflow/__init__.py
• .github/actions/commit-push/ — composite action to commit and push changes to a target branch
• .github/workflows/test.yml — reusable workflow for running pytest across Python 3.9–3.14 with coverage
• .github/workflows/code-quality.yml — reusable workflow for Ruff, Flake8, and MyPy checks
• .github/workflows/python-publish-pypi.yml — refactored to use OIDC, composite actions, and reusable workflows
• .github/workflows/python-publish-pypi-test.yml — refactored to use OIDC and reusable workflows
• .code_quality/ — centralized config for Ruff, Flake8, Black, isort, and MyPy
• dotflow/ and tests/ — formatting modernization via Ruff (import sorting, type annotation upgrades)

Motivation and Context

Eliminate long-lived PyPI API tokens stored as repository secrets by adopting OIDC Trusted Publisher authentication. Modularize CI/CD with reusable composite actions to reduce duplication and improve maintainability.

Closes #96

Types of changes

• Bug fix (change that fixes an issue)
• New feature (change which adds functionality)
• Documentation

Checklist

• I have performed a self-review of my own code
• I have added tests that prove my fix is effective or that my feature works
• I have updated the CHANGELOG
• I have updated the documentation accordingly

[FernandoCelmer]

🔍 Code Review

Code issues found: 5

See inline comments below.