chore: Add GH action and release please support

.github/actions/build-docs/action.yml

@@ -0,0 +1,9 @@
+name: Build Documentation
+description: 'Build Documentation.'
+
+runs:
+  using: composite
+  steps:
+    - name: Build Documentation
+      shell: bash
+      run: make docs

.github/actions/build/action.yml

@@ -0,0 +1,19 @@
+name: Build distribution files
+description: 'Build distribution files'
+outputs:
+  package-hashes:
+    description: "base64-encoded sha256 hashes of distribution files"
+    value: ${{ steps.package-hashes.outputs.package-hashes }}
+
+runs:
+  using: composite
+  steps:
+    - name: Build distribution files
+      shell: bash
+      run: poetry build
+    - name: Hash build files for provenance
+      id: package-hashes
+      shell: bash
+      working-directory: ./dist
+      run: |
+        echo "package-hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"

.github/actions/publish/action.yml

@@ -0,0 +1,18 @@
+name: Publish Package
+description: 'Publish the package to PyPI'
+inputs:
+  token:
+    description: 'Token to use for publishing.'
+    required: true
+  dry_run:
+    description: 'Is this a dry run. If so no package will be published.'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Publish package distributions to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      if: ${{ inputs.dry_run == 'false' }}
+      with:
+        password: ${{inputs.token}}

.github/workflows/ci.yml

@@ -0,0 +1,65 @@
+name: Quality control checks
+
+on:
+  push:
+    branches: [ main, 'feat/**' ]
+    paths-ignore:
+      - '**.md' # Do not need to run CI for markdown changes.
+  pull_request:
+    branches: [ main, 'feat/**' ]
+    paths-ignore:
+      - '**.md'
+
+jobs:
+  linux:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install poetry
+        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+
+      - uses: ./.github/actions/build
+      - uses: ./.github/actions/build-docs
+
+      - name: Run tests
+        run: make test
+
+      - name: Verify typehints
+        run: make lint
+
+  windows:
+    runs-on: windows-latest
+
+    defaults:
+      run:
+        shell: powershell
+
+    strategy:
+      matrix:
+        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install poetry
+        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+
+      - name: Install requirements
+        run: poetry install
+
+      - name: Run tests
+        run: make test

.github/workflows/lint-pr-title.yml

@@ -0,0 +1,12 @@
+name: Lint PR title
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  lint-pr-title:
+    uses: launchdarkly/gh-actions/.github/workflows/lint-pr-title.yml@main

.github/workflows/manual-publish.yml

@@ -0,0 +1,52 @@
+name: Publish Package
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Is this a dry run? If so no package will be published.'
+        type: boolean
+        required: true
+
+jobs:
+  build-publish:
+    runs-on: ubuntu-latest
+    # Needed to get tokens during publishing.
+    permissions:
+      id-token: write
+      contents: read
+    outputs:
+      package-hashes: ${{ steps.build.outputs.package-hashes}}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.8
+
+      - name: Install poetry
+        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+
+      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.0
+        name: 'Get PyPI token'
+        with:
+          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
+          ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
+
+      - uses: ./.github/actions/build
+        id: build
+
+      - uses: ./.github/actions/publish
+        with:
+          token: ${{env.PYPI_AUTH_TOKEN}}
+          dry_run: ${{ inputs.dry_run }}
+
+  release-provenance:
+    needs: [ 'build-publish' ]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    with:
+      base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
+      upload-assets: ${{ !inputs.dry_run }}

.github/workflows/release-please.yml

@@ -0,0 +1,71 @@
+name: Run Release Please
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  release-package:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Needed if using OIDC to get release secrets.
+      contents: write # Contents and pull-requests are for release-please to make releases.
+      pull-requests: write
+    outputs:
+      release-created: ${{ steps.release.outputs.release_created }}
+      upload-tag-name: ${{ steps.release.outputs.tag_name }}
+      package-hashes: ${{ steps.build.outputs.package-hashes}}
+    steps:
+      - uses: google-github-actions/release-please-action@v3
+        id: release
+        with:
+          command: manifest
+          token: ${{secrets.GITHUB_TOKEN}}
+          default-branch: main
+
+      - uses: actions/checkout@v4
+        if: ${{ steps.release.outputs.releases_created }}
+        with:
+          fetch-depth: 0 # If you only need the current version keep this.
+
+      - uses: actions/setup-python@v4
+        if: ${{ steps.release.outputs.releases_created }}
+        with:
+          python-version: 3.8
+
+      - name: Install poetry
+        if: ${{ steps.release.outputs.releases_created }}
+        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+
+      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.0
+        if: ${{ steps.release.outputs.releases_created }}
+        name: 'Get PyPI token'
+        with:
+          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
+          ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
+
+      - uses: ./.github/actions/build
+        id: build
+        if: ${{ steps.release.outputs.releases_created }}
+
+      - uses: ./.github/actions/build-docs
+        if: ${{ steps.release.outputs.releases_created }}
+
+      - uses: ./.github/actions/publish
+        if: ${{ steps.release.outputs.releases_created }}
+        with:
+          token: ${{env.PYPI_AUTH_TOKEN}}
+          dry_run: false
+
+  release-provenance:
+    needs: [ 'release-package' ]
+    if: ${{ needs.release-package.outputs.release-created }}
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    with:
+      base64-subjects: "${{ needs.release-package.outputs.package-hashes }}"
+      upload-assets: true
+      upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}

.github/workflows/stale.yml

@@ -0,0 +1,10 @@
+name: 'Close stale issues and PRs'
+on:
+  workflow_dispatch:
+  schedule:
+    # Happen once per day at 1:30 AM
+    - cron: '30 1 * * *'
+
+jobs:
+  sdk-close-stale:
+    uses: launchdarkly/gh-actions/.github/workflows/sdk-stale.yml@main

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.0.0"
+}

release-please-config.json

@@ -0,0 +1,11 @@
+{
+  "packages": {
+    ".": {
+      "release-type": "python",
+      "versioning": "default",
+      "include-v-in-tag": false,
+      "extra-files": ["ldotel/__init__.py", "PROVENANCE.md"],
+      "include-component-in-tag": false
+    }
+  }
+}