Update ref version to v0.8.20 and add renovate template

.github/workflows/copilot-setup-steps.yml

@@ -34,7 +34,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7.6.0
         with:
-          version: "0.10.12"
+          version: "0.11.2"
 
       - name: Configure git auth for private packages
         uses: ./.github/actions/configure-git-auth

.github/workflows/rhiza_book.yml

@@ -43,7 +43,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7.6.0
         with:
-          version: "0.10.12"
+          version: "0.11.2"
 
       - name: Configure git auth for private packages
         uses: ./.github/actions/configure-git-auth
@@ -88,5 +88,5 @@ jobs:
       # If PUBLISH_COMPANION_BOOK is not set, it defaults to allowing deployment
       - name: Deploy to GitHub Pages
         if: ${{ !github.event.repository.fork && (vars.PUBLISH_COMPANION_BOOK == 'true' || vars.PUBLISH_COMPANION_BOOK == '') }}
-        uses: actions/deploy-pages@v4.0.5  # Official GitHub Pages deployment action
+        uses: actions/deploy-pages@v5.0.0  # Official GitHub Pages deployment action
         continue-on-error: true

.github/workflows/rhiza_ci.yml

@@ -3,9 +3,11 @@
 #
 # Workflow: Continuous Integration
 #
-# Purpose: Run tests on multiple Python versions to ensure compatibility.
+# Purpose: Run tests on multiple Python versions, check dependencies, run
+#          pre-commit hooks, verify documentation coverage, validate the
+#          project, run security scans, and check license compliance.
 #
-# Trigger: On push and pull requests to main/master branches.
+# Trigger: On push and pull_request.
 
 name: (RHIZA) CI
 
@@ -15,9 +17,7 @@ permissions:
 
 on:
   push:
-    branches: [ main, master ]
   pull_request:
-    branches: [ main, master ]
 
 jobs:
   generate-matrix:
@@ -32,13 +32,13 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7.6.0
         with:
-          version: "0.10.12"
+          version: "0.11.2"
 
       - name: Configure git auth for private packages
         uses: ./.github/actions/configure-git-auth
         with:
           token: ${{ secrets.GH_PAT }}
-          
+
       - id: versions
         env:
           UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
@@ -53,10 +53,11 @@ jobs:
 
   test:
     needs: generate-matrix
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         python-version: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+        os: [ubuntu-latest, macos-latest, windows-latest]
       fail-fast: false
 
     steps:
@@ -68,7 +69,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7.6.0
         with:
-          version: "0.10.12"
+          version: "0.11.2"
           python-version: ${{ matrix.python-version }}
 
       - name: Configure git auth for private packages
@@ -83,14 +84,82 @@ jobs:
           make test
 
       - name: Upload coverage report
-        if: matrix.python-version == '3.12'
+        if: matrix.python-version == '3.12' && matrix.os == 'ubuntu-latest'
         uses: actions/upload-artifact@v7
         with:
           name: coverage-report
           path: _tests/coverage.xml
           if-no-files-found: ignore
 
 
+  typecheck:
+    name: Type checking
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.6.0
+        with:
+          version: "0.11.2"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Run ty type checker (make typecheck)
+        # Runs `uv run ty check src/` as defined in .rhiza/make.d/test.mk.
+        # ty is configured via [tool.ty.environment] in pyproject.toml.
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
+        run: make typecheck
+
+  deptry:
+    name: Check dependencies with deptry
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.6.0
+        with:
+          version: "0.11.2"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Run deptry
+        run: make deptry
+
+  pre-commit:
+    name: Pre-commit hooks
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6.0.2
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Cache pre-commit environments
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            pre-commit-${{ runner.os }}-
+
+      - name: Run pre-commit
+        run: |
+          make fmt
+
   docs-coverage:
     runs-on: ubuntu-latest
     steps:
@@ -100,7 +169,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7.6.0
         with:
-          version: "0.10.12"
+          version: "0.11.2"
 
       - name: Configure git auth for private packages
         uses: ./.github/actions/configure-git-auth
@@ -113,6 +182,87 @@ jobs:
         run: |
           make docs-coverage
 
+  validation:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6.0.2
+        with:
+          lfs: true
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.6.0
+        with:
+          version: "0.11.2"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Validate
+        shell: bash
+        run: |
+          make validate
+
+  security:
+    name: Security scanning
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.6.0
+        with:
+          version: "0.11.2"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Run security scans
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
+        run: make security
+
+  license:
+    name: License compliance scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.6.0
+        with:
+          version: "0.11.2"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Run license check
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
+        run: make license
+
+      - name: Generate LICENSES.md
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
+        run: |
+          uv run --with pip-licenses pip-licenses --format markdown --output-file LICENSES.md
+
+      - name: Upload LICENSES.md
+        uses: actions/upload-artifact@v7
+        with:
+          name: LICENSES.md
+          path: LICENSES.md
+          if-no-files-found: ignore
+
   coverage-badge:
     needs: test
     runs-on: ubuntu-latest
@@ -128,7 +278,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7.6.0
         with:
-          version: "0.10.12"
+          version: "0.11.2"
 
       - name: Download coverage report
         id: download-coverage