mwyau · mwyau · Mar 10, 2026 · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,34 +1,30 @@
 name: CI
 
 on:
+  pull_request:
   push:
     branches:
       - main
-      - dev
-  pull_request:
-    branches:
-      - dev
+      - release/**
+    tags:
+      - v*
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}
+  cancel-in-progress: ${{ github.ref_type != 'tag' }}
+
 permissions:
   contents: read
 
 jobs:
-  prepare:
-    runs-on: ubuntu-latest
-    # Skip PR CI if the head branch is 'dev' to avoid double runs (push trigger covers it)
-    if: github.event_name == 'push' || github.event.pull_request.head.ref != 'dev'
-    outputs:
-      python-versions: ${{ steps.versions.outputs.value }}
-    steps:
-      - id: versions
-        run: echo 'value=["3.11", "3.12", "3.13", "3.14"]' >> $GITHUB_OUTPUT
-
   ruff-lint:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push' || github.event.pull_request.head.ref != 'dev'
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
       - name: Set up uv
         uses: astral-sh/setup-uv@v7
         with:
@@ -37,10 +33,12 @@ jobs:
         run: uv run ruff check .
 
   ruff-format:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push' || github.event.pull_request.head.ref != 'dev'
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
       - name: Set up uv
         uses: astral-sh/setup-uv@v7
         with:
@@ -49,32 +47,50 @@ jobs:
         run: uv run ruff format --check .
 
   mypy-typecheck:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push' || github.event.pull_request.head.ref != 'dev'
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
       - name: Set up uv
         uses: astral-sh/setup-uv@v7
         with:
           enable-cache: true
       - name: Install system dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y libeccodes-dev
+          sudo apt-get install -y libopenmpi-dev libeccodes-dev
       - name: Install dependencies
-        run: uv sync --group dev
+        run: uv sync --frozen --group dev
       - name: Type check with Mypy
         run: uv run mypy src/ tests/
 
   unit-tests:
-    name: unit-tests (Python ${{ matrix.python-version }})
-    needs: prepare
-    runs-on: ubuntu-latest
+    name: unit-tests (Python ${{ matrix.python-version }}/${{ matrix.arch }}${{ matrix.min-deps && ', min-deps' || '' }})
+    runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
-        python-version: ${{ fromJSON(needs.prepare.outputs.python-versions) }}
+        include:
+          - arch: amd64
+            os: ubuntu-24.04
+            python-version: "3.11"
+          - arch: amd64
+            os: ubuntu-24.04
+            python-version: "3.11"
+            min-deps: true
+          - arch: amd64
+            os: ubuntu-24.04
+            python-version: "3.14"
+          - arch: arm64
+            os: ubuntu-24.04-arm
+            python-version: "3.14"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
       - name: Set up uv
         uses: astral-sh/setup-uv@v7
         with:
@@ -83,22 +99,35 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y libeccodes-dev
+          sudo apt-get install -y libopenmpi-dev libeccodes-dev
       - name: Install dependencies
-        run: uv sync --group dev
+        if: ${{ !matrix.min-deps }}
+        run: uv sync --frozen --group dev
+      - name: Install dependencies (min-deps)
+        if: ${{ matrix.min-deps }}
+        run: uv sync --group dev --resolution lowest-direct
       - name: Run Unit Tests
         run: |
           uv run pytest -vv
 
   integration-tests:
-    name: integration-tests (Python ${{ matrix.python-version }})
-    needs: prepare
-    runs-on: ubuntu-latest
+    name: integration-tests (Python ${{ matrix.python-version }}/${{ matrix.arch }})
+    runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
-        python-version: ${{ fromJSON(needs.prepare.outputs.python-versions) }}
+        include:
+          - arch: amd64
+            os: ubuntu-24.04
+            python-version: "3.14"
+          - arch: arm64
+            os: ubuntu-24.04-arm
+            python-version: "3.14"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
       - name: Set up uv
         uses: astral-sh/setup-uv@v7
         with:
@@ -109,7 +138,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y openmpi-bin libopenmpi-dev libeccodes-dev
       - name: Install dependencies
-        run: uv sync --group dev
+        run: uv sync --frozen --group dev
       - name: Run Integration Tests
         run: |
           uv run pytest -vv tests/test_integration.py --run-integration

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -1,22 +1,16 @@
 name: Docker Publish
 
 on:
-  workflow_run:
-    workflows: ["CI"]
-    branches: [dev]
-    types: [completed]
+  push:
+    branches:
+      - main
   release:
     types: [published]
   workflow_dispatch:
-    inputs:
-      branch:
-        description: 'The branch to build from'
-        required: true
-        type: choice
-        options:
-        - main
-        - dev
-        default: 'main'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
 
 env:
   DOCKER_HUB_REPO: xddd/pystormtracker
@@ -25,20 +19,17 @@ env:
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
-    if: |
-      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
-      github.event_name == 'release' ||
-      github.event_name == 'workflow_dispatch'
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
-          # Checkout the branch on manual trigger, the commit on workflow_run, or the tag on release
-          ref: ${{ github.event.inputs.branch || github.event.workflow_run.head_sha }}
-          fetch-depth: 0 # Fetches all history for all tags. Needed for semver.
+          ref: ${{ github.ref }}
+          fetch-depth: 0
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v4
@@ -67,22 +58,44 @@ jobs:
             ${{ env.DOCKER_HUB_REPO }}
             ${{ env.GHCR_REPO }}
           tags: |
-            # Tag all builds with the short commit hash
+            # Always tag with short SHA
             type=sha,format=short
-            # 'dev' tag for CI runs on dev branch or manual builds of dev
-            type=raw,value=dev,enable=${{ (github.event_name == 'workflow_run' && github.event.workflow_run.head_branch == 'dev') || (github.event_name == 'workflow_dispatch' && github.event.inputs.branch == 'dev') }}
-            # 'latest' and semantic version tags for releases
+            # Tag with 'latest' only for releases
             type=raw,value=latest,enable=${{ github.event_name == 'release' }}
-            type=match,pattern=v(.*),group=1,enable=${{ github.event_name == 'release' }}
+            # Tag with 'dev' only for main branch
+            type=raw,value=dev,enable=${{ github.ref_name == 'main' }}
+            # Branch tag only for manual builds (non-main)
+            type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' && github.ref_name != 'main' }}
+            # Semver tags only for releases
+            type=semver,pattern={{version}},enable=${{ github.event_name == 'release' }}
+            type=semver,pattern={{major}}.{{minor}},enable=${{ github.event_name == 'release' }}
+            type=semver,pattern={{major}},enable=${{ github.event_name == 'release' }}
+
 
       - name: Build and push Docker image
+        id: push
         uses: docker/build-push-action@v7
         with:
           context: .
           push: true
-          provenance: false
+          provenance: true
+          sbom: true
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      - name: Generate artifact attestation (Docker Hub)
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.DOCKER_HUB_REPO }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate artifact attestation (GHCR)
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.GHCR_REPO }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -7,23 +7,38 @@ on:
   release:
     types: [published]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions:
   contents: read
 
 jobs:
   release-build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
 
       - name: Set up uv
         uses: astral-sh/setup-uv@v7
         with:
           enable-cache: true
 
       - name: Build release distributions
-        run: uv build
+        run: uv build --wheel --sdist
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v4
+        with:
+          subject-path: "dist/*"
 
       - name: Upload distributions
         uses: actions/upload-artifact@v7

diff --git a/CITATION.cff b/CITATION.cff
@@ -19,8 +19,8 @@ keywords:
   - dask
   - mpi
 license: BSD-3-Clause
-version: 0.3.1
-date-released: '2026-03-08'
+version: 0.3.2
+date-released: '2026-03-09'
 preferred-citation:
   type: article
   authors: