DEVOPS-781 refactor: clariti cumulusCI fork setup and release infrastructure (#16)

* DEVOPS-781 feat: add local GitHub Actions testing support with example secrets and vars files

* DEVOPS-781 chore: update package-ecosystem in dependabot configuration from pip to uv

* DEVOPS-781 chore: update setup-uv action references to use astral-sh/setup-uv@v5

* DEVOPS-781 docs: update documentation links to point to Clariti's GitHub Pages

* DEVOPS-781 refactor: update references and version requirements for Clariti CumulusCI

* DEVOPS-781 refactor: update project name and references to Clariti CumulusCI

* DEVOPS-781 docs: add legal compliance and security documentation for Clariti CumulusCI

* DEVOPS-781 docs: update CODEOWNERS and AUTHORS files for Clariti CumulusCI maintainers

* DEVOPS-781 docs: update bug report template to clarify support options and improve documentation links

* DEVOPS-781 docs: enhance AGENTS.md with local GitHub Actions testing instructions and key documentation references

* DEVOPS-781 chore: remove outdated update_dependencies workflow in favor of dependabot

* DEVOPS-781 feat: enhance workflow-test to support matrix filtering for OS selection

* DEVOPS-781 fix: update project name references to Clariti-CumulusCI in tests and utils

* DEVOPS-781 chore: update uv.lock

* DEVOPS-781 style: lint run_workflow.py

* DEVOPS-781 chore: add format/lint Makefile targets and fix code formatting

* DEVOPS-781 release: bump version to v4.6.0.dev2 with changelog

* DEVOPS-781 ci: add dynamic environment selection and trusted publishing for releases

* DEVOPS-781 fix: address CodeRabbit review findings (URLs and anchors)

* DEVOPS-781 fix: address remaining CodeRabbit findings (typos and shell vars)

- Fix typo "Offical" → "Official" in bug report template
- Fix grammar "please visit on the" → "please visit the"
- Improve release.yml to use shell variables instead of reading $GITHUB_OUTPUT

* DEVOPS-781 fix: pin third-party GitHub Actions to SHA

Pin non-GitHub owned actions to commit SHA for security:
- astral-sh/setup-uv@v5 -> SHA
- pre-commit/action@v3.0.1 -> SHA

* DEVOPS-781 fix: correct PyPI environment URL path

Use /project/ instead of /p/ for canonical PyPI URL.

* DEVOPS-781 fix: address CodeRabbit review findings

- docs/get-started.md: update Windows PATH from Python38 to Python311
- docs/org_config-reference.md: fix duplicated word "number"
- docs/robot-advanced.md: fix inconsistent anchor for Set Test Elapsed Time
- MAINTAINERS.md: update to reference PyPI GitHub Action instead of hatch publish
- slow_integration_tests.yml: update actions/checkout v2->v4, setup-python v4->v5
- cumulusci/cli/utils.py: fix Windows registry handle leak using context managers
- release.yml: tighten prerelease detection regex for PEP 440 compliance

* DEVOPS-781 fix: suppress warnings when var/secret files explicitly disabled

Don't emit warnings about missing custom var/secret files when the user
has explicitly disabled them via --no-var-file or --no-secret-file flags.

* DEVOPS-781 fix: add explicit permissions to GitHub Actions workflows

Add minimal permissions blocks to limit GITHUB_TOKEN scope:
- feature_test.yml: contents: read
- chores.yml: contents: read
- pre-release.yml: contents: write, pull-requests: write
- release.yml: contents: write, id-token: write
- release_test.yml: contents: read
- release_test_sfdx.yml: contents: read
- slow_integration_tests.yml: contents: read

* DEVOPS-781 fix: grant write permissions to chores workflow

The update_api_versions job pushes a branch and creates a PR,
so it needs contents: write and pull-requests: write permissions.

* DEVOPS-781 fix: update release_test.yml for clariti-cumulusci package name

Update wheel/sdist filenames and pip commands to use clariti_cumulusci
instead of cumulusci to match the renamed package.

Author: dipakparmar

.github/CODEOWNERS

@@ -1,3 +1,3 @@
-#ECCN: Open Source
-#GUSINFO: SFDO Release Engineering, SFDO RelEng - CumulusCI Core
-* @SFDO-Tooling/salesforce-org-release-engineering
+# Clariti CumulusCI Code Owners
+# Maintainers of the Clariti fork of CumulusCI
+* @ClaritiSoftware/cci-maintainers

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,12 +1,12 @@
 ---
 name: Bug report
-description: Report a problem in CumulusCI functionality
+description: Report a problem in Clariti CumulusCI functionality
 labels: bug
 body:
     - type: markdown
       attributes:
           value: |
-              If you are seeking support on using CumulusCI, please do not open an Issue. Instead, please visit us on the [Trailblazer Community](https://trailhead.salesforce.com/trailblazer-community/groups/0F9300000009M9ZCAU).
+              If you are seeking support on using Clariti CumulusCI or Official CumulusCI, please do not open an Issue. Instead, please visit the [Trailblazer Community](https://trailhead.salesforce.com/trailblazer-community/groups/0F9300000009M9ZCAU).
     - type: textarea
       id: bug_description
       validations:
@@ -71,7 +71,7 @@ body:
       id: error_gist
       attributes:
           label: Error Gist
-          description: If applicable, please use the `cci error gist` command to create a Gist from your error log and include the link here. See the [documentation](https://cumulusci.readthedocs.io/en/latest/features.html#working-with-errors) to learn how to create a Gist.
+          description: If applicable, please use the `cci error gist` command to create a Gist from your error log and include the link here. See the [documentation](https://claritisoftware.github.io/CumulusCI/features.html#working-with-errors) to learn how to create a Gist. **Recommended:** [Enable telemetry](https://claritisoftware.github.io/CumulusCI/env-var-reference.html#telemetry) and reproduce the issue so we automatically receive the error report.
     - type: textarea
       id: additional_information
       attributes:

.github/dependabot.yml

@@ -1,6 +1,6 @@
 version: 2
 updates:
-    - package-ecosystem: pip
+    - package-ecosystem: uv
       directory: "/"
       schedule:
           interval: weekly

.github/workflows/chores.yml

@@ -5,6 +5,10 @@ on:
     schedule:
         - cron: "0 0 * * 0" # At 00:00 on Sunday
 
+permissions:
+    contents: write
+    pull-requests: write
+
 jobs:
     check_api_versions:
         runs-on: ubuntu-latest

.github/workflows/docs.yml

@@ -37,7 +37,7 @@ jobs:
                   python-version: "3.11"
 
             - name: Set up uv
-              uses: SFDO-Tooling/setup-uv@main
+              uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
               with:
                   version: "0.8.4"
                   enable-cache: true

.github/workflows/feature_test.yml

@@ -8,11 +8,20 @@ on:
         branches:
             - main
 
+permissions:
+    contents: read
+
 jobs:
     lint:
         name: Lint
         if: ${{ contains(fromJSON('["workflow_dispatch", "pull_request"]'), github.event_name) }}
-        uses: SFDO-Tooling/.github/.github/workflows/pre-commit.yml@main
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-python@v4
+              with:
+                  python-version: "3.11"
+            - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
     docs:
         name: Build Docs
         if: ${{ github.event_name == 'pull_request' }}
@@ -28,7 +37,7 @@ jobs:
               with:
                   python-version: 3.11
             - name: Set up uv
-              uses: SFDO-Tooling/setup-uv@main
+              uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
               with:
                   version: "0.8.4"
                   enable-cache: true
@@ -54,7 +63,7 @@ jobs:
               with:
                   python-version: "${{ matrix.python-version }}"
             - name: Set up uv
-              uses: SFDO-Tooling/setup-uv@main
+              uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
               with:
                   version: "0.8.4"
                   enable-cache: true
@@ -78,7 +87,7 @@ jobs:
               with:
                   python-version: "${{ matrix.python-version }}"
             - name: Set up uv
-              uses: SFDO-Tooling/setup-uv@main
+              uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
               with:
                   version: "0.8.4"
                   enable-cache: true
@@ -97,7 +106,7 @@ jobs:
               with:
                   python-version: 3.11
             - name: Set up uv
-              uses: SFDO-Tooling/setup-uv@main
+              uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
               with:
                   version: "0.8.4"
                   enable-cache: true

.github/workflows/pre-release.yml

@@ -16,6 +16,10 @@ on:
                     - preview
                     - dev
 
+permissions:
+    contents: write
+    pull-requests: write
+
 jobs:
     generate-changelog:
         name: Create a PR to update version and release notes
@@ -44,7 +48,7 @@ jobs:
                   gh api \
                     --method POST \
                     -H "Accept: application/vnd.github.v3+json" \
-                    /repos/SFDO-Tooling/CumulusCI/releases/generate-notes \
+                    /repos/ClaritiSoftware/CumulusCI/releases/generate-notes \
                     -f previous_tag_name=$PREVIOUS_VERSION \
                     -f target_commitish='main' \
                     -f tag_name=$NEXT_VERSION \

.github/workflows/release.yml

@@ -7,36 +7,94 @@ on:
         paths:
             - cumulusci/__about__.py
 
+permissions:
+    contents: write
+    id-token: write
+
 concurrency: publishing
 
 jobs:
+    determine-environment:
+        name: Determine release environment
+        runs-on: ubuntu-latest
+        outputs:
+            version: ${{ steps.version.outputs.version }}
+            environment: ${{ steps.version.outputs.environment }}
+            prerelease: ${{ steps.version.outputs.prerelease }}
+        steps:
+            - uses: actions/checkout@v4
+            - name: Set up Python 3.11
+              uses: actions/setup-python@v5
+              with:
+                  python-version: 3.11
+            - name: Install hatch
+              run: python -m pip install hatch
+            - name: Determine version and environment
+              id: version
+              run: |
+                  VERSION="$(hatch version)"
+                  echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+                  # Determine environment based on version pattern (PEP 440 compliant)
+                  ENVIRONMENT=""
+                  PRERELEASE=""
+                  if [[ "$VERSION" =~ \.dev[0-9]*$ ]]; then
+                      ENVIRONMENT="development"
+                      PRERELEASE="true"
+                  elif [[ "$VERSION" =~ (a|b|rc)[0-9]+$ ]]; then
+                      ENVIRONMENT="staging"
+                      PRERELEASE="true"
+                  else
+                      ENVIRONMENT="production"
+                      PRERELEASE="false"
+                  fi
+
+                  echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT
+                  echo "prerelease=$PRERELEASE" >> $GITHUB_OUTPUT
+
+                  echo "📦 Version: $VERSION"
+                  echo "🌍 Environment: $ENVIRONMENT"
+
     publish-to-pypi:
-        name: Publish new release to PyPI
+        name: Publish ${{ needs.determine-environment.outputs.version }} to PyPI
         runs-on: ubuntu-latest
+        needs: determine-environment
+        environment:
+            name: ${{ needs.determine-environment.outputs.environment }}
+            url: https://pypi.org/project/clariti-cumulusci/${{ needs.determine-environment.outputs.version }}
+        permissions:
+            id-token: write # Required for trusted publishing
+            contents: write # Required for creating releases
         steps:
-            - uses: actions/checkout@main
+            - uses: actions/checkout@v4
             - name: Set up Python 3.11
-              uses: actions/setup-python@v4
+              uses: actions/setup-python@v5
               with:
                   python-version: 3.11
                   cache: pip
             - name: Install build tools
               run: python -m pip install hatch tomli tomli-w
             - name: Build source tarball and binary wheel
               run: hatch build -c
-            - name: Upload to PyPI
-              run: hatch publish
-              env:
-                  HATCH_INDEX_USER: "__token__"
-                  HATCH_INDEX_AUTH: ${{ secrets.PYPI_TOKEN }}
-            - name: Create release
+            - name: Publish to PyPI (Trusted Publishing)
+              uses: pypa/gh-action-pypi-publish@106e0b0b7c337fa67ed433972f777c6357f78598 # v1.13.0
+              # No credentials needed - uses OIDC trusted publishing
+            - name: Create GitHub release
               env:
                   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  VERSION: ${{ needs.determine-environment.outputs.version }}
+                  PRERELEASE: ${{ needs.determine-environment.outputs.prerelease }}
               run: |
-                  VERSION="$(hatch version)"
                   awk '/<!-- latest-start -->/,/<!-- latest-stop -->/' docs/history.md > changelog.md
+
+                  PRERELEASE_FLAG=""
+                  if [[ "$PRERELEASE" == "true" ]]; then
+                      PRERELEASE_FLAG="--prerelease"
+                  fi
+
                   gh release create "v$VERSION" \
                     dist/*.whl \
                     dist/*.tar.gz \
                     --notes-file changelog.md \
-                    --title $VERSION
+                    --title "v$VERSION" \
+                    $PRERELEASE_FLAG

.github/workflows/release_test.yml

@@ -5,6 +5,9 @@ on:
     pull_request:
         types: [opened, synchronize, reopened] # Default
 
+permissions:
+    contents: read
+
 jobs:
     test_artifacts:
         name: "Test Package Artifacts"
@@ -24,14 +27,14 @@ jobs:
                   hatch build
             - name: Test install of wheel
               run: |
-                  pip install dist/cumulusci*.whl
-                  pip show cumulusci
-                  pip uninstall -y cumulusci
+                  pip install dist/clariti_cumulusci*.whl
+                  pip show clariti-cumulusci
+                  pip uninstall -y clariti-cumulusci
             - name: Test install of sdist
               run: |
-                  pip install dist/cumulusci*.tar.gz
-                  pip show cumulusci
-                  pip uninstall -y cumulusci
+                  pip install dist/clariti_cumulusci*.tar.gz
+                  pip show clariti-cumulusci
+                  pip uninstall -y clariti-cumulusci
             - name: Store artifacts
               if: failure()
               uses: actions/upload-artifact@v4

.github/workflows/release_test_sfdx.yml

@@ -1,5 +1,8 @@
 name: SFDX Integration Test
 
+permissions:
+    contents: read
+
 on:
     workflow_call:
         inputs:
@@ -46,7 +49,7 @@ jobs:
               with:
                   python-version: 3.11
             - name: Set up uv
-              uses: SFDO-Tooling/setup-uv@main
+              uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
               with:
                   version: "0.8.4"
                   enable-cache: true