Workflows: harden, update tooling (#206)

* workflows/docs: split build and deploy, update dependencies, restrict tag

* workflows/release: quote expansions, upgrade dependencies, retrict tag

* workflows/poetry: upgrade poetry, remove credentials persistence

* workflows/release: split build, release creation, and deployment into separate jobs

* workflows/release: remove template expansion in shell script

.github/workflows/docs.yml

@@ -1,43 +1,36 @@
 name: Deploy documentation
 
 on:
-  # Runs on version tags pushes
   push:
     tags:
-      - 'v*'
+      - 'v[0-9]+.[0-9]+.[0-9]+'
 
   # Runs on manual triggers
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
-# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
   group: "pages"
   cancel-in-progress: false
 
 jobs:
-  deploy:
+  build:
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install Poetry
         uses: abatilo/actions-poetry@v2
         with:
-          poetry-version: '1.7.1'
+          poetry-version: '1.8.3'
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: '3.12'
           cache: "poetry"
       - name: Check Poetry lock file consistency
         run: poetry check --lock
@@ -53,6 +46,17 @@ jobs:
         uses: actions/upload-pages-artifact@v3
         with:
           path: 'docs/_build'
+
+  deploy:
+    needs: build
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    steps:
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v4

.github/workflows/poetry.yml

@@ -15,10 +15,12 @@ jobs:
     strategy:
       matrix:
         python-version: ['3.9', '3.10', '3.11', '3.12']
-        poetry-version: [1.7.1]
+        poetry-version: [1.8.3]
         os: ["ubuntu-latest", "windows-latest"]
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install poetry
         uses: abatilo/actions-poetry@v2
         with:
@@ -65,7 +67,7 @@ jobs:
           poetry run python examples/number_partition.py
         if: startsWith(matrix.os, 'windows')
       - name: Install all dependencies
-        run: poetry install --sync --extras test
+        run: poetry install --sync --all-extras
       - name: Check version numbers consistency
         run: poetry run poe version_check
         if: startsWith(matrix.os, 'ubuntu')

.github/workflows/release.yml

@@ -2,42 +2,65 @@ name: Release Artifacts
 on:
   push:
     tags:
-      - 'v*'
+      - 'v[0-9]+.[0-9]+.[0-9]+'
 jobs:
-  wheel-build:
-    name: Build and Publish Release Artifacts
-    runs-on: ubuntu-latest
+  build:
+    name: Build release artifacts
     environment: release
-    permissions:
-      id-token: write
-      contents: write
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: '3.12'
       - name: Install Poetry
         uses: abatilo/actions-poetry@v2
         with:
-          poetry-version: '1.7.1'
+          poetry-version: '1.8.3'
       - name: Install release dependencies
         run: pip install -U typer mistletoe
       - name: Build packages
         run: |
           poetry build
         shell: bash
+      - name: Extract changelog
+        run: |
+          python scripts/extract-changelog.py "${TAG_NAME}" | tee RELEASE_CHANGELOG.txt
+        shell: bash
+        env:
+          TAG_NAME: ${{ github.ref_name }}
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
-          path: ./dist/qiskit*
-      - name: Extract changelog
-        run: python scripts/extract-changelog.py ${{ github.ref_name }} | tee ${{ github.workspace }}-CHANGELOG.txt
+          path: |
+            ./dist/qiskit*
+            RELEASE_CHANGELOG.txt
+
+  create_release:
+    name: Create GitHub release
+    needs: build
+    environment: release
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
       - name: Create Github release
         uses: softprops/action-gh-release@v1
         with:
           files: ./dist/qiskit*
-          body_path: ${{ github.workspace }}-CHANGELOG.txt
+          body_path: "RELEASE_CHANGELOG.txt"
+
+  deploy:
+    name: Deploy to PyPI
+    needs: build
+    environment: release
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1