feat: add self-dogfooding via released scripts

- Add .github/scripts/ seeded from scripts/ — template-ci.yml now runs
  quality gates from these released copies instead of the development source
- Add auto-release.yml: auto-creates a patch release when scripts/ changes
  land on main
- Add self-update.yml: nightly check downloads released scripts into
  .github/scripts/ and opens a PR when a new release is detected
- Update template-ci.yml and composite action to reference .github/scripts/
- Document the dogfooding model in PLAN.md

This ensures the template validates itself with the same artifacts it ships
to downstream repos, catching regressions before they propagate.

Author: NWarila

.github/actions/setup-python/action.yml

@@ -27,12 +27,12 @@ runs:
     - name: Create venv and install package (Linux/macOS)
       if: runner.os != 'Windows'
       shell: bash
-      run: bash scripts/setup.sh
+      run: bash .github/scripts/setup.sh
 
     - name: Create venv and install package (Windows)
       if: runner.os == 'Windows'
       shell: pwsh
-      run: .\scripts\setup.ps1
+      run: .\.github\scripts\setup.ps1
 
     - name: Activate venv for subsequent steps (Linux/macOS)
       if: runner.os != 'Windows'

.github/scripts/.version

@@ -0,0 +1 @@
+none

.github/scripts/check_lint.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# Managed by nwarila/python-template — do not edit manually.
+# Source: https://github.com/nwarila/python-template
+
+from __future__ import annotations
+
+import argparse
+import os
+import subprocess
+import sys
+import tomllib
+from pathlib import Path
+from typing import Any
+
+
+def _load_pyproject() -> dict[str, Any]:
+    path = Path("pyproject.toml")
+    if not path.exists():
+        return {}
+    with open(path, "rb") as f:
+        return tomllib.load(f)
+
+
+def _tool(name: str) -> str:
+    exe_dir = Path(sys.executable).resolve().parent
+    candidates = [exe_dir / name, exe_dir / f"{name}.exe"]
+    for candidate in candidates:
+        if candidate.exists():
+            return str(candidate)
+    return name
+
+
+def _run(cmd: list[str], label: str) -> int:
+    print(f"\n--- {label} ---")
+    result = subprocess.run(cmd)
+    if result.returncode != 0 and os.environ.get("GITHUB_ACTIONS") == "true":
+        print(f"::error::{label} failed with exit code {result.returncode}")
+    return result.returncode
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description="Run ruff lint and format checks.")
+    parser.add_argument("--fix", action="store_true", help="Auto-fix lint issues and reformat")
+    parser.add_argument("--paths", nargs="+", help="Override source paths to check")
+    args = parser.parse_args()
+
+    pyproject = _load_pyproject()
+    paths = args.paths or pyproject.get("tool", {}).get("ruff", {}).get("src", ["src"])
+
+    if args.fix:
+        rc1 = _run([_tool("ruff"), "check", "--fix", *paths], "Ruff Fix")
+        rc2 = _run([_tool("ruff"), "format", *paths], "Ruff Format")
+    else:
+        rc1 = _run([_tool("ruff"), "check", *paths], "Ruff Check")
+        rc2 = _run([_tool("ruff"), "format", "--check", *paths], "Ruff Format Check")
+
+    return 1 if (rc1 or rc2) else 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/scripts/check_package.py

@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+# Managed by nwarila/python-template — do not edit manually.
+# Source: https://github.com/nwarila/python-template
+
+from __future__ import annotations
+
+import argparse
+import glob
+import os
+import shutil
+import subprocess
+import sys
+import tomllib
+from pathlib import Path
+from typing import Any
+
+
+def _load_pyproject() -> dict[str, Any]:
+    path = Path("pyproject.toml")
+    if not path.exists():
+        return {}
+    with open(path, "rb") as f:
+        return tomllib.load(f)
+
+
+def _tool(name: str) -> str:
+    exe_dir = Path(sys.executable).resolve().parent
+    candidates = [exe_dir / name, exe_dir / f"{name}.exe"]
+    for candidate in candidates:
+        if candidate.exists():
+            return str(candidate)
+    return name
+
+
+def _run(cmd: list[str], label: str) -> int:
+    print(f"\n--- {label} ---")
+    result = subprocess.run(cmd)
+    if result.returncode != 0 and os.environ.get("GITHUB_ACTIONS") == "true":
+        print(f"::error::{label} failed with exit code {result.returncode}")
+    return result.returncode
+
+
+def _cleanup() -> None:
+    shutil.rmtree("dist", ignore_errors=True)
+    for egg_dir in glob.glob("*.egg-info"):
+        shutil.rmtree(egg_dir, ignore_errors=True)
+    for egg_dir in glob.glob("src/*.egg-info"):
+        shutil.rmtree(egg_dir, ignore_errors=True)
+
+
+def main() -> int:
+    argparse.ArgumentParser(description="Validate package build, metadata, and entry points.").parse_args()
+
+    pyproject = _load_pyproject()
+
+    if "build-system" not in pyproject:
+        print("No [build-system] found, skipping package check")
+        return 0
+
+    entry_points = pyproject.get("project", {}).get("scripts", {})
+
+    try:
+        rc = _run([_tool("validate-pyproject"), "pyproject.toml"], "Validate pyproject.toml")
+        if rc != 0:
+            return rc
+
+        rc = _run([sys.executable, "-m", "build"], "Build sdist+wheel")
+        if rc != 0:
+            return rc
+
+        dist_files = glob.glob("dist/*")
+        if not dist_files:
+            is_ci = os.environ.get("GITHUB_ACTIONS") == "true"
+            print("::error::No dist files produced" if is_ci else "ERROR: No dist files produced")
+            return 1
+
+        rc = _run([_tool("twine"), "check", "--strict", *dist_files], "Twine Check")
+        if rc != 0:
+            return rc
+
+        for name in entry_points:
+            tool_path = shutil.which(name) or _tool(name)
+            if shutil.which(name) is None and tool_path == name:
+                print(f"  Entry point '{name}' not found on PATH, skipping smoke test")
+                continue
+            rc = _run([tool_path, "--help"], f"Entry point: {name} --help")
+            if rc != 0:
+                return rc
+
+    finally:
+        _cleanup()
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/scripts/check_security.py

@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+# Managed by nwarila/python-template — do not edit manually.
+# Source: https://github.com/nwarila/python-template
+
+from __future__ import annotations
+
+import argparse
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+
+def _tool(name: str) -> str:
+    exe_dir = Path(sys.executable).resolve().parent
+    candidates = [exe_dir / name, exe_dir / f"{name}.exe"]
+    for candidate in candidates:
+        if candidate.exists():
+            return str(candidate)
+    return name
+
+
+def _run(cmd: list[str], label: str) -> int:
+    print(f"\n--- {label} ---")
+    result = subprocess.run(cmd)
+    if result.returncode != 0 and os.environ.get("GITHUB_ACTIONS") == "true":
+        print(f"::error::{label} failed with exit code {result.returncode}")
+    return result.returncode
+
+
+def main() -> int:
+    argparse.ArgumentParser(description="Run pip-audit for dependency vulnerability scanning.").parse_args()
+
+    return _run([_tool("pip-audit"), "--skip-editable"], "Pip-Audit")
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/scripts/check_spelling.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+# Managed by nwarila/python-template — do not edit manually.
+# Source: https://github.com/nwarila/python-template
+
+from __future__ import annotations
+
+import argparse
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+
+def _tool(name: str) -> str:
+    exe_dir = Path(sys.executable).resolve().parent
+    candidates = [exe_dir / name, exe_dir / f"{name}.exe"]
+    for candidate in candidates:
+        if candidate.exists():
+            return str(candidate)
+    return name
+
+
+def _run(cmd: list[str], label: str) -> int:
+    print(f"\n--- {label} ---")
+    result = subprocess.run(cmd)
+    if result.returncode != 0 and os.environ.get("GITHUB_ACTIONS") == "true":
+        print(f"::error::{label} failed with exit code {result.returncode}")
+    return result.returncode
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description="Run codespell for typo detection.")
+    parser.add_argument("--fix", action="store_true", help="Auto-fix spelling mistakes")
+    args = parser.parse_args()
+
+    cmd = [_tool("codespell")]
+    if args.fix:
+        cmd.append("--write-changes")
+
+    return _run(cmd, "Codespell")
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/scripts/check_tests.py

@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+# Managed by nwarila/python-template — do not edit manually.
+# Source: https://github.com/nwarila/python-template
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+
+def _tool(name: str) -> str:
+    exe_dir = Path(sys.executable).resolve().parent
+    candidates = [exe_dir / name, exe_dir / f"{name}.exe"]
+    for candidate in candidates:
+        if candidate.exists():
+            return str(candidate)
+    return name
+
+
+def _run(cmd: list[str], label: str) -> int:
+    print(f"\n--- {label} ---")
+    result = subprocess.run(cmd)
+    if result.returncode != 0 and os.environ.get("GITHUB_ACTIONS") == "true":
+        print(f"::error::{label} failed with exit code {result.returncode}")
+    return result.returncode
+
+
+def _write_coverage_summary() -> None:
+    coverage_path = Path("coverage.json")
+    summary_path = os.environ.get("GITHUB_STEP_SUMMARY")
+    if not coverage_path.exists() or not summary_path:
+        return
+
+    with open(coverage_path) as f:
+        data = json.load(f)
+
+    lines = [
+        "## Coverage Summary",
+        "",
+        "| Module | Statements | Missed | Coverage |",
+        "|--------|-----------|--------|----------|",
+    ]
+
+    files = data.get("files", {})
+    for module, info in sorted(files.items()):
+        summary = info.get("summary", {})
+        stmts = summary.get("num_statements", 0)
+        missed = summary.get("missing_lines", 0)
+        covered = summary.get("percent_covered", 0.0)
+        lines.append(f"| {module} | {stmts} | {missed} | {covered:.1f}% |")
+
+    totals = data.get("totals", {})
+    total_stmts = totals.get("num_statements", 0)
+    total_missed = totals.get("missing_lines", 0)
+    total_covered = totals.get("percent_covered", 0.0)
+    lines.append(f"| **Total** | **{total_stmts}** | **{total_missed}** | **{total_covered:.1f}%** |")
+
+    with open(summary_path, "a") as f:
+        f.write("\n".join(lines) + "\n")
+
+    coverage_path.unlink()
+
+
+def main() -> int:
+    argparse.ArgumentParser(description="Run pytest with coverage.").parse_args()
+
+    is_ci = os.environ.get("GITHUB_ACTIONS") == "true"
+
+    cmd = [_tool("pytest")]
+    if is_ci:
+        cmd.append("--cov-report=json:coverage.json")
+
+    rc = _run(cmd, "Pytest")
+
+    if is_ci:
+        _write_coverage_summary()
+
+    return rc
+
+
+if __name__ == "__main__":
+    sys.exit(main())