feat(ci): switch to common CI

.github/workflows/ci.yml

@@ -1,53 +1,20 @@
 name: CI
 on:
-  push:
-    branches: [ main ]
   pull_request:
     types: [opened, synchronize, reopened]
     paths-ignore:
-      - 'README.md'
-      - 'LICENSE.md'
-      - '.gitignore'
-      - 'CODEOWNERS'
-      - 'renovate.json'
-      - '.github/'
+      - "README.md"
+      - "LICENSE.md"
+      - ".gitignore"
+      - ".github/CODEOWNERS"
+      - ".github/renovate.json"
+      - ".github/dependabot.yml"
 
 jobs:
   ci:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@v4.2.2
+    uses: luketainton/gha-workflows/.github/workflows/ci-python-poetry.yml@main
     with:
-          fetch-depth: 0
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-      - name: Setup Poetry
-        uses: abatilo/actions-poetry@v3
-      - name: Install dependencies
-        run: poetry install
-      - name: Lint
-        run: poetry run ./tools/lint.sh
-      - name: Unit Test
-        run: |
-          poetry run coverage run -m pytest -v --junitxml=testresults.xml
-          poetry run coverage xml
-          sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarcloud-github-action@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      python-version: 3.11
+    secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - name: Snyk Vulnerability Scan
-        uses: snyk/actions/python-3.10@master
-        continue-on-error: true # To make sure that SARIF upload gets called
-        env:
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          args: --sarif-file-output=snyk.sarif
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: snyk.sarif