Add CI workflows using GitHub Actions and improve module definitions

.github/dependabot.yml

@@ -0,0 +1,16 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/codeql.yml

@@ -0,0 +1,50 @@
+name: CodeQL analysis
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+  schedule:
+    - cron: 0 0 * * 1
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: CodeQL analysis
+
+    permissions:
+      security-events: write
+
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - python
+
+    steps:
+      - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            uploads.github.com:443
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841
+        with:
+          languages: ${{ matrix.language }}
+
+      - uses: github/codeql-action/autobuild@1b549b9259bda1cb5ddde3b41741a82a2d15a841
+
+      - uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841
+        with:
+          category: /language:${{matrix.language}}

.github/workflows/coverage.yml

@@ -0,0 +1,38 @@
+name: Post coverage comment
+
+on:
+    workflow_run:
+        workflows: ["Python checks"]
+        types:
+            - completed
+
+permissions:
+    contents: read
+
+jobs:
+    test:
+        name: Run tests & display coverage
+
+        runs-on: ubuntu-latest
+        if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
+
+        permissions:
+            # Gives the action the necessary permissions for publishing new
+            # comments in pull requests.
+            pull-requests: write
+            # Gives the action the necessary permissions for editing existing
+            # comments (to avoid publishing multiple comments in the same PR)
+            contents: write
+            # Gives the action the necessary permissions for looking up the
+            # workflow that launched this workflow, and download the related
+            # artifact that contains the comment to be published
+            actions: read
+
+        steps:
+            # DO NOT run actions/checkout here, for security reasons
+            # For details, refer to https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+            - name: Post comment
+              uses: py-cov-action/python-coverage-comment-action@b2eb38dd175bf053189b35f738f9207278b00925  # v3.29
+              with:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}

.github/workflows/dependency-review.yml

@@ -0,0 +1,33 @@
+name: Dependency review
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+  schedule:
+    - cron: 0 0 * * 1
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  dependency-review:
+    name: Dependency review
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+              api.github.com:443
+              api.securityscorecards.dev:443
+              github.com:443
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8