From 6648df9cf2d00e7e4121d9c651866f90fde466ba Mon Sep 17 00:00:00 2001
From: Ben Wheeler <b.j.wheeler484@gmail.com>
Date: Mon, 13 Apr 2026 11:01:59 +1000
Subject: [PATCH 1/5] test: Refactor to use private reusable-workflow

---
 .github/workflows/on-push.yaml | 24 ++----------------------
 1 file changed, 2 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/on-push.yaml b/.github/workflows/on-push.yaml
index 64f37b3..c17c51c 100644
--- a/.github/workflows/on-push.yaml
+++ b/.github/workflows/on-push.yaml
@@ -9,28 +9,8 @@ on:
 
 jobs:
   housekeeping:
-    runs-on: ubuntu-latest
-    container: qctrl/ci-images:python-3.11-ci
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download CI tool
-        shell: bash
-        run: |
-          curl -sSL http://ci.q-ctrl.com | bash -
-      - name: Vault Login
-        run: |
-          ./ci vault login -r ${{ secrets.VAULT_ROLE_ID }} -s ${{ secrets.VAULT_SECRET_ID }}
-      - name: Inject environment variables
-        run: |
-          /scripts/ci env prepareGitHub
-      - name: Perform housekeeping checks
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-          git config --global user.email "robot@q-ctrl.com"
-          git config --global user.name "Q-CTRL Robot"
-          /scripts/housekeeping.sh
+    uses: qctrl/reusable-workflows/.github/workflows/housekeeping.yml@workflows/poetry-pre-checks/v1
+    secrets: inherit
 
   linting:
     runs-on: ubuntu-latest

From 198e1584345e78f624617244b46014768349ef7e Mon Sep 17 00:00:00 2001
From: Ben Wheeler <b.j.wheeler484@gmail.com>
Date: Mon, 13 Apr 2026 11:04:41 +1000
Subject: [PATCH 2/5] fix

---
 .github/workflows/on-push.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/on-push.yaml b/.github/workflows/on-push.yaml
index c17c51c..579a837 100644
--- a/.github/workflows/on-push.yaml
+++ b/.github/workflows/on-push.yaml
@@ -9,7 +9,7 @@ on:
 
 jobs:
   housekeeping:
-    uses: qctrl/reusable-workflows/.github/workflows/housekeeping.yml@workflows/poetry-pre-checks/v1
+    uses: qctrl/reusable-workflows/.github/workflows/poetry-pre-checks.yml@workflows/poetry-pre-checks/v1
     secrets: inherit
 
   linting:

From de23c6c96a90c68e246aa15b0425d989c77e40cf Mon Sep 17 00:00:00 2001
From: Ben Wheeler <b.j.wheeler484@gmail.com>
Date: Mon, 13 Apr 2026 11:05:43 +1000
Subject: [PATCH 3/5] fix

---
 .github/workflows/on-push.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/on-push.yaml b/.github/workflows/on-push.yaml
index 579a837..abcd0a4 100644
--- a/.github/workflows/on-push.yaml
+++ b/.github/workflows/on-push.yaml
@@ -9,7 +9,7 @@ on:
 
 jobs:
   housekeeping:
-    uses: qctrl/reusable-workflows/.github/workflows/poetry-pre-checks.yml@workflows/poetry-pre-checks/v1
+    uses: qctrl/reusable-workflows/.github/workflows/poetry-pre-checks.yaml@workflows/poetry-pre-checks/v1
     secrets: inherit
 
   linting:

From 931721cd6921e8949aabd2f9fd2eae7e6823d1cd Mon Sep 17 00:00:00 2001
From: Ben Wheeler <b.j.wheeler484@gmail.com>
Date: Mon, 13 Apr 2026 11:06:57 +1000
Subject: [PATCH 4/5] test

---
 .github/workflows/on-push.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/on-push.yaml b/.github/workflows/on-push.yaml
index abcd0a4..7100df3 100644
--- a/.github/workflows/on-push.yaml
+++ b/.github/workflows/on-push.yaml
@@ -9,7 +9,7 @@ on:
 
 jobs:
   housekeeping:
-    uses: qctrl/reusable-workflows/.github/workflows/poetry-pre-checks.yaml@workflows/poetry-pre-checks/v1
+    uses: qctrl/reusable-workflows/.github/workflows/poetry-pre-checks.yaml@master
     secrets: inherit
 
   linting:

From dd37450f4986df946fe259750ac91de0d6bd74dc Mon Sep 17 00:00:00 2001
From: Ben Wheeler <b.j.wheeler484@gmail.com>
Date: Mon, 13 Apr 2026 14:11:30 +1000
Subject: [PATCH 5/5] feat: Update public workflows to be able to pull
 reusable-workflows

---
 .github/workflows/on-pull-request.yaml |  8 ++--
 .github/workflows/on-push.yaml         | 34 ++++++++++++++---
 .github/workflows/on-release.yaml      | 53 +++++++++++++++++++++-----
 3 files changed, 76 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/on-pull-request.yaml b/.github/workflows/on-pull-request.yaml
index 1791212..816ca80 100644
--- a/.github/workflows/on-pull-request.yaml
+++ b/.github/workflows/on-pull-request.yaml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     container: qctrl/ci-images:python-3.11-ci
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Download CI tool
         shell: bash
         run: |
@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     container: qctrl/ci-images:python-3.11-ci
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Download CI tool
       shell: bash
       run: |
@@ -54,7 +54,7 @@ jobs:
       matrix:
         python: ["3.10", "3.11", "3.12", "3.13"]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Download CI tool
       shell: bash
       run: |
@@ -72,7 +72,7 @@ jobs:
     if: github.event.pull_request.head.repo.fork == true
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Build Sphinx Image
       run: |
         docker build -f ./docs/Dockerfile
diff --git a/.github/workflows/on-push.yaml b/.github/workflows/on-push.yaml
index 7100df3..1b49114 100644
--- a/.github/workflows/on-push.yaml
+++ b/.github/workflows/on-push.yaml
@@ -9,14 +9,38 @@ on:
 
 jobs:
   housekeeping:
-    uses: qctrl/reusable-workflows/.github/workflows/poetry-pre-checks.yaml@master
-    secrets: inherit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          repositories: reusable-workflows
+      - name: Checkout reusable workflows
+        uses: actions/checkout@v6
+        with:
+          repository: qctrl/reusable-workflows
+          token: ${{ steps.app-token.outputs.token }}
+          path: .github/reusable-workflows
+          persist-credentials: false
+          ref: actions/poetry/housekeeping/v2
+      - name: Run housekeeping
+        uses: ./.github/reusable-workflows/.github/actions/poetry/housekeeping
+        with:
+          vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+          vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+      - name: Cleanup reusable workflows checkout
+        if: always()
+        run: rm -rf .github/reusable-workflows
 
   linting:
     runs-on: ubuntu-latest
     container: qctrl/ci-images:python-3.11-ci
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Download CI tool
         shell: bash
         run: |
@@ -39,7 +63,7 @@ jobs:
       matrix:
         python: ["3.10", "3.11", "3.12", "3.13"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Download CI tool
         shell: bash
         run: |
@@ -59,7 +83,7 @@ jobs:
     runs-on: ubuntu-latest
     container: qctrl/ci-images:python-3.11-ci
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Download CI tool
         shell: bash
         run: |
diff --git a/.github/workflows/on-release.yaml b/.github/workflows/on-release.yaml
index 26a1832..ac2e7f1 100644
--- a/.github/workflows/on-release.yaml
+++ b/.github/workflows/on-release.yaml
@@ -9,9 +9,32 @@ jobs:
     runs-on: ubuntu-latest
     container: qctrl/ci-images:python-3.11-ci
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          repositories: reusable-workflows
+      - name: Checkout reusable workflows
+        uses: actions/checkout@v6
+        with:
+          repository: qctrl/reusable-workflows
+          token: ${{ steps.app-token.outputs.token }}
+          path: .github/reusable-workflows
+          persist-credentials: false
+          ref: actions/poetry/housekeeping/v2
+      - name: Run housekeeping
+        uses: ./.github/reusable-workflows/.github/actions/poetry/housekeeping
+        with:
+          vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+          vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+      - name: Cleanup reusable workflows checkout
+        if: always()
+        run: rm -rf .github/reusable-workflows
       - name: Download CI tool
         shell: bash
         run: |
@@ -22,14 +45,6 @@ jobs:
       - name: Inject environment variables
         run: |
           ./ci env prepareGitHub
-      - name: Update version in code
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-          git config --global user.email "robot@q-ctrl.com"
-          git config --global user.name "Q-CTRL Robot"
-          /scripts/housekeeping.sh
       - name: Publish publicly
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -43,10 +58,28 @@ jobs:
     runs-on: ubuntu-latest
     container: qctrl/ci-images:python-3.11-ci
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          repositories: reusable-workflows
+      - name: Checkout reusable workflows
+        uses: actions/checkout@v6
+        with:
+          repository: qctrl/reusable-workflows
+          token: ${{ steps.app-token.outputs.token }}
+          path: .github/reusable-workflows
+          persist-credentials: false
+          ref: actions/docs/update-docs/v1
       - name: Update docs repo
-        uses: qctrl/reusable-workflows/.github/actions/docs/update-docs@master
+        uses: ./.github/reusable-workflows/.github/actions/docs/update-docs
         with:
           source_branch: master
           target_branch: master
           vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
           vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+      - name: Cleanup reusable workflows checkout
+        if: always()
+        run: rm -rf .github/reusable-workflows