diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 375ff9ee..2ac92f38 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,6 +7,7 @@ on:
     branches:
       - "main"
   pull_request:
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -17,10 +18,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out sources
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Set up Python 3.9
-        uses: actions/setup-python@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
         with:
           python-version: "3.9"
           cache: 'pip'  # cache pip dependencies
@@ -41,7 +42,7 @@ jobs:
 
       # See https://github.com/actions/upload-artifact
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packages
           path: dist/
diff --git a/.github/workflows/checks.yml b/.github/workflows/check_format.yml
similarity index 61%
rename from .github/workflows/checks.yml
rename to .github/workflows/check_format.yml
index 96845349..4367a434 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/check_format.yml
@@ -1,19 +1,13 @@
 # Run some code checks with GitHub Actions.
 
-name: Code checks
+name: Code formatting checks
 
 on:
   push:
     branches:
       - "main"
   pull_request:
-  pull_request_target:
-
-permissions:
-  contents: read
-  # Allow 1Password/check-signed-commits-action to leave comments on
-  # pull requests.
-  pull-requests: write
+  workflow_dispatch:
 
 jobs:
 
@@ -21,22 +15,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out sources
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0 # since we need to diff against origin/main.
 
-      # https://github.com/marketplace/actions/check-signed-commits-in-pr
-      # runs on pull_request_target and pull_request events, but
-      # pull_request_target is preferred because of the ability to
-      # leave comments on external PRs created from forks.
-      - name: Check that commits are signed
-        if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
-        uses: 1Password/check-signed-commits-action@v1
-
-      - name: Set up Python 3.9
-        uses: actions/setup-python@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
         with:
-          python-version: "3.9"
+          python-version: "3.x"
           cache: 'pip'  # cache pip dependencies
           cache-dependency-path: pyproject.toml
 
diff --git a/.github/workflows/check_signed_commits.yml b/.github/workflows/check_signed_commits.yml
new file mode 100644
index 00000000..7d54c32a
--- /dev/null
+++ b/.github/workflows/check_signed_commits.yml
@@ -0,0 +1,32 @@
+# FABRIC policy requires that code commits are signed with the
+# committer's GPG key.
+#
+# https://github.com/marketplace/actions/check-signed-commits-in-pr
+# runs on pull_request_target events.
+
+name: Check signed commits in PR
+on: pull_request_target
+
+jobs:
+  check-signed-commits:
+    name: Check signed commits in PR
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      # Allow 1Password/check-signed-commits-action to leave comments
+      # on pull requests.
+      pull-requests: write
+
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@v1
+        with:
+          comment: |
+            ⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch (`git push --force-with-lease`).
+
+            If you're new to commit signing, follow the steps below to set up commit signing with `gpg`:
+
+            1. [Generate a GPG key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)
+            2. [Add the GPG key to your GitHub account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account)
+            3. [Configure `git` to use your GPG key for commit signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-gpg-key)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4c334483..0583733f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -37,12 +37,12 @@ jobs:
 
     steps:
       - name: Check out sources
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
-          python-version: "3.x"
+          python-version: "3.9"
           cache: 'pip'
           cache-dependency-path: pyproject.toml
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index aac1d673..2f124119 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,6 +9,7 @@ on:
     branches:
       - "main"
   pull_request:
+  workflow_dispatch:
   workflow_call:
 
 jobs:
@@ -22,18 +23,21 @@ jobs:
           - "3.10"
           - "3.11"
         os:
+          # See https://github.com/actions/runner-images for available
+          # runners.
           - "ubuntu-22.04"
           - "windows-2022"
-          - "macos-11"
+          - "macos-13" # Intel
+          - "macos-14" # ARM
 
     runs-on: ${{ matrix.os }}
 
     steps:
     - name: Check out sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'  # caching pip dependencies
@@ -42,7 +46,7 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        python -m pip install wheel coveralls
+        python -m pip install wheel
 
     # # TODO: we can't use flake8 right now, because there isn't a
     # # version of flake8 that can use pycodestyle==2.6.0, and fim has
@@ -59,24 +63,23 @@ jobs:
         python -m pip install .[test]
         python -m coverage run -m pytest
         python -m coverage report
-
+        # Generate LCOV format coverage data for coveralls.
+        python -m coverage lcov -o coverage.lcov
+ 
     - name: Send coverage data to coveralls.io
-      run: |
-        python -m coveralls --service=github
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        COVERALLS_FLAG_NAME: ${{ matrix.python-version }}
-        COVERALLS_PARALLEL: true
+      uses: coverallsapp/github-action@v2
+      with:
+        flag-name: run-${{ join(matrix.*, '-') }}
+        file: coverage.lcov
+        parallel: true
 
   finalize:
     name: finalize
     needs: test
     runs-on: ubuntu-latest
-    container: python:3-slim
+    if: ${{ always() }}
     steps:
       - name: Indicate completion to coveralls.io
-        run: |
-          python -m pip --no-cache-dir install --upgrade coveralls
-          python -m coveralls --service=github --finish
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: coverallsapp/github-action@v2
+        with:
+          parallel-finished: true
diff --git a/.gitignore b/.gitignore
index a05a4036..710a068e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -103,9 +103,9 @@ celerybeat.pid
 
 # Environments
 .env
-.venv
+.venv*
 env/
-venv/
+venv*
 ENV/
 env.bak/
 venv.bak/