[MNT] Setup Github Actions and Related Package Setup Work#1
Open
RNKuhns wants to merge 23 commits into
Open
Conversation
Weekly updates with minor/patch changes grouped into a single PR per ecosystem; major bumps stay ungrouped so each gets individual review.
Runs pre-commit/action on push to main and on pull requests, with an explicit cache for ~/.cache/pre-commit keyed on the hash of .pre-commit-config.yaml.
Runs pytest via an editable dev install across ubuntu/macos/windows and Python 3.10-3.12, with fail-fast disabled so one failing combination doesn't cancel the others.
Runs pip-audit against the resolved dependency set on push, pull request, and a weekly schedule (to catch newly-disclosed CVEs against unchanged code). Kept separate from test.yml's 9-way OS/Python matrix to avoid running the same scan redundantly nine times.
Single-language Python analysis on push, pull request, and a weekly schedule so newly-disclosed vulnerability patterns get caught against unchanged code too.
Seeds .all-contributorsrc with the initial contributor and generates CONTRIBUTORS.md in the standard all-contributors-cli table format. The file is kept in sync going forward by the update-contributors workflow (added next), which regenerates it from .all-contributorsrc using the real CLI whenever that config changes.
Triggers when .all-contributorsrc changes on main, regenerates CONTRIBUTORS.md via all-contributors-cli, and opens a PR authenticated as a GitHub App (requires vars.PR_APP_ID / secrets.PR_APP_KEY to be configured on the repo).
Two scheduled jobs: auto-update pre-commit hook revisions and open a PR (pre-commit's rev pins aren't covered by Dependabot's pip/github-actions ecosystems), and run OSSF Scorecard for a supply-chain security score uploaded to code scanning.
vars.PR_APP_ID -> vars.APP_ID, secrets.PR_APP_KEY -> secrets.APP_PRIVATE_KEY, matching the repo variable/secret names set up for the GitHub App.
actions/create-github-app-token@v3 deprecates the app-id input in favor of client-id. Switches both workflows to read the App's Client ID from secrets.CLIENT_ID instead of the App ID from vars.APP_ID.
Audited all workflow steps for a `name:` key; 7 steps across security.yml, codeql.yml, weekly-maintenance.yml, and update-contributors.yml were unnamed (checkout/setup-python/setup-node steps), inconsistent with pre-commit.yml and test.yml which already name every step.
- .codecov.yml: project/patch status checks target 90% coverage (1% leeway), posted as required PR checks (codecov/project, codecov/patch) and non-informational so they can block merges. - pyproject.toml: [tool.coverage.run]/[tool.coverage.report] configure coverage source and a matching local fail_under = 90. - test.yml: every matrix leg runs pytest with --cov-fail-under=90; coverage.xml is uploaded to Codecov from a single canonical leg (ubuntu-latest, Python 3.12) rather than all 15 combinations to avoid redundant uploads. Requires a CODECOV_TOKEN repo secret (link the repo at codecov.io) for the upload step to authenticate.
- .readthedocs.yaml: builds docs/conf.py with the `docs` extra installed. - docs/conf.py, docs/index.rst: minimal Sphinx setup using pydata-sphinx-theme and the numpydoc extension, consistent with the numpydoc docstring convention already enforced via pre-commit. - docs/Makefile, docs/make.bat: standard local build helpers; output goes to docs/_build, matching the ignore_path already configured for doc8 in pyproject.toml. - pyproject.toml: new `docs` optional-dependency group (sphinx, pydata-sphinx-theme, numpydoc). Activating the project on readthedocs.org (connecting this GitHub repo) is a manual step and still needs to be done.
for more information, see https://pre-commit.ci
Sphinx's conf.py conventionally defines a module-level `copyright` variable, which shadows the builtin - expected and standard practice, not something to flag.
Regenerates requirements.txt from pyproject.toml via pip-compile, including all optional-dependency groups (--all-extras).
…/call-report into actions_and_related
Add a local pre-commit hook that regenerates requirements.txt whenever pyproject.toml changes, and a check-requirements workflow that fails the build if the committed requirements.txt drifts from what the script produces. Both are scoped to pyproject.toml only, so the script's own output (requirements.txt) can't retrigger either one.
Both scripts were chmod +x'd locally, but core.fileMode=false means git never recorded the executable bit in the committed tree (both were 100644). Set it directly via git update-index --chmod=+x so it's correct regardless of that setting - fixes "permission denied" when CI checks out generate_requirements.sh on Linux.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This sets up the package's github action workflows, and related tooling. This includes Code Coverage monitoring and Readthedocs.