Skip to content

[MNT] Setup Github Actions and Related Package Setup Work#1

Open
RNKuhns wants to merge 23 commits into
mainfrom
actions_and_related
Open

[MNT] Setup Github Actions and Related Package Setup Work#1
RNKuhns wants to merge 23 commits into
mainfrom
actions_and_related

Conversation

@RNKuhns

@RNKuhns RNKuhns commented Jul 4, 2026

Copy link
Copy Markdown
Member

This sets up the package's github action workflows, and related tooling. This includes Code Coverage monitoring and Readthedocs.

RNKuhns added 15 commits July 4, 2026 14:23
Weekly updates with minor/patch changes grouped into a single PR per
ecosystem; major bumps stay ungrouped so each gets individual review.
Runs pre-commit/action on push to main and on pull requests, with an
explicit cache for ~/.cache/pre-commit keyed on the hash of
.pre-commit-config.yaml.
Runs pytest via an editable dev install across ubuntu/macos/windows and
Python 3.10-3.12, with fail-fast disabled so one failing combination
doesn't cancel the others.
Runs pip-audit against the resolved dependency set on push, pull
request, and a weekly schedule (to catch newly-disclosed CVEs against
unchanged code). Kept separate from test.yml's 9-way OS/Python matrix
to avoid running the same scan redundantly nine times.
Single-language Python analysis on push, pull request, and a weekly
schedule so newly-disclosed vulnerability patterns get caught against
unchanged code too.
Seeds .all-contributorsrc with the initial contributor and generates
CONTRIBUTORS.md in the standard all-contributors-cli table format. The
file is kept in sync going forward by the update-contributors workflow
(added next), which regenerates it from .all-contributorsrc using the
real CLI whenever that config changes.
Triggers when .all-contributorsrc changes on main, regenerates
CONTRIBUTORS.md via all-contributors-cli, and opens a PR authenticated
as a GitHub App (requires vars.PR_APP_ID / secrets.PR_APP_KEY to be
configured on the repo).
Two scheduled jobs: auto-update pre-commit hook revisions and open a PR
(pre-commit's rev pins aren't covered by Dependabot's pip/github-actions
ecosystems), and run OSSF Scorecard for a supply-chain security score
uploaded to code scanning.
vars.PR_APP_ID -> vars.APP_ID, secrets.PR_APP_KEY -> secrets.APP_PRIVATE_KEY,
matching the repo variable/secret names set up for the GitHub App.
actions/create-github-app-token@v3 deprecates the app-id input in
favor of client-id. Switches both workflows to read the App's Client
ID from secrets.CLIENT_ID instead of the App ID from vars.APP_ID.
Audited all workflow steps for a `name:` key; 7 steps across
security.yml, codeql.yml, weekly-maintenance.yml, and
update-contributors.yml were unnamed (checkout/setup-python/setup-node
steps), inconsistent with pre-commit.yml and test.yml which already
name every step.
- .codecov.yml: project/patch status checks target 90% coverage
  (1% leeway), posted as required PR checks (codecov/project,
  codecov/patch) and non-informational so they can block merges.
- pyproject.toml: [tool.coverage.run]/[tool.coverage.report] configure
  coverage source and a matching local fail_under = 90.
- test.yml: every matrix leg runs pytest with --cov-fail-under=90;
  coverage.xml is uploaded to Codecov from a single canonical leg
  (ubuntu-latest, Python 3.12) rather than all 15 combinations to
  avoid redundant uploads.

Requires a CODECOV_TOKEN repo secret (link the repo at codecov.io) for
the upload step to authenticate.
- .readthedocs.yaml: builds docs/conf.py with the `docs` extra installed.
- docs/conf.py, docs/index.rst: minimal Sphinx setup using
  pydata-sphinx-theme and the numpydoc extension, consistent with the
  numpydoc docstring convention already enforced via pre-commit.
- docs/Makefile, docs/make.bat: standard local build helpers; output
  goes to docs/_build, matching the ignore_path already configured for
  doc8 in pyproject.toml.
- pyproject.toml: new `docs` optional-dependency group
  (sphinx, pydata-sphinx-theme, numpydoc).

Activating the project on readthedocs.org (connecting this GitHub repo)
is a manual step and still needs to be done.
@RNKuhns RNKuhns self-assigned this Jul 4, 2026
pre-commit-ci Bot and others added 8 commits July 4, 2026 19:50
Sphinx's conf.py conventionally defines a module-level `copyright`
variable, which shadows the builtin - expected and standard practice,
not something to flag.
Regenerates requirements.txt from pyproject.toml via pip-compile,
including all optional-dependency groups (--all-extras).
Add a local pre-commit hook that regenerates requirements.txt whenever
pyproject.toml changes, and a check-requirements workflow that fails
the build if the committed requirements.txt drifts from what the
script produces. Both are scoped to pyproject.toml only, so the
script's own output (requirements.txt) can't retrigger either one.
Both scripts were chmod +x'd locally, but core.fileMode=false means
git never recorded the executable bit in the committed tree (both
were 100644). Set it directly via git update-index --chmod=+x so it's
correct regardless of that setting - fixes "permission denied" when
CI checks out generate_requirements.sh on Linux.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant