diff --git a/.github/CONFIG.md b/.github/CONFIG.md index 457eb252..b7db081a 100644 --- a/.github/CONFIG.md +++ b/.github/CONFIG.md @@ -3,18 +3,15 @@ This document describes the secrets used by the Rhiza-provided GitHub Actions workflows (`.github/workflows/rhiza_*.yml`) and how to configure them. -## PAT_TOKEN (template sync) +## PAT_TOKEN -The sync workflow (`.github/workflows/rhiza_sync.yml`) keeps your repository up to date with the -upstream Rhiza template. It commits the synced files directly to a branch or opens a pull request. +Some workflows may need to push changes to files under `.github/workflows/`. The +automatic `github.token` **cannot** do that — GitHub rejects such pushes unless +the token carries the `workflow` scope. If you need it, create a Personal Access +Token (PAT) with the `workflow` scope and store it as a repository secret named +`PAT_TOKEN`. -By default the workflow authenticates with the automatic `github.token`. That token **cannot push -changes to files under `.github/workflows/`** — GitHub rejects such pushes unless the token has the -`workflow` scope. Since template syncs regularly update workflow files, you should configure a -Personal Access Token (PAT) with that scope and store it as a repository secret named `PAT_TOKEN`. - -If `PAT_TOKEN` is not configured, the workflow falls back to `github.token` and prints a warning. -Syncs that touch only non-workflow files will still succeed. +If `PAT_TOKEN` is not configured, workflows fall back to `github.token`. ### Creating the token diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index 47c9ebcd..00000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,30 +0,0 @@ -## Description - - - -## Related Issue - - - -Closes # - -## Type of Change - - - -- [ ] Bug fix (non-breaking change that fixes an issue) -- [ ] New feature (non-breaking change that adds functionality) -- [ ] Breaking change (fix or feature that causes existing functionality to change) -- [ ] Documentation update - -## Checklist - - - -- [ ] I have run `make fmt` and my code passes the linter -- [ ] I have run `make test` and all tests pass -- [ ] I have run `make deptry` and there are no dependency issues -- [ ] I have added or updated tests that cover my changes -- [ ] I have updated documentation if necessary -- [ ] `CHANGELOG.md` entry added (or not needed for this change) -- [ ] My commit messages follow the [Conventional Commits](https://www.conventionalcommits.org/) format diff --git a/.github/rulesets/main-branch-protection.json b/.github/rulesets/main-branch-protection.json index c1d80cbb..3511390a 100644 --- a/.github/rulesets/main-branch-protection.json +++ b/.github/rulesets/main-branch-protection.json @@ -27,12 +27,12 @@ "parameters": { "strict_required_status_checks_policy": false, "required_status_checks": [ - { "context": "Pre-commit hooks" }, - { "context": "validation" }, - { "context": "Check dependencies with deptry" }, - { "context": "docs-coverage" }, - { "context": "Security scanning" }, - { "context": "License compliance scan" } + { "context": "Pre-commit hooks", "integration_id": 15368 }, + { "context": "Check dependencies with deptry", "integration_id": 15368 }, + { "context": "docs-coverage", "integration_id": 15368 }, + { "context": "Security scanning", "integration_id": 15368 }, + { "context": "License compliance scan", "integration_id": 15368 }, + { "context": "CI gate", "integration_id": 15368 } ] } } diff --git a/.github/rulesets/tag-protection.json b/.github/rulesets/tag-protection.json new file mode 100644 index 00000000..1c61dac9 --- /dev/null +++ b/.github/rulesets/tag-protection.json @@ -0,0 +1,24 @@ +{ + "name": "version-tag-protection", + "target": "tag", + "enforcement": "active", + "conditions": { + "ref_name": { + "include": ["refs/tags/v*"], + "exclude": [] + } + }, + "rules": [ + { "type": "creation" }, + { "type": "update" }, + { "type": "deletion" }, + { "type": "non_fast_forward" } + ], + "bypass_actors": [ + { + "actor_type": "RepositoryRole", + "actor_id": 5, + "bypass_mode": "always" + } + ] +} diff --git a/.github/workflows/rhiza_benchmark.yml b/.github/workflows/rhiza_benchmark.yml index 5eedff11..40a7b67c 100644 --- a/.github/workflows/rhiza_benchmark.yml +++ b/.github/workflows/rhiza_benchmark.yml @@ -20,5 +20,5 @@ on: jobs: benchmark: - uses: jebel-quant/rhiza/.github/workflows/rhiza_benchmark.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_benchmark.yml@v1.2.0 secrets: inherit diff --git a/.github/workflows/rhiza_book.yml b/.github/workflows/rhiza_book.yml index 65bfb542..937f38b2 100644 --- a/.github/workflows/rhiza_book.yml +++ b/.github/workflows/rhiza_book.yml @@ -29,7 +29,7 @@ on: jobs: book: - uses: jebel-quant/rhiza/.github/workflows/rhiza_book.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_book.yml@v1.2.0 secrets: inherit permissions: contents: read diff --git a/.github/workflows/rhiza_ci.yml b/.github/workflows/rhiza_ci.yml index 1280bf18..f6312268 100644 --- a/.github/workflows/rhiza_ci.yml +++ b/.github/workflows/rhiza_ci.yml @@ -26,5 +26,5 @@ on: jobs: ci: - uses: jebel-quant/rhiza/.github/workflows/rhiza_ci.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_ci.yml@v1.2.0 secrets: inherit diff --git a/.github/workflows/rhiza_codeql.yml b/.github/workflows/rhiza_codeql.yml index fd608b27..a59eb698 100644 --- a/.github/workflows/rhiza_codeql.yml +++ b/.github/workflows/rhiza_codeql.yml @@ -39,7 +39,7 @@ on: jobs: codeql: - uses: jebel-quant/rhiza/.github/workflows/rhiza_codeql.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_codeql.yml@v1.2.0 secrets: inherit permissions: security-events: write # Upload CodeQL results to code scanning diff --git a/.github/workflows/rhiza_fuzzing.yml b/.github/workflows/rhiza_fuzzing.yml index b396d4af..984eb521 100644 --- a/.github/workflows/rhiza_fuzzing.yml +++ b/.github/workflows/rhiza_fuzzing.yml @@ -34,7 +34,7 @@ permissions: jobs: fuzzing: - uses: jebel-quant/rhiza/.github/workflows/rhiza_fuzzing.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_fuzzing.yml@v1.2.0 secrets: inherit permissions: contents: read diff --git a/.github/workflows/rhiza_marimo.yml b/.github/workflows/rhiza_marimo.yml index 98f46f25..682498d6 100644 --- a/.github/workflows/rhiza_marimo.yml +++ b/.github/workflows/rhiza_marimo.yml @@ -28,5 +28,5 @@ on: jobs: marimo: - uses: jebel-quant/rhiza/.github/workflows/rhiza_marimo.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_marimo.yml@v1.2.0 secrets: inherit diff --git a/.github/workflows/rhiza_mutation.yml b/.github/workflows/rhiza_mutation.yml index 9c2b6cf8..f2c3b05f 100644 --- a/.github/workflows/rhiza_mutation.yml +++ b/.github/workflows/rhiza_mutation.yml @@ -42,7 +42,7 @@ jobs: # this repo sets the `MUTATION_ENABLED` variable to 'true'. Gating here in # the caller keeps it optional regardless of the pinned reusable workflow. if: ${{ vars.MUTATION_ENABLED == 'true' }} - uses: jebel-quant/rhiza/.github/workflows/rhiza_mutation.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_mutation.yml@v1.2.0 secrets: inherit permissions: contents: read diff --git a/.github/workflows/rhiza_paper.yml b/.github/workflows/rhiza_paper.yml index 4248bb97..8db44821 100644 --- a/.github/workflows/rhiza_paper.yml +++ b/.github/workflows/rhiza_paper.yml @@ -28,7 +28,7 @@ on: jobs: paper: - uses: jebel-quant/rhiza/.github/workflows/rhiza_paper.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_paper.yml@v1.2.0 secrets: inherit permissions: contents: write diff --git a/.github/workflows/rhiza_release.yml b/.github/workflows/rhiza_release.yml index f82a5b43..f3245258 100644 --- a/.github/workflows/rhiza_release.yml +++ b/.github/workflows/rhiza_release.yml @@ -26,9 +26,10 @@ # 7. 🐳 Publish Devcontainer - Build and publish devcontainer image (conditional) # 8. ✅ Finalize Release - Publish the GitHub release with links # -# 📄 CHANGELOG: not updated here. The rhiza-tools `bump` command folds a freshly -# generated CHANGELOG.md into the version-bump commit (git-cliff pre-commit hook), -# so the tagged commit already carries the changelog — no separate post-tag commit. +# 📄 CHANGELOG: not updated here. The release process (rhiza-claude `/release`) +# folds a freshly generated CHANGELOG.md into the version-bump commit before the +# tag is pushed, so the tagged commit already carries the changelog — no separate +# post-tag commit. # # 📦 SBOM Generation: # - Generated using CycloneDX format (industry standard for software supply chain security) @@ -221,7 +222,7 @@ jobs: version: "0.11.16" - name: Configure git auth for private packages - uses: jebel-quant/rhiza/.github/actions/configure-git-auth@v1.1.3 + uses: jebel-quant/rhiza/.github/actions/configure-git-auth@v1.2.0 with: token: ${{ secrets.GH_PAT }} diff --git a/.github/workflows/rhiza_scorecard.yml b/.github/workflows/rhiza_scorecard.yml index 91c3bf7e..1e477411 100644 --- a/.github/workflows/rhiza_scorecard.yml +++ b/.github/workflows/rhiza_scorecard.yml @@ -36,7 +36,7 @@ permissions: read-all jobs: scorecard: - uses: jebel-quant/rhiza/.github/workflows/rhiza_scorecard.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_scorecard.yml@v1.2.0 secrets: inherit permissions: security-events: write # Upload the SARIF results to code scanning diff --git a/.github/workflows/rhiza_sync.yml b/.github/workflows/rhiza_sync.yml deleted file mode 100644 index 19b868d9..00000000 --- a/.github/workflows/rhiza_sync.yml +++ /dev/null @@ -1,37 +0,0 @@ -name: (RHIZA) SYNC -# Synchronizes the repository with its rhiza template. -# - On Renovate/rhiza branch push: auto-commits synced files directly to the branch. -# - On schedule/dispatch: opens a pull request with the synced changes. -# -# IMPORTANT: A PAT with 'workflow' scope (PAT_TOKEN) is required when workflow -# files are modified. See .rhiza/docs/TOKEN_SETUP.md for setup instructions. - -permissions: - contents: read - -on: - push: - branches: - - 'renovate/jebel-quant-rhiza-**' - - 'rhiza/**' - paths: - - '.rhiza/template.yml' - schedule: - - cron: '0 0 * * 1' # Weekly on Monday - workflow_dispatch: - inputs: - create-pr: - description: "Create a pull request" - type: boolean - default: true - -jobs: - sync: - uses: jebel-quant/rhiza/.github/workflows/rhiza_sync.yml@v1.1.3 - with: - direct: ${{ github.event_name == 'push' }} - create-pr: ${{ github.event_name != 'push' && (github.event_name == 'schedule' || inputs.create-pr == true) }} - secrets: inherit - permissions: - contents: write # Commit/push synced files (direct mode) - pull-requests: write # Open the sync PR (scheduled/dispatch mode) diff --git a/.github/workflows/rhiza_weekly.yml b/.github/workflows/rhiza_weekly.yml index cd46e3a9..1af82c10 100644 --- a/.github/workflows/rhiza_weekly.yml +++ b/.github/workflows/rhiza_weekly.yml @@ -25,5 +25,5 @@ on: jobs: weekly: - uses: jebel-quant/rhiza/.github/workflows/rhiza_weekly.yml@v1.1.3 + uses: jebel-quant/rhiza/.github/workflows/rhiza_weekly.yml@v1.2.0 secrets: inherit diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ea145b3d..230df574 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,7 +31,7 @@ repos: pass_filenames: false - repo: https://github.com/astral-sh/ruff-pre-commit - rev: 'v0.15.20' + rev: 'v0.15.21' hooks: - id: ruff args: [ --fix, --exit-non-zero-on-fix, --unsafe-fixes ] @@ -76,7 +76,7 @@ repos: - id: betterleaks - repo: https://github.com/astral-sh/uv-pre-commit - rev: 0.11.26 + rev: 0.11.28 hooks: - id: uv-lock diff --git a/.rhiza/.rhiza-version b/.rhiza/.rhiza-version deleted file mode 100644 index 66333910..00000000 --- a/.rhiza/.rhiza-version +++ /dev/null @@ -1 +0,0 @@ -0.18.0 diff --git a/.rhiza/completions/README.md b/.rhiza/completions/README.md index 73c37c1f..ff62b4d1 100644 --- a/.rhiza/completions/README.md +++ b/.rhiza/completions/README.md @@ -6,7 +6,7 @@ This directory contains shell completion scripts for Bash and Zsh that provide t - ✅ Tab-complete all available make targets - ✅ Show target descriptions in Zsh -- ✅ Complete common make variables (DRY_RUN, BUMP, ENV, etc.) +- ✅ Complete common make variables (DRY_RUN, ENV, etc.) - ✅ Works with any Rhiza-based project - ✅ Auto-discovers targets from Makefile and included .mk files @@ -117,7 +117,7 @@ make make te # Expands to: make test # Complete variables -make BUMP= # Shows: patch, minor, major +make ENV= # Shows: dev, staging, prod # Works with any target make doc # Shows: docs, docker-build, docker-run, etc. @@ -144,7 +144,6 @@ The completion scripts understand these common variables: | Variable | Values | Description | |----------|--------|-------------| | `DRY_RUN` | `1` | Preview mode without making changes | -| `BUMP` | `patch`, `minor`, `major` | Version bump type | | `ENV` | `dev`, `staging`, `prod` | Target environment | | `COVERAGE_FAIL_UNDER` | (number) | Minimum coverage threshold | | `PYTHON_VERSION` | (version) | Override Python version | @@ -156,10 +155,10 @@ Example usage: make DRY_ # Expands to: make DRY_RUN=1 # Tab-complete variable values -make BUMP= # Shows: patch minor major +make ENV= # Shows: dev staging prod # Combine with targets -make bump BUMP= +make deploy ENV= ``` ## Troubleshooting diff --git a/.rhiza/completions/rhiza-completion.bash b/.rhiza/completions/rhiza-completion.bash index 09db85c0..eca9e8a9 100644 --- a/.rhiza/completions/rhiza-completion.bash +++ b/.rhiza/completions/rhiza-completion.bash @@ -56,7 +56,7 @@ _rhiza_make_completion() { fi # Add common make variables that can be overridden - local vars="DRY_RUN=1 BUMP=patch BUMP=minor BUMP=major ENV=dev ENV=staging ENV=prod" + local vars="DRY_RUN=1 ENV=dev ENV=staging ENV=prod" opts="$opts $vars" # Generate completions diff --git a/.rhiza/completions/rhiza-completion.zsh b/.rhiza/completions/rhiza-completion.zsh index 0495103b..f1c38912 100644 --- a/.rhiza/completions/rhiza-completion.zsh +++ b/.rhiza/completions/rhiza-completion.zsh @@ -92,9 +92,6 @@ _rhiza_make() { # Common make variables variables=( 'DRY_RUN=1:preview mode without making changes' - 'BUMP=patch:bump patch version' - 'BUMP=minor:bump minor version' - 'BUMP=major:bump major version' 'ENV=dev:development environment' 'ENV=staging:staging environment' 'ENV=prod:production environment' diff --git a/.rhiza/make.d/quality.mk b/.rhiza/make.d/quality.mk index f0f303bf..8449f905 100644 --- a/.rhiza/make.d/quality.mk +++ b/.rhiza/make.d/quality.mk @@ -5,7 +5,7 @@ LICENSE_FAIL_ON ?= GPL;LGPL;AGPL # Declare phony targets (they don't produce files) -.PHONY: all deptry fmt license todos suppression-audit semgrep +.PHONY: all deptry fmt license todos semgrep ##@ Quality and Formatting all: fmt deptry test docs-coverage security license typecheck rhiza-test ## run all CI targets locally @@ -52,10 +52,6 @@ todos: ## search and report all TODO/FIXME/HACK comments in the codebase printf "${GREEN}[SUCCESS] No TODO/FIXME/HACK comments found!${RESET}\n" @printf "\n${BLUE}[INFO] Search complete.${RESET}\n" -suppression-audit: install-uv ## scan codebase for inline suppressions and report (grade, detail, histogram) - @printf "${BLUE}[INFO] Running suppression audit...${RESET}\n" - @${UVX_BIN} "rhiza-tools>=0.8.1" suppression-audit - semgrep: install ## run Semgrep static analysis @printf "${BLUE}[INFO] Running Semgrep...${RESET}\n" @if [ -d ${SOURCE_FOLDER} ]; then \ diff --git a/.rhiza/make.d/releasing.mk b/.rhiza/make.d/releasing.mk index 49fe3860..05248384 100644 --- a/.rhiza/make.d/releasing.mk +++ b/.rhiza/make.d/releasing.mk @@ -1,43 +1,16 @@ ## .rhiza/make.d/releasing.mk - Releasing and Versioning -# This file provides targets for version bumping and release management. +# This file provides changelog and release-status helpers. +# +# Version bumping and release tagging are NOT make targets. Releasing is driven +# by the rhiza-claude `/release` command, which derives the next version, bumps +# pyproject.toml, regenerates CHANGELOG.md, and creates the tag locally. Pushing +# that tag triggers the release workflow (rhiza_release.yml). +# See https://github.com/Jebel-Quant/rhiza-claude. # Declare phony targets (they don't produce files) -.PHONY: bump release release-status changelog pre-bump post-bump pre-release post-release - -# Hook targets (double-colon rules allow multiple definitions) -pre-bump:: ; @: -post-bump:: ; @: -pre-release:: ; @: -post-release:: ; @: - -# DRY_RUN support: pass DRY_RUN=1 to preview changes without applying them -_DRY_RUN_FLAG := $(if $(DRY_RUN),--dry-run,) -# BUMP support: pass BUMP=major|minor|patch to choose the bump type explicitly -# (omit BUMP to select the bump type interactively, the default behaviour) -_BUMP_FLAG := $(if $(BUMP),--bump $(BUMP),) -# PUSH support: pass PUSH=1 to push the tag without the interactive y/N prompt -# (omit PUSH to be prompted before the tag is pushed, the default behaviour) -_PUSH_FLAG := $(if $(PUSH),--push,) -_VERSION=0.7.1 +.PHONY: release-status changelog ##@ Releasing and Versioning -bump: pre-bump ## bump version of the project (supports DRY_RUN=1, BUMP=major|minor|patch) - @if [ -f "pyproject.toml" ]; then \ - $(MAKE) install; \ - PATH="$(abspath ${VENV})/bin:$$PATH" ${UVX_BIN} "rhiza-tools>=$(_VERSION)" bump $(_DRY_RUN_FLAG) $(_BUMP_FLAG); \ - if [ -z "$(DRY_RUN)" ]; then \ - printf "${BLUE}[INFO] Checking uv.lock file...${RESET}\n"; \ - ${UV_BIN} lock; \ - fi; \ - else \ - printf "${YELLOW}[WARN] No pyproject.toml found, skipping bump${RESET}\n"; \ - fi - @$(MAKE) post-bump - -release: pre-release install-uv ## bump version, create tag and push to trigger the release workflow (supports DRY_RUN=1, BUMP=major|minor|patch, PUSH=1) - ${UVX_BIN} "rhiza-tools>=$(_VERSION)" release $(_DRY_RUN_FLAG) $(_BUMP_FLAG) $(_PUSH_FLAG); - @$(MAKE) post-release - release-status: ## show release workflow status and latest release information ifeq ($(FORGE_TYPE),github) @{ $(MAKE) --no-print-directory workflow-status; printf "\n"; $(MAKE) --no-print-directory latest-release; } 2>&1 | $${PAGER:-less -R} @@ -52,6 +25,3 @@ changelog: install-uv ## generate/update CHANGELOG.md from git history using git @printf "${BLUE}[INFO] Generating CHANGELOG.md with git-cliff...${RESET}\n" @${UVX_BIN} git-cliff --output CHANGELOG.md @printf "${GREEN}[OK] CHANGELOG.md updated.${RESET}\n" - - - diff --git a/.rhiza/make.d/test.mk b/.rhiza/make.d/test.mk index bd9a2050..9ea61da6 100644 --- a/.rhiza/make.d/test.mk +++ b/.rhiza/make.d/test.mk @@ -110,16 +110,9 @@ typecheck: install ## run ty and/or mypy type checking (TYPECHECKER=ty|mypy|both ;; \ esac -# Extra flags forwarded to pip-audit (e.g. --ignore-vuln CVE-XXXX-YYYY) -PIP_AUDIT_ARGS ?= - -# The 'security' target performs security vulnerability scans. -# 1. Runs pip-audit via `rhiza-tools pip-audit` (tiered policy): fails on runtime -# dep CVEs, warns on tooling (pip/setuptools/wheel). -# 2. Runs bandit to find common security issues in Python source folders that exist. -security: install ## run security scans (pip-audit and bandit) - @printf "${BLUE}[INFO] Running pip-audit for dependency vulnerabilities...${RESET}\n" - @${UVX_BIN} "rhiza-tools>=0.8.1" pip-audit ${PIP_AUDIT_ARGS} +# The 'security' target runs bandit to find common security issues in the +# Python source folders that exist. +security: install ## run security scans (bandit) @bandit_paths=""; \ if [ -d "${SOURCE_FOLDER}" ]; then \ bandit_paths="${SOURCE_FOLDER}"; \ @@ -135,7 +128,6 @@ security: install ## run security scans (pip-audit and bandit) # 1. Installs benchmarking dependencies (pytest-benchmark, pygal). # 2. Executes benchmarks found in the benchmarks/ subfolder. # 3. Generates histograms and JSON results. -# 4. Runs a post-analysis script to process the results. benchmark:: install ## run performance benchmarks @if [ -d "${TESTS_FOLDER}/benchmarks" ]; then \ printf "${BLUE}[INFO] Running performance benchmarks...${RESET}\n"; \ @@ -144,7 +136,6 @@ benchmark:: install ## run performance benchmarks --benchmark-only \ --benchmark-histogram=_tests/benchmarks/histogram \ --benchmark-json=_tests/benchmarks/results.json; \ - ${UVX_BIN} "rhiza-tools>=0.2.3" analyze-benchmarks --benchmarks-json _tests/benchmarks/results.json --output-html _tests/benchmarks/report.html; \ else \ printf "${YELLOW}[WARN] Benchmarks folder not found, skipping benchmarks${RESET}\n"; \ fi diff --git a/.rhiza/rhiza.mk b/.rhiza/rhiza.mk index 973862ac..7d981d83 100644 --- a/.rhiza/rhiza.mk +++ b/.rhiza/rhiza.mk @@ -55,21 +55,10 @@ RESET := \033[0m # Declare phony targets (they don't produce files) .PHONY: \ help \ - post-bump \ post-install \ - post-release \ - post-sync \ - post-validate \ - pre-bump \ pre-install \ - pre-release \ - pre-sync \ - pre-validate \ print-logo \ readme \ - summarise-sync \ - sync \ - validate \ version-matrix \ ci-os-matrix @@ -83,15 +72,6 @@ VENV ?= .venv PYTHON_VERSION ?= $(strip $(shell cat .python-version 2>/dev/null || echo "3.13")) export PYTHON_VERSION -# Read Rhiza version from .rhiza/.rhiza-version (single source of truth for rhiza-tools) -RHIZA_VERSION ?= $(shell cat .rhiza/.rhiza-version 2>/dev/null || echo "0.10.2") -export RHIZA_VERSION - -# Default sync schedule (cron expression for GitHub Actions sync workflow) -# Override in your root Makefile to customise when sync runs. -# Example: RHIZA_SYNC_SCHEDULE = 0 9 * * 1-5 (weekdays at 9 AM UTC) -RHIZA_SYNC_SCHEDULE ?= 0 0 * * 1 - export UV_NO_MODIFY_PATH := 1 export UV_VENV_CLEAR := 1 @@ -135,21 +115,7 @@ endef export RHIZA_LOGO # Declare phony targets for Rhiza Core -.PHONY: print-logo sync sync-experimental materialize validate readme pre-sync post-sync pre-validate post-validate _apply-sync-schedule - -# Hook targets (double-colon rules allow multiple definitions) -# Note: pre-install/post-install are defined in bootstrap.mk -# Note: pre-bump/post-bump/pre-release/post-release are defined in releasing.mk -pre-sync:: ; @: -post-sync:: ; @: -pre-validate:: ; @: -post-validate:: ; @: - -# Detected once at parse time: non-empty when origin is the jebel-quant/rhiza -# mother repository, which by design has no template.yml. The sync/summarise/ -# validate targets are no-ops there. Evaluated a single time and reused so the -# origin regex lives in exactly one place. -IS_MOTHER_REPO := $(shell git remote get-url origin 2>/dev/null | grep -iqE 'jebel-quant/rhiza(\.git)?$$' && echo 1) +.PHONY: print-logo ##@ Rhiza Workflows @@ -157,36 +123,6 @@ print-logo: @printf "${BLUE}$$RHIZA_LOGO${RESET}\n" -sync: pre-sync ## sync with template repository as defined in .rhiza/template.yml - @if [ -n "$(IS_MOTHER_REPO)" ]; then \ - printf "${BLUE}[INFO] Skipping sync in rhiza repository (no template.yml by design)${RESET}\n"; \ - else \ - $(MAKE) install-uv && \ - ${UVX_BIN} "rhiza==$(RHIZA_VERSION)" sync . && \ - $(MAKE) _apply-sync-schedule; \ - fi - @$(MAKE) post-sync - -_apply-sync-schedule: ## (internal) apply RHIZA_SYNC_SCHEDULE override to GitHub Actions sync workflow - @if [ "$(RHIZA_SYNC_SCHEDULE)" != "0 0 * * 1" ] && [ -f .github/workflows/rhiza_sync.yml ]; then \ - sed "s|cron: '[^']*'|cron: '$(RHIZA_SYNC_SCHEDULE)'|" .github/workflows/rhiza_sync.yml > .github/workflows/rhiza_sync.yml.tmp && \ - mv .github/workflows/rhiza_sync.yml.tmp .github/workflows/rhiza_sync.yml; \ - printf "${BLUE}[INFO] Applied custom sync schedule: $(RHIZA_SYNC_SCHEDULE)${RESET}\n"; \ - fi - -materialize: ## [DEPRECATED] use 'make sync' instead — materialize --force is now sync - @printf "${YELLOW}[WARN] 'make materialize' is deprecated and will be removed in a future release.${RESET}\n" - @printf "${YELLOW}[WARN] Please use 'make sync' instead (e.g. 'materialize --force' is now 'make sync').${RESET}\n" - @$(MAKE) sync - -summarise-sync: install-uv ## summarise differences created by sync with template repository - @if [ -n "$(IS_MOTHER_REPO)" ]; then \ - printf "${BLUE}[INFO] Skipping summarise-sync in rhiza repository (no template.yml by design)${RESET}\n"; \ - else \ - $(MAKE) install-uv && \ - ${UVX_BIN} "rhiza==$(RHIZA_VERSION)" summarise .; \ - fi - rhiza-test: install ## run rhiza's own tests (if any) @if [ -d ".rhiza/tests" ]; then \ ${UV_BIN} run --with pytest --with pytest-timeout --with python-dotenv --with packaging pytest .rhiza/tests; \ @@ -194,18 +130,6 @@ rhiza-test: install ## run rhiza's own tests (if any) printf "${YELLOW}[WARN] No .rhiza/tests directory found, skipping rhiza-tests${RESET}\n"; \ fi -validate: pre-validate rhiza-test ## validate project structure against template repository as defined in .rhiza/template.yml - @if [ -n "$(IS_MOTHER_REPO)" ]; then \ - printf "${BLUE}[INFO] Skipping validate in rhiza repository (no template.yml by design)${RESET}\n"; \ - else \ - $(MAKE) install-uv; \ - ${UVX_BIN} "rhiza==$(RHIZA_VERSION)" validate .; \ - fi - @$(MAKE) post-validate - -readme: install-uv ## update README.md with current Makefile help output - @${UVX_BIN} "rhiza-tools>=0.2.0" update-readme - ##@ Meta help: print-logo ## Display this help message @@ -215,9 +139,6 @@ help: print-logo ## Display this help message +@awk 'BEGIN {FS = ":.*##"; printf ""} /^[a-zA-Z_-]+:.*?##/ { printf " $(BLUE)%-20s$(RESET) %s\n", $$1, $$2 } /^##@/ { printf "\n$(BOLD)%s$(RESET)\n", substr($$0, 5) }' $(MAKEFILE_LIST) +@printf "\n" -version-matrix: install-uv ## Emit the list of supported Python versions from pyproject.toml - @${UVX_BIN} "rhiza-tools>=0.2.2" version-matrix - ci-os-matrix: ## Emit GitHub CI OSes (RHIZA_CI_OS_MATRIX as JSON array, default ["ubuntu-latest"]) @$(info $(or $(RHIZA_CI_OS_MATRIX),["ubuntu-latest"])) diff --git a/.rhiza/template.lock b/.rhiza/template.lock index e5d88e66..4a2cb68d 100644 --- a/.rhiza/template.lock +++ b/.rhiza/template.lock @@ -1,7 +1,7 @@ -sha: 8e6a8d48b98db05a10b7da67d26fac7ed54508c8 +sha: 7a906d2cf8c33d1d870ca7c7f5af3127f070c3ed repo: jebel-quant/rhiza host: github -ref: v1.1.3 +ref: v1.2.0 include: [] exclude: [] templates: @@ -20,6 +20,7 @@ files: - .github/pull_request_template.md - .github/release.yml - .github/rulesets/main-branch-protection.json +- .github/rulesets/tag-protection.json - .github/secret_scanning.yml - .github/workflows/rhiza_benchmark.yml - .github/workflows/rhiza_book.yml @@ -31,7 +32,6 @@ files: - .github/workflows/rhiza_paper.yml - .github/workflows/rhiza_release.yml - .github/workflows/rhiza_scorecard.yml -- .github/workflows/rhiza_sync.yml - .github/workflows/rhiza_weekly.yml - .gitignore - .pre-commit-config.yaml @@ -39,7 +39,6 @@ files: - .rhiza/.cfg.toml - .rhiza/.env - .rhiza/.gitignore -- .rhiza/.rhiza-version - .rhiza/CODE_OF_CONDUCT.md - .rhiza/CONTRIBUTING.md - .rhiza/assets/rhiza-logo.svg @@ -78,5 +77,5 @@ files: - ruff.toml profiles: - github-project -synced_at: '2026-07-13T00:15:49Z' +synced_at: '2026-07-16T18:38:21Z' strategy: merge diff --git a/.rhiza/template.yml b/.rhiza/template.yml index 517b8cdd..31946b96 100644 --- a/.rhiza/template.yml +++ b/.rhiza/template.yml @@ -1,5 +1,5 @@ repository: "jebel-quant/rhiza" -ref: "v1.1.3" +ref: "v1.2.0" profiles: - github-project diff --git a/SECURITY.md b/SECURITY.md index 97dffc9a..b5d7ce5e 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -73,7 +73,6 @@ This project implements several security measures: ### Code Scanning - **CodeQL**: Automated code scanning for Python and GitHub Actions - **Bandit**: Python security linter integrated in CI and pre-commit -- **pip-audit**: Dependency vulnerability scanning - **Secret Scanning**: GitHub secret scanning enabled on this repository - **Fuzzing**: ClusterFuzzLite exercises Atheris-based fuzz targets on pull requests and scheduled batch runs