Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 7 additions & 10 deletions .github/CONFIG.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,15 @@
This document describes the secrets used by the Rhiza-provided GitHub Actions workflows
(`.github/workflows/rhiza_*.yml`) and how to configure them.

## PAT_TOKEN (template sync)
## PAT_TOKEN

The sync workflow (`.github/workflows/rhiza_sync.yml`) keeps your repository up to date with the
upstream Rhiza template. It commits the synced files directly to a branch or opens a pull request.
Some workflows may need to push changes to files under `.github/workflows/`. The
automatic `github.token` **cannot** do that — GitHub rejects such pushes unless
the token carries the `workflow` scope. If you need it, create a Personal Access
Token (PAT) with the `workflow` scope and store it as a repository secret named
`PAT_TOKEN`.

By default the workflow authenticates with the automatic `github.token`. That token **cannot push
changes to files under `.github/workflows/`** — GitHub rejects such pushes unless the token has the
`workflow` scope. Since template syncs regularly update workflow files, you should configure a
Personal Access Token (PAT) with that scope and store it as a repository secret named `PAT_TOKEN`.

If `PAT_TOKEN` is not configured, the workflow falls back to `github.token` and prints a warning.
Syncs that touch only non-workflow files will still succeed.
If `PAT_TOKEN` is not configured, workflows fall back to `github.token`.

### Creating the token

Expand Down
30 changes: 0 additions & 30 deletions .github/PULL_REQUEST_TEMPLATE.md

This file was deleted.

12 changes: 6 additions & 6 deletions .github/rulesets/main-branch-protection.json
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,12 @@
"parameters": {
"strict_required_status_checks_policy": false,
"required_status_checks": [
{ "context": "Pre-commit hooks" },
{ "context": "validation" },
{ "context": "Check dependencies with deptry" },
{ "context": "docs-coverage" },
{ "context": "Security scanning" },
{ "context": "License compliance scan" }
{ "context": "Pre-commit hooks", "integration_id": 15368 },
{ "context": "Check dependencies with deptry", "integration_id": 15368 },
{ "context": "docs-coverage", "integration_id": 15368 },
{ "context": "Security scanning", "integration_id": 15368 },
{ "context": "License compliance scan", "integration_id": 15368 },
{ "context": "CI gate", "integration_id": 15368 }
]
}
}
Expand Down
24 changes: 24 additions & 0 deletions .github/rulesets/tag-protection.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"name": "version-tag-protection",
"target": "tag",
"enforcement": "active",
"conditions": {
"ref_name": {
"include": ["refs/tags/v*"],
"exclude": []
}
},
"rules": [
{ "type": "creation" },
{ "type": "update" },
{ "type": "deletion" },
{ "type": "non_fast_forward" }
],
"bypass_actors": [
{
"actor_type": "RepositoryRole",
"actor_id": 5,
"bypass_mode": "always"
}
]
}
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_benchmark.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,5 @@ on:

jobs:
benchmark:
uses: jebel-quant/rhiza/.github/workflows/rhiza_benchmark.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_benchmark.yml@v1.2.0
secrets: inherit
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_book.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ on:

jobs:
book:
uses: jebel-quant/rhiza/.github/workflows/rhiza_book.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_book.yml@v1.2.0
secrets: inherit
permissions:
contents: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,5 +26,5 @@ on:

jobs:
ci:
uses: jebel-quant/rhiza/.github/workflows/rhiza_ci.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_ci.yml@v1.2.0
secrets: inherit
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ on:

jobs:
codeql:
uses: jebel-quant/rhiza/.github/workflows/rhiza_codeql.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_codeql.yml@v1.2.0
secrets: inherit
permissions:
security-events: write # Upload CodeQL results to code scanning
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_fuzzing.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ permissions:

jobs:
fuzzing:
uses: jebel-quant/rhiza/.github/workflows/rhiza_fuzzing.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_fuzzing.yml@v1.2.0
secrets: inherit
permissions:
contents: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_marimo.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,5 +28,5 @@ on:

jobs:
marimo:
uses: jebel-quant/rhiza/.github/workflows/rhiza_marimo.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_marimo.yml@v1.2.0
secrets: inherit
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_mutation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ jobs:
# this repo sets the `MUTATION_ENABLED` variable to 'true'. Gating here in
# the caller keeps it optional regardless of the pinned reusable workflow.
if: ${{ vars.MUTATION_ENABLED == 'true' }}
uses: jebel-quant/rhiza/.github/workflows/rhiza_mutation.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_mutation.yml@v1.2.0
secrets: inherit
permissions:
contents: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_paper.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ on:

jobs:
paper:
uses: jebel-quant/rhiza/.github/workflows/rhiza_paper.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_paper.yml@v1.2.0
secrets: inherit
permissions:
contents: write
9 changes: 5 additions & 4 deletions .github/workflows/rhiza_release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,10 @@
# 7. 🐳 Publish Devcontainer - Build and publish devcontainer image (conditional)
# 8. ✅ Finalize Release - Publish the GitHub release with links
#
# 📄 CHANGELOG: not updated here. The rhiza-tools `bump` command folds a freshly
# generated CHANGELOG.md into the version-bump commit (git-cliff pre-commit hook),
# so the tagged commit already carries the changelog — no separate post-tag commit.
# 📄 CHANGELOG: not updated here. The release process (rhiza-claude `/release`)
# folds a freshly generated CHANGELOG.md into the version-bump commit before the
# tag is pushed, so the tagged commit already carries the changelog — no separate
# post-tag commit.
#
# 📦 SBOM Generation:
# - Generated using CycloneDX format (industry standard for software supply chain security)
Expand Down Expand Up @@ -221,7 +222,7 @@ jobs:
version: "0.11.16"

- name: Configure git auth for private packages
uses: jebel-quant/rhiza/.github/actions/configure-git-auth@v1.1.3
uses: jebel-quant/rhiza/.github/actions/configure-git-auth@v1.2.0
with:
token: ${{ secrets.GH_PAT }}

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ permissions: read-all

jobs:
scorecard:
uses: jebel-quant/rhiza/.github/workflows/rhiza_scorecard.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_scorecard.yml@v1.2.0
secrets: inherit
permissions:
security-events: write # Upload the SARIF results to code scanning
Expand Down
37 changes: 0 additions & 37 deletions .github/workflows/rhiza_sync.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/rhiza_weekly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,5 @@ on:

jobs:
weekly:
uses: jebel-quant/rhiza/.github/workflows/rhiza_weekly.yml@v1.1.3
uses: jebel-quant/rhiza/.github/workflows/rhiza_weekly.yml@v1.2.0
secrets: inherit
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ repos:
pass_filenames: false

- repo: https://github.com/astral-sh/ruff-pre-commit
rev: 'v0.15.20'
rev: 'v0.15.21'
hooks:
- id: ruff
args: [ --fix, --exit-non-zero-on-fix, --unsafe-fixes ]
Expand Down Expand Up @@ -76,7 +76,7 @@ repos:
- id: betterleaks

- repo: https://github.com/astral-sh/uv-pre-commit
rev: 0.11.26
rev: 0.11.28
hooks:
- id: uv-lock

Expand Down
1 change: 0 additions & 1 deletion .rhiza/.rhiza-version

This file was deleted.

9 changes: 4 additions & 5 deletions .rhiza/completions/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ This directory contains shell completion scripts for Bash and Zsh that provide t

- ✅ Tab-complete all available make targets
- ✅ Show target descriptions in Zsh
- ✅ Complete common make variables (DRY_RUN, BUMP, ENV, etc.)
- ✅ Complete common make variables (DRY_RUN, ENV, etc.)
- ✅ Works with any Rhiza-based project
- ✅ Auto-discovers targets from Makefile and included .mk files

Expand Down Expand Up @@ -117,7 +117,7 @@ make <TAB>
make te<TAB> # Expands to: make test

# Complete variables
make BUMP=<TAB> # Shows: patch, minor, major
make ENV=<TAB> # Shows: dev, staging, prod

# Works with any target
make doc<TAB> # Shows: docs, docker-build, docker-run, etc.
Expand All @@ -144,7 +144,6 @@ The completion scripts understand these common variables:
| Variable | Values | Description |
|----------|--------|-------------|
| `DRY_RUN` | `1` | Preview mode without making changes |
| `BUMP` | `patch`, `minor`, `major` | Version bump type |
| `ENV` | `dev`, `staging`, `prod` | Target environment |
| `COVERAGE_FAIL_UNDER` | (number) | Minimum coverage threshold |
| `PYTHON_VERSION` | (version) | Override Python version |
Expand All @@ -156,10 +155,10 @@ Example usage:
make DRY_<TAB> # Expands to: make DRY_RUN=1

# Tab-complete variable values
make BUMP=<TAB> # Shows: patch minor major
make ENV=<TAB> # Shows: dev staging prod

# Combine with targets
make bump BUMP=<TAB>
make deploy ENV=<TAB>
```

## Troubleshooting
Expand Down
2 changes: 1 addition & 1 deletion .rhiza/completions/rhiza-completion.bash
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ _rhiza_make_completion() {
fi

# Add common make variables that can be overridden
local vars="DRY_RUN=1 BUMP=patch BUMP=minor BUMP=major ENV=dev ENV=staging ENV=prod"
local vars="DRY_RUN=1 ENV=dev ENV=staging ENV=prod"
opts="$opts $vars"

# Generate completions
Expand Down
3 changes: 0 additions & 3 deletions .rhiza/completions/rhiza-completion.zsh
Original file line number Diff line number Diff line change
Expand Up @@ -92,9 +92,6 @@ _rhiza_make() {
# Common make variables
variables=(
'DRY_RUN=1:preview mode without making changes'
'BUMP=patch:bump patch version'
'BUMP=minor:bump minor version'
'BUMP=major:bump major version'
'ENV=dev:development environment'
'ENV=staging:staging environment'
'ENV=prod:production environment'
Expand Down
6 changes: 1 addition & 5 deletions .rhiza/make.d/quality.mk
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
LICENSE_FAIL_ON ?= GPL;LGPL;AGPL

# Declare phony targets (they don't produce files)
.PHONY: all deptry fmt license todos suppression-audit semgrep
.PHONY: all deptry fmt license todos semgrep

##@ Quality and Formatting
all: fmt deptry test docs-coverage security license typecheck rhiza-test ## run all CI targets locally
Expand Down Expand Up @@ -52,10 +52,6 @@ todos: ## search and report all TODO/FIXME/HACK comments in the codebase
printf "${GREEN}[SUCCESS] No TODO/FIXME/HACK comments found!${RESET}\n"
@printf "\n${BLUE}[INFO] Search complete.${RESET}\n"

suppression-audit: install-uv ## scan codebase for inline suppressions and report (grade, detail, histogram)
@printf "${BLUE}[INFO] Running suppression audit...${RESET}\n"
@${UVX_BIN} "rhiza-tools>=0.8.1" suppression-audit

semgrep: install ## run Semgrep static analysis
@printf "${BLUE}[INFO] Running Semgrep...${RESET}\n"
@if [ -d ${SOURCE_FOLDER} ]; then \
Expand Down
Loading