ci: modernize and harden GitHub Actions workflows#197
Merged
Conversation
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughUpdates CI and repository maintenance: Dependabot now checks GitHub Actions daily; workflows are pinned and granted explicit job permissions; PyPI publish and test workflows are modernized; pyproject and Ruff added; library typing, timeout, cache, tests, fixtures, README, and tox updated. ChangesRepo maintenance and CI updates
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (3)
.github/workflows/publish-to-pypi.yml (2)
16-16: ⚡ Quick winConsider disabling credential persistence for enhanced security.
Setting
persist-credentials: falseprevents the GitHub token from persisting in the local git config after checkout, reducing the risk of accidental credential exposure.🔒 Proposed security enhancement
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-to-pypi.yml at line 16, The checkout step currently uses actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5; update the actions/checkout invocation to include persist-credentials: false to prevent the GITHUB_TOKEN from being written into local git config after checkout. Locate the checkout step (the line with actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) and add the persist-credentials: false option under its with: block so credential persistence is disabled.
17-20: ⚡ Quick winPython 3.12 publish workflow metadata is already compatible.
setup.pysetspython_requires=">=3.8"and includesProgramming Language :: Python :: 3.12classifier.- No python-version constraints were found in
requirements*.txt(they’re unpinned); the runtime dependency declared for the package is onlyinstall_requires=["requests"].- Publish job builds on 3.12 but doesn’t install/run tests; add a 3.12 test/build job if you want stronger assurance.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-to-pypi.yml around lines 17 - 20, The workflow currently only uses the "Set up Python 3.12" step to publish but does not run any tests or a build on 3.12; add a separate job (or extend the existing publish job) that runs on ubuntu-latest with a step using actions/setup-python@... with python-version: "3.12" and add sequential steps named "Install dependencies" (pip install -r requirements-dev.txt or pip install -e .), "Run tests" (pytest or your test command), and "Build package" (python -m build or python setup.py sdist bdist_wheel) so the package is actually built and tested on Python 3.12 before publishing. Ensure step names match the existing labels like "Set up Python 3.12" and include failing behavior if tests/build fail so the publish job is gated..github/workflows/test.yml (1)
23-25: ⚡ Quick winConsider disabling credential persistence for enhanced security.
Both checkout steps should set
persist-credentials: falseto prevent the GitHub token from persisting in the local git config. This is particularly important when working with artifacts, as credentials could inadvertently be included in uploaded artifacts.🔒 Proposed security enhancement
For the tests job checkout (lines 23-25):
- name: 📥 Checkout the repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 2 + persist-credentials: falseFor the coverage job checkout (lines 48-50):
- name: 📥 Checkout the repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 2 + persist-credentials: falseAlso applies to: 48-50
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/test.yml around lines 23 - 25, The checkout steps using actions/checkout (the invocations with fetch-depth: 2) should explicitly disable credential persistence by adding persist-credentials: false to each checkout action (both the tests job and the coverage job checkout invocations) so the GITHUB_TOKEN is not written to the repo git config or included in artifacts; update the checkout blocks that reference actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 to include persist-credentials: false alongside fetch-depth.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-to-pypi.yml:
- Around line 12-14: The workflow mixes OIDC permissions and legacy token auth:
the permissions block sets id-token: write but the pypa/gh-action-pypi-publish
step still passes user: __token__ and password: ${{ secrets.PYPI_TOKEN }}; pick
one approach and make the config consistent — either remove the user/password
inputs from the pypa/gh-action-pypi-publish step and configure PyPI/Repository
to accept OIDC (keeping permissions: id-token: write), or remove id-token: write
from the permissions block and keep the existing user: __token__ / password: ${{
secrets.PYPI_TOKEN }} usage; update the publish step and permissions accordingly
and ensure references to secrets.PYPI_TOKEN or OIDC setup are adjusted to match
(look for id-token, permissions, pypa/gh-action-pypi-publish, user, password,
secrets.PYPI_TOKEN).
---
Nitpick comments:
In @.github/workflows/publish-to-pypi.yml:
- Line 16: The checkout step currently uses
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5; update the
actions/checkout invocation to include persist-credentials: false to prevent the
GITHUB_TOKEN from being written into local git config after checkout. Locate the
checkout step (the line with
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) and add the
persist-credentials: false option under its with: block so credential
persistence is disabled.
- Around line 17-20: The workflow currently only uses the "Set up Python 3.12"
step to publish but does not run any tests or a build on 3.12; add a separate
job (or extend the existing publish job) that runs on ubuntu-latest with a step
using actions/setup-python@... with python-version: "3.12" and add sequential
steps named "Install dependencies" (pip install -r requirements-dev.txt or pip
install -e .), "Run tests" (pytest or your test command), and "Build package"
(python -m build or python setup.py sdist bdist_wheel) so the package is
actually built and tested on Python 3.12 before publishing. Ensure step names
match the existing labels like "Set up Python 3.12" and include failing behavior
if tests/build fail so the publish job is gated.
In @.github/workflows/test.yml:
- Around line 23-25: The checkout steps using actions/checkout (the invocations
with fetch-depth: 2) should explicitly disable credential persistence by adding
persist-credentials: false to each checkout action (both the tests job and the
coverage job checkout invocations) so the GITHUB_TOKEN is not written to the
repo git config or included in artifacts; update the checkout blocks that
reference actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 to include
persist-credentials: false alongside fetch-depth.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 673e3b6a-15cb-479e-819c-5ef78df7eb00
📒 Files selected for processing (5)
.github/dependabot.yml.github/workflows/codeql-analysis.yml.github/workflows/publish-to-pypi.yml.github/workflows/release-drafter.yml.github/workflows/test.yml
💤 Files with no reviewable changes (1)
- .github/workflows/codeql-analysis.yml
Owner
Author
|
@coderabbitai review |
Contributor
✅ Actions performedReview triggered.
|
Contributor
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/test.yml (1)
36-40:⚠️ Potential issue | 🟠 Major | ⚡ Quick winFix artifact name collision in test matrix (
coverage-data)
Thetestsjob runs a Python matrix (3.9–3.14) and every matrix entry uploadsactions/upload-artifact@v4.6.2with the fixed artifact namecoverage-data—butactions/upload-artifact@v4no longer allows uploading to the same named artifact multiple times in a workflow run, so thecoveragejob’s later download ofcoverage-datacan fail/break nondeterministically.Either upload only once (single matrix entry) or make the artifact name unique per Python version and update the download step accordingly.
Minimal fix
- name: 📤 Upload coverage to Codecov + if: matrix.python-version == '3.14' uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage-data path: "coverage.xml"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/test.yml around lines 36 - 40, The artifact name collision happens because every matrix entry uploads the same artifact name "coverage-data"; change the upload step (named "📤 Upload coverage to Codecov" using actions/upload-artifact@ea165f8...) to produce a unique name per matrix run (e.g., include the matrix value like "coverage-data-${{ matrix.python-version }}" or runner info) and then update the corresponding download step in the later "coverage" job to request the matching dynamic artifact name (use the same matrix or derive the version used) so each matrix entry uploads distinct artifacts or alternatively restrict uploads to a single matrix entry.openeihttp/__init__.py (1)
103-108:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winFix typo in error message.
Line 104 contains "reteiving" which should be "retrieving".
✏️ Proposed fix
- "An error reteiving data from the server, code: %s\nmessage: %s", + "An error retrieving data from the server, code: %s\nmessage: %s",🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@openeihttp/__init__.py` around lines 103 - 108, Fix the typo in the error log message: change the string passed to _LOGGER.error in the block that logs server response errors (the call using _LOGGER.error with response.status and message) so "reteiving" is corrected to "retrieving"; ensure the surrounding arguments (response.status, message) and the subsequent assignment message = {"error": message} remain unchanged.
🧹 Nitpick comments (1)
tox.ini (1)
11-12: Verify intentional move of lint/mypy from Python 3.13 to 3.14.The PR changed the gh-actions mapping so that
lintandmypynow run only under Python 3.14 instead of 3.13. This means in CI these checks will only execute on the newest Python version. While this reduces CI time, it could miss Python-version-specific lint or type-checking issues on 3.13.Please confirm this is intentional and acceptable for your testing strategy.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tox.ini` around lines 11 - 12, The GH Actions matrix was changed so lint and mypy are only listed under "3.14: py314, lint, mypy" whereas "3.13: py313" no longer runs those checks; confirm if that change is intentional and acceptable, and if not, move "lint" and "mypy" back into the 3.13 entry (i.e., make the mappings "3.13: py313, lint, mypy" and "3.14: py314" or add lint/mypy to both entries) or add a note in CI docs explaining the deliberate choice to run lint/type-check only on 3.14; update the tox/GH-actions mapping accordingly (look for the lines with "3.13: py313" and "3.14: py314, lint, mypy").
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@openeihttp/__init__.py`:
- Around line 201-206: The error handling block that assumes result["error"] is
a dict with a "message" key is unsafe and can TypeError when process_request()
returns a string error (timeout/ContentTypeError); update the block in
__init__.py to defensively check the shape of result["error"] (use
isinstance(result["error"], dict) and "message" in result["error"]) before
accessing message, otherwise treat result["error"] as a raw message string for
logging and rate-limit detection; keep the same behavior of raising RateLimit
when the message contains "You have exceeded your rate limit." and raise
APIError for other cases, and reference the existing result variable and the
same logging call (_LOGGER.error) so behavior remains consistent.
- Around line 151-154: The current error branch in process_request/result
handling accesses result["error"]["message"] but process_request() sometimes
sets result["error"] to a string for local errors (timeout/ContentTypeError),
which will raise a TypeError; update the check in the block that calls
_LOGGER.error and raise APIError (the code that currently does if "error" in
result -> message = result["error"]["message"] _) to handle both forms: detect
whether result["error"] is a mapping with a "message" key and extract that,
otherwise treat result["error"] as the message string (or str() it), log the
derived message with _LOGGER.error("Error: %s", message), and then raise
APIError as before so both API-format and local error strings are handled
safely.
In `@pyproject.toml`:
- Line 13: The project declares requires-python = ">=3.8" but the classifiers
list is missing the Python 3.8 classifier; update the classifiers block (the
"classifiers" table in pyproject.toml) to include "Programming Language ::
Python :: 3.8" so the metadata matches the requires-python setting and covers
3.8 through the existing 3.9–3.14 entries.
---
Outside diff comments:
In @.github/workflows/test.yml:
- Around line 36-40: The artifact name collision happens because every matrix
entry uploads the same artifact name "coverage-data"; change the upload step
(named "📤 Upload coverage to Codecov" using actions/upload-artifact@ea165f8...)
to produce a unique name per matrix run (e.g., include the matrix value like
"coverage-data-${{ matrix.python-version }}" or runner info) and then update the
corresponding download step in the later "coverage" job to request the matching
dynamic artifact name (use the same matrix or derive the version used) so each
matrix entry uploads distinct artifacts or alternatively restrict uploads to a
single matrix entry.
In `@openeihttp/__init__.py`:
- Around line 103-108: Fix the typo in the error log message: change the string
passed to _LOGGER.error in the block that logs server response errors (the call
using _LOGGER.error with response.status and message) so "reteiving" is
corrected to "retrieving"; ensure the surrounding arguments (response.status,
message) and the subsequent assignment message = {"error": message} remain
unchanged.
---
Nitpick comments:
In `@tox.ini`:
- Around line 11-12: The GH Actions matrix was changed so lint and mypy are only
listed under "3.14: py314, lint, mypy" whereas "3.13: py313" no longer runs
those checks; confirm if that change is intentional and acceptable, and if not,
move "lint" and "mypy" back into the 3.13 entry (i.e., make the mappings "3.13:
py313, lint, mypy" and "3.14: py314" or add lint/mypy to both entries) or add a
note in CI docs explaining the deliberate choice to run lint/type-check only on
3.14; update the tox/GH-actions mapping accordingly (look for the lines with
"3.13: py313" and "3.14: py314, lint, mypy").
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4f33b399-e525-449e-b4cd-8b64e18503b0
📒 Files selected for processing (26)
.github/workflows/publish-to-pypi.yml.github/workflows/test.yml.pre-commit-config.yaml.vscode/settings.jsonREADME.mdopeneihttp/__init__.pyopeneihttp/cache.pypylintrcpyproject.tomlrequirements.txtrequirements_lint.txtrequirements_test.txtsetup.pytests/conftest.pytests/fixtures/api_error.jsontests/fixtures/fixed_charge_rate.jsontests/fixtures/lookup.jsontests/fixtures/lookup_radius.jsontests/fixtures/plan_adjustments_data.jsontests/fixtures/plan_data.jsontests/fixtures/plan_demand_data.jsontests/fixtures/plan_tier_data.jsontests/fixtures/rate_limit.jsontests/fixtures/sell_rate.jsontests/test_init.pytox.ini
💤 Files with no reviewable changes (2)
- pylintrc
- setup.py
✅ Files skipped from review due to trivial changes (12)
- requirements.txt
- README.md
- tests/fixtures/sell_rate.json
- tests/fixtures/plan_data.json
- tests/fixtures/rate_limit.json
- .vscode/settings.json
- tests/fixtures/lookup_radius.json
- tests/fixtures/plan_tier_data.json
- tests/fixtures/lookup.json
- tests/conftest.py
- tests/fixtures/api_error.json
- tests/fixtures/plan_demand_data.json
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request modernizes and hardens the GitHub Actions workflows and package configurations in the repository, adds Python 3.14 testing support, migrates setup.py to pyproject.toml, and updates documentation.
Changes:
CI/CD Hardening & Dependabot:
github-actionspackage ecosystem todependabot.ymlto track updates to pinned action SHAs.codeql-analysis.yml) in favor of default GitHub code scanning.test.yml,publish-to-pypi.yml, andrelease-drafter.ymlto their specific commit SHAs (e.g.checkout@v4.3.1,setup-python@v5.6.0,upload-artifact@v4.6.2,download-artifact@v4.3.0,codecov-action@v6.0.1,release-drafter@v7.3.0, andgh-action-pypi-publish@v1.14.0).contents: readon test/publish workflows,id-token: writeon PyPI publish workflow for OIDC Trusted Publishing,contents: write/pull-requests: writeon release-drafter).test.ymlwhere a checkout parameter (fetch-depth) was being passed.Python 3.14 Integration:
test.ymlmatrix to target Python3.14.py314totox.inienvlist and mapped Python3.14to run tests, lint, and mypy in[gh-actions].3.11through3.14classifiers to packaging metadata.Modernized Packaging:
setup.pyto modern PEP 621 declarative metadata inpyproject.tomlusingsetuptoolsbuild-backend.publish-to-pypi.ymlpackage build command to use modernpython3 -m buildinstead of deprecatedpython3 setup.py sdist bdist_wheel.Documentation:
README.mdto document all features, installation, lookup examples, quick start script, and a detailed API reference for properties and methods.Summary by CodeRabbit
Documentation
Chores
Tooling
Tests