Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions .github/CONFIG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# GitHub Actions Configuration

This document describes the secrets used by the Rhiza-provided GitHub Actions workflows
(`.github/workflows/rhiza_*.yml`) and how to configure them.

## PAT_TOKEN (template sync)

The sync workflow (`.github/workflows/rhiza_sync.yml`) keeps your repository up to date with the
upstream Rhiza template. It commits the synced files directly to a branch or opens a pull request.

By default the workflow authenticates with the automatic `github.token`. That token **cannot push
changes to files under `.github/workflows/`** — GitHub rejects such pushes unless the token has the
`workflow` scope. Since template syncs regularly update workflow files, you should configure a
Personal Access Token (PAT) with that scope and store it as a repository secret named `PAT_TOKEN`.

If `PAT_TOKEN` is not configured, the workflow falls back to `github.token` and prints a warning.
Syncs that touch only non-workflow files will still succeed.

### Creating the token

**Fine-grained PAT** (recommended):

1. Go to **Settings → Developer settings → Fine-grained tokens → Generate new token**
(<https://github.com/settings/personal-access-tokens/new>).
2. Restrict **Repository access** to the repository (or repositories) using Rhiza.
3. Under **Repository permissions**, grant:
- **Contents**: Read and write
- **Workflows**: Read and write
- **Pull requests**: Read and write (needed for the scheduled sync-PR mode)
4. Generate the token and copy it.

**Classic PAT** (alternative):

1. Go to **Settings → Developer settings → Tokens (classic) → Generate new token**.
2. Select the `repo` and `workflow` scopes.
3. Generate the token and copy it.

### Storing the secret

In the repository that consumes Rhiza:

1. Go to **Settings → Secrets and variables → Actions → New repository secret**.
2. Name: `PAT_TOKEN`
3. Value: the token created above.

Or with the GitHub CLI:

```bash
gh secret set PAT_TOKEN
```

A PAT expires; when sync pushes start failing with a `refusing to allow ... workflow` error,
regenerate the token and update the secret.

## Release workflow secrets (optional)

The release workflow (`.github/workflows/rhiza_release.yml`) supports additional secrets, all
optional depending on which release features you use:

| Secret | Purpose |
| --- | --- |
| `PYPI_TOKEN` | Publish the built package to PyPI. Not needed when using trusted publishing (OIDC). |
| `GH_PAT` | Git authentication for installing private dependencies during the release build. |
| `UV_EXTRA_INDEX_URL` | Extra package index URL (with credentials) for private dependencies. |

`GITHUB_TOKEN` is provided automatically by GitHub Actions and needs no configuration.
48 changes: 48 additions & 0 deletions .github/DISCUSSION_TEMPLATE/help-wanted.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
title: "[Help Wanted] "
labels: ["help wanted"]
body:
- type: markdown
attributes:
value: |
Use this template to surface a contribution opportunity. It lets maintainers
describe work that is ready to be picked up — without opening a formal issue.

- type: input
id: area
attributes:
label: Topic / Area
description: Which part of the project does this involve?
placeholder: e.g. CI workflows, documentation, a specific bundle
validations:
required: true

- type: textarea
id: help-needed
attributes:
label: What Help Is Needed
description: Describe the task and what "done" looks like.
validations:
required: true

- type: textarea
id: getting-started
attributes:
label: Getting Started
description: Pointers to relevant files, docs, or prior discussion that help a contributor begin.
placeholder: |
- Relevant files: ...
- Related docs: ...
validations:
required: false

- type: dropdown
id: skill-level
attributes:
label: Skill Level
description: Roughly how much experience is needed to take this on?
options:
- Good first issue (beginner friendly)
- Intermediate
- Advanced
validations:
required: false
40 changes: 40 additions & 0 deletions .github/DISCUSSION_TEMPLATE/ideas.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
title: "[Idea] "
labels: ["enhancement"]
body:
- type: markdown
attributes:
value: |
Propose an idea before implementing it. This lightweight RFC process lets the
community gauge interest and shape the design before any code is written.

- type: textarea
id: idea
attributes:
label: The Idea
description: What are you proposing? Describe it clearly enough that others can react.
validations:
required: true

- type: textarea
id: motivation
attributes:
label: Motivation
description: What problem does this solve, and who benefits?
validations:
required: true

- type: textarea
id: alternatives
attributes:
label: Alternatives Considered
description: Other approaches you weighed, and why this one is preferable.
validations:
required: false

- type: textarea
id: references
attributes:
label: References
description: Links to prior art, related discussions, issues, or external resources.
validations:
required: false
2 changes: 1 addition & 1 deletion .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ updates:
update-types:
- "patch"
- "minor"

commit-message:
prefix: "chore(deps)"
include: "scope"
Expand Down
1 change: 1 addition & 0 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@ Closes #<!-- issue number -->
## Checklist

- [ ] Commit messages follow the [Conventional Commits](https://www.conventionalcommits.org/) format
- [ ] `CHANGELOG.md` entry added (or not needed for this change)
- [ ] Documentation updated if behaviour changed
- [ ] `make deptry` passes (no unused or missing dependencies)
47 changes: 47 additions & 0 deletions .github/rulesets/main-branch-protection.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
{
"name": "main-branch-protection",
"target": "branch",
"enforcement": "active",
"conditions": {
"ref_name": {
"include": ["~DEFAULT_BRANCH"],
"exclude": []
}
},
"rules": [
{ "type": "deletion" },
{ "type": "non_fast_forward" },
{
"type": "pull_request",
"parameters": {
"required_approving_review_count": 1,
"dismiss_stale_reviews_on_push": true,
"require_code_owner_review": true,
"require_last_push_approval": true,
"required_review_thread_resolution": false,
"allowed_merge_methods": ["squash", "merge", "rebase"]
}
},
{
"type": "required_status_checks",
"parameters": {
"strict_required_status_checks_policy": false,
"required_status_checks": [
{ "context": "Pre-commit hooks" },
{ "context": "validation" },
{ "context": "Check dependencies with deptry" },
{ "context": "docs-coverage" },
{ "context": "Security scanning" },
{ "context": "License compliance scan" }
]
}
}
],
"bypass_actors": [
{
"actor_type": "RepositoryRole",
"actor_id": 5,
"bypass_mode": "always"
}
]
}
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_benchmark.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,5 @@ on:

jobs:
benchmark:
uses: jebel-quant/rhiza/.github/workflows/rhiza_benchmark.yml@v0.19.1
uses: jebel-quant/rhiza/.github/workflows/rhiza_benchmark.yml@v1.1.3
secrets: inherit
13 changes: 9 additions & 4 deletions .github/workflows/rhiza_book.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,10 @@
# It combines API documentation, test coverage reports, test results, and
# interactive notebooks into a single GitHub Pages site.
#
# Trigger: This workflow runs on every push to the main or master branch
# Trigger: This workflow runs on every push (any branch), so every commit
# validates that the book still builds. The reusable workflow deploys
# to GitHub Pages only from the repository's default branch and never
# from a fork; other branches build and upload an artifact only.
#
# Components:
# - 📓 Process Marimo notebooks
Expand All @@ -19,12 +22,14 @@ name: "(RHIZA) BOOK"
on:
push:
branches:
- main
- master
- '**'

permissions:
contents: read

jobs:
book:
uses: jebel-quant/rhiza/.github/workflows/rhiza_book.yml@v0.19.1
uses: jebel-quant/rhiza/.github/workflows/rhiza_book.yml@v1.1.3
secrets: inherit
permissions:
contents: read
Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/rhiza_ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,11 @@
# pre-commit hooks, verify documentation coverage, validate the
# project, run security scans, and check license compliance.
#
# Python version matrix source of truth:
# - Implemented in the reusable workflow called below
# - Generated from `Programming Language :: Python :: 3.x` classifiers in pyproject.toml
# - Adding/removing classifiers updates CI Python coverage automatically
#
# Trigger: On push and pull_request.

name: "(RHIZA) CI"
Expand All @@ -21,5 +26,5 @@ on:

jobs:
ci:
uses: jebel-quant/rhiza/.github/workflows/rhiza_ci.yml@v0.19.1
uses: jebel-quant/rhiza/.github/workflows/rhiza_ci.yml@v1.1.3
secrets: inherit
10 changes: 6 additions & 4 deletions .github/workflows/rhiza_codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,6 @@
name: "(RHIZA) CODEQL"

permissions:
security-events: write
packages: read
actions: read
contents: read

on:
Expand All @@ -29,5 +26,10 @@ on:

jobs:
codeql:
uses: jebel-quant/rhiza/.github/workflows/rhiza_codeql.yml@v0.19.1
uses: jebel-quant/rhiza/.github/workflows/rhiza_codeql.yml@v1.1.3
secrets: inherit
permissions:
security-events: write # Upload CodeQL results to code scanning
packages: read
actions: read
contents: read
41 changes: 41 additions & 0 deletions .github/workflows/rhiza_fuzzing.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# This file is part of the jebel-quant/rhiza repository
# (https://github.com/jebel-quant/rhiza).
#
# Workflow: ClusterFuzzLite fuzzing
#
# Purpose: Run coverage-guided fuzzing for the repository's Python security
# parsing utilities. Pull requests run short code-change fuzzing,
# while main-branch pushes and the weekly schedule run batch fuzzing.
#
# Opt-in: fuzzing is OFF by default and very optional. Set the
# repository variable `FUZZING_ENABLED` to 'true' to run it (a
# .clusterfuzzlite/ config must also be present); otherwise the
# reusable workflow skips fuzzing (the run stays green).
#
# Thin stub: the fuzzing logic lives in the reusable workflow in
# jebel-quant/rhiza; this file only wires up the triggers.
#
# Trigger: Pull requests, pushes to main/master, weekly schedule, and manual
# dispatch.

name: "(RHIZA) FUZZING"

on:
pull_request:
branches: [ "main", "master" ]
push:
branches: [ "main", "master" ]
schedule:
- cron: '17 3 * * 6'
workflow_dispatch:

permissions:
contents: read

jobs:
fuzzing:
uses: jebel-quant/rhiza/.github/workflows/rhiza_fuzzing.yml@v1.1.3
secrets: inherit
permissions:
contents: read
security-events: write # Upload fuzzing SARIF to code scanning
2 changes: 1 addition & 1 deletion .github/workflows/rhiza_marimo.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,5 +28,5 @@ on:

jobs:
marimo:
uses: jebel-quant/rhiza/.github/workflows/rhiza_marimo.yml@v0.19.1
uses: jebel-quant/rhiza/.github/workflows/rhiza_marimo.yml@v1.1.3
secrets: inherit
50 changes: 50 additions & 0 deletions .github/workflows/rhiza_mutation.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# This file is part of the jebel-quant/rhiza repository
# (https://github.com/jebel-quant/rhiza).
#
# Workflow: Mutation Testing
#
# Purpose: Measure test *assertion strength* with mutmut. 100% line/branch
# coverage proves code is executed, not that a wrong result would be
# caught; surviving mutants reveal assertions that are too weak.
#
# Opt-in: mutation testing is OFF by default and very optional. Set the
# repository variable `MUTATION_ENABLED` to 'true' to run it; otherwise
# the reusable workflow skips the mutation job (the run stays green).
#
# Enforced gate (when enabled): mutation runs are required and fail when
# mutants survive (100% mutation score threshold in the reusable
# workflow).
#
# Thin stub: the mutation logic and the opt-in gate live in the
# reusable workflow in jebel-quant/rhiza; this file only wires up the
# triggers.
#
# Published mutation badge URL (when enabled):
# https://<org>.github.io/<repo>/mutation-badge.svg
#
# Trigger: Weekly schedule, manual dispatch, and pull_request so mutation
# testing is included in PR CI.

name: "(RHIZA) MUTATION"

permissions:
contents: read

on:
pull_request:
schedule:
- cron: "0 9 * * 1" # Monday 09:00 UTC (after the rhiza weekly job at 08:00)
workflow_dispatch:

jobs:
mutation:
# Opt-in gate: mutation testing is OFF by default. The job only runs when
# this repo sets the `MUTATION_ENABLED` variable to 'true'. Gating here in
# the caller keeps it optional regardless of the pinned reusable workflow.
if: ${{ vars.MUTATION_ENABLED == 'true' }}
uses: jebel-quant/rhiza/.github/workflows/rhiza_mutation.yml@v1.1.3
secrets: inherit
permissions:
contents: read
pages: write # publish-mutation-badge deploys the badge to Pages
id-token: write # publish-mutation-badge needs OIDC for the Pages deploy
Loading
Loading