# feat: add template infrastructure (2026-04-07 audit) #1 (Closed)

NWarila wants to merge 15 commits into
Add all template components: reusable Python QA workflow, check scripts, reference configs, sync mechanism, setup action, and test suite.

Includes audit fixes from 2026-04-07:

- Add PT (flake8-pytest-style) to ruff select in pyproject.toml
- Add tests to ruff src paths in pyproject.toml
- Add concurrency group to template-ci.yml
- Add pip ecosystem to dependabot.yml
- Fix line-length violation in test_scripts.py

- Remove unused `os` import from qa.py
- Extract unicode escape from f-string expression (Python 3.11 compat)
- Use set comprehension instead of set() call in qa.py
- Use unpacking instead of list concatenation in qa.py
- Split long line in check_package.py to stay under 120 chars
- Add [build-system] and [tool.setuptools] packages=[] to pyproject.toml to prevent setuptools auto-discovering actions/ and reference/ dirs
- Add .markdownlint-cli2.jsonc at repo root (was only in reference/)

- Add type arguments to dict return types (mypy strict)
- Split long line in check_package.py differently to fit 120 chars
- Use setuptools.build_meta instead of legacy backend for editable install

- Apply ruff format to qa.py
- Add typing.Any import and use dict[str, Any] for pyproject return types
- Add pythonpath=["src"] to smoke project pytest config for src-layout import resolution without requiring package installation
- Add pythonpath=["src"] to reference pyproject.toml as best practice
- Use setuptools.build_meta in smoke project conftest (same as template)
- Change --cov=smoke_project to --cov=src for consistency

- Fix smoke CLI to accept argv parameter, preventing sys.argv bleed from pytest into argparse during test_main_runs
- Add build, twine, validate-pyproject, pip-audit to template dev deps so check_package and check_security scripts can find their tools during smoke tests

- Remove if __name__ block from smoke CLI to bring coverage above 90%
- Add README.md and readme field to smoke project for twine --strict
check_package.py now uses shutil.which() to verify entry points are installed before attempting to run them. This prevents failures when the package is validated without being pip-installed.
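As an added example (not the PR's own check_package.py or smoke CLI), the script below combines two of the changes described in the commits above: it looks up each `[project.scripts]` entry point with `shutil.which()` before executing it, so a package that was never pip-installed is reported rather than crashed on, and its `main()` takes an explicit `argv` so test code never inherits pytest's `sys.argv`. Output is plain ASCII, in line with the console-encoding fix. The sample pyproject contents, the script names and the `simulate()` helper are assumptions made for this demo.

```python
"""Verify console-script entry points before running them (added example)."""
from __future__ import annotations

import argparse
import re
import shutil
import stat
import subprocess
import sys
import tempfile
from pathlib import Path

try:  # tomllib is in the standard library from Python 3.11
    import tomllib
except ImportError:  # older interpreter: the minimal fallback parser below is used
    tomllib = None  # type: ignore[assignment]

# Constructed sample pyproject.toml; script names and modules are hypothetical.
SAMPLE_PYPROJECT = """\
[project]
name = "smoke-project"
version = "0.1.0"

[project.scripts]
smoke-cli = "smoke_project.cli:main"
smoke-report = "smoke_project.report:main"
"""

_SCRIPT_LINE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*"([^"]+)"\s*$')


def declared_scripts(pyproject_text: str) -> dict[str, str]:
    """Return the [project.scripts] table as {script-name: "module:function"}."""
    if tomllib is not None:
        data = tomllib.loads(pyproject_text)
        return dict(data.get("project", {}).get("scripts", {}))
    scripts: dict[str, str] = {}  # fallback: parses only the [project.scripts] table
    in_table = False
    for line in pyproject_text.splitlines():
        if line.strip().startswith("["):
            in_table = line.strip() == "[project.scripts]"
            continue
        match = _SCRIPT_LINE.match(line) if in_table else None
        if match:
            scripts[match.group(1)] = match.group(2)
    return scripts


def missing_entry_points(pyproject_text: str, path: str | None = None) -> list[str]:
    """Script names shutil.which() cannot find on PATH (or on `path` when given)."""
    return sorted(n for n in declared_scripts(pyproject_text) if shutil.which(n, path=path) is None)


def run_entry_points(pyproject_text: str, path: str | None = None) -> int:
    """Run `<script> --help` for each installed entry point; return the failure count.

    Entry points not on PATH are skipped with a message instead of raising
    FileNotFoundError, which is what happens when the package is not installed.
    """
    failures = 0
    for name in declared_scripts(pyproject_text):
        exe = shutil.which(name, path=path)
        if exe is None:
            print(f"skip: {name} not on PATH (package not installed?)")
            continue
        result = subprocess.run([exe, "--help"], capture_output=True, text=True)
        if result.returncode != 0:
            failures += 1
            print(f"FAIL: {name} --help exited {result.returncode}")
        else:
            print(f"ok: {name} -> {exe}")  # ASCII arrow: safe on a Windows console
    return failures


def main(argv: list[str] | None = None) -> int:
    """argv=None means sys.argv[1:]; tests pass an explicit list instead."""
    parser = argparse.ArgumentParser(description="verify console-script entry points")
    parser.add_argument("pyproject", nargs="?", default="pyproject.toml")
    parser.add_argument("--list-only", action="store_true",
                        help="report missing entry points without running anything")
    args = parser.parse_args(argv)
    text = Path(args.pyproject).read_text(encoding="utf-8")
    if args.list_only:
        for name in missing_entry_points(text):
            print(f"missing: {name}")
        return 0
    return 1 if run_entry_points(text) else 0


def simulate(installed: list[str]) -> tuple[list[str], int, int]:
    """Demo helper (hypothetical): fake a PATH holding only `installed` stub scripts.

    Returns (missing entry points, run failures, exit code of main(["--list-only", ...])).
    POSIX only, because the stubs are tiny shell scripts.
    """
    with tempfile.TemporaryDirectory() as tmp:
        for name in installed:
            stub = Path(tmp) / name
            stub.write_text("#!/bin/sh\nexit 0\n", encoding="utf-8")
            stub.chmod(stub.stat().st_mode | stat.S_IXUSR)
        pyproject = Path(tmp) / "pyproject.toml"
        pyproject.write_text(SAMPLE_PYPROJECT, encoding="utf-8")
        missing = missing_entry_points(SAMPLE_PYPROJECT, path=tmp)
        failures = run_entry_points(SAMPLE_PYPROJECT, path=tmp)
        code = main(["--list-only", str(pyproject)])
    return missing, failures, code


if __name__ == "__main__":
    sys.exit(main())
```

Because `main()` receives `argv` explicitly, a test can call `main(["--list-only", path])` while pytest's own options (such as `--cov=src`) sit in `sys.argv` without argparse ever seeing them.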
Replace Unicode box-drawing character (U+2500) with plain ASCII dash to avoid UnicodeEncodeError on Windows default console encoding.
b4189e4 to
fd2e2f4
Switch both root and reference .gitignore to the org-standard allowlist model (** deny-all, explicit tracked roots). Align .gitattributes with comment-rich, purpose-grouped format and add explicit normalization for ignore/attribute files themselves.
…ADME Update PLAN.md resolved decisions, required baseline, reference-only starters, and repo-owned sections to reflect the standardized allowlist gitignore and comment-rich gitattributes baselines. Add Git Hygiene Standard section and updated quick start to README.
Restrict all jobs to contents:read by default. The dependency-review job retains its own permissions block for pull-requests:read.
The conventional location for repo-internal composite actions is .github/actions/, not a top-level actions/ directory. Update all references in template-ci.yml, .gitignore, PLAN.md, and README.md.
NWarila (Owner, Author): Superseded by #2, which contains all commits from this branch plus the 2026-04-08 audit follow-up work.
NWarila added a commit that referenced this pull request on Apr 8, 2026:
## Summary

- Refresh third-party action SHA pins and version comments
- **Add self-dogfooding model**: template-ci.yml now runs quality gates from `.github/scripts/` (released copies) instead of `scripts/` (development source)

### Action pin updates

- `actions/setup-python`: version comment updated to v6.2.0 (same SHA)
- `actions/dependency-review-action`: version comment updated to v4.9.0 (same SHA)
- `astral-sh/setup-uv`: SHA updated from v7 to v8.0.0

### Dogfooding infrastructure

- **`.github/scripts/`**: Seeded from current `scripts/` — these are the scripts template-ci.yml uses
- **`auto-release.yml`**: Auto-creates a patch release when `scripts/` changes land on main
- **`self-update.yml`**: Nightly check downloads released scripts into `.github/scripts/` and opens a PR
- **`template-ci.yml`** and **composite action**: Updated to reference `.github/scripts/`
- **PLAN.md**: Documents the dogfooding architecture

### How the dogfood loop works

1. Developer changes `scripts/` → merges to main
2. `auto-release.yml` creates a new patch release
3. Nightly `self-update.yml` detects the release → downloads scripts to `.github/scripts/` → opens PR
4. CI on that PR runs the NEW scripts against the repo
5. If green, merge updates the dogfood scripts

This ensures the template validates itself with the same artifacts it ships to downstream repos.

## What remains blocked

- PR #1 requires human review to merge
- `dependency-review-action` Node.js 20 deprecation (no newer SHA available)
- `sync-downstream.yml` UNVERIFIED-LIVE-RUN-REQUIRED
## Summary

- (`python-qa.yml`), 6 check scripts, `qa.py` orchestrator, cross-platform setup scripts, reference configs, sync mechanism, composite setup action, and test suite
- `.gitignore` and `.gitattributes` to org-standard allowlist model aligned with `nwarila/.github`
- `template-ci.yml` with top-level least-privilege permissions

## Changes in this update

### Git hygiene standardization

- `.gitignore` switch to `**` deny-all with explicit allowlisting (matching org DESIGN.md)
- `.gitattributes` gain comment-rich grouping, `.gitignore`/`.gitattributes` self-normalization, and consistent ordering

### Security hardening

- `template-ci.yml` gains `permissions: { contents: read }` at top level for least-privilege defaults

### Audit coverage

All 13 Template CI checks passed on the prior push. This update adds 3 commits for gitignore/gitattributes standardization, documentation, and permissions hardening.

## What remains blocked

- `actions/dependency-review-action` emits Node.js 20 deprecation warning (no newer version available)
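The two hardening items described in this summary and in the permissions commit above (a top-level `permissions: { contents: read }` default with a per-job override only where a job needs more, and third-party actions pinned to full commit SHAs with a version comment) can be checked mechanically. The checker below is an added example, not a script from this template repository: it is deliberately line-based so it needs no YAML library, the two workflow texts are constructed samples, the local action path is hypothetical, and the 40-hex SHAs are placeholders rather than real commits.

```python
"""Audit a GitHub Actions workflow for least-privilege permissions and SHA pins."""
from __future__ import annotations

import re

# Constructed "before" workflow: no top-level permissions, floating action tags.
WEAK_WORKFLOW = """\
name: template-ci
on: [push, pull_request]
jobs:
  qa:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/dependency-review-action@v4
"""

# Constructed "after" workflow: contents: read by default, a concurrency group,
# SHA-pinned actions, and only the dependency-review job widening its own token.
# The SHAs below are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: template-ci
on: [push, pull_request]
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  qa:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.0.0 (placeholder SHA)
      - uses: ./.github/actions/setup-python-qa  # hypothetical local composite action
      - uses: actions/setup-python@1111111111111111111111111111111111111111 # v6.2.0 (placeholder SHA)
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/dependency-review-action@2222222222222222222222222222222222222222 # v4.9.0 (placeholder SHA)
"""

# Matches `uses: owner/repo@ref` with an optional trailing `# comment`. Local
# actions (`uses: ./path`) carry no `@ref`, so they never match and are skipped.
_USES = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?$")
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings: list[str] = []
    lines = text.splitlines()
    # Check 1: a top-level (column 0) permissions block. Job-level blocks are
    # indented, so they do not satisfy this; they are the per-job override.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level permissions block; jobs get the default GITHUB_TOKEN scopes")
    # Check 2: every third-party action pinned to an immutable commit SHA, with
    # a `# vX.Y.Z` comment so the pinned version stays reviewable.
    for number, line in enumerate(lines, start=1):
        match = _USES.match(line)
        if not match:
            continue
        action, ref, comment = match.group("action", "ref", "comment")
        if not _FULL_SHA.match(ref):
            findings.append(f"line {number}: {action} pinned to mutable ref '{ref}', not a commit SHA")
        elif not comment or not re.match(r"v\d", comment):
            findings.append(f"line {number}: {action} SHA pin has no '# vX.Y.Z' version comment")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        problems = audit_workflow(text)
        print(f"{label}: {len(problems)} finding(s)")
        for problem in problems:
            print(f"  - {problem}")
```

On the weak sample the checker reports the missing top-level `permissions:` plus one mutable-ref finding per `uses:` line; the hardened sample passes cleanly, with the `dependency-review` job's indented `permissions:` block left alone as the intended override.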