chore: refresh action version pins (2026-04-08 audit)#2
Merged
Conversation
Add all template components: reusable Python QA workflow, check scripts, reference configs, sync mechanism, setup action, and test suite. Includes audit fixes from 2026-04-07:
- Add PT (flake8-pytest-style) to ruff select in pyproject.toml
- Add tests to ruff src paths in pyproject.toml
- Add concurrency group to template-ci.yml
- Add pip ecosystem to dependabot.yml
- Fix line-length violation in test_scripts.py

- Remove unused `os` import from qa.py
- Extract unicode escape from f-string expression (Python 3.11 compat)
- Use set comprehension instead of set() call in qa.py
- Use unpacking instead of list concatenation in qa.py
- Split long line in check_package.py to stay under 120 chars
- Add [build-system] and [tool.setuptools] packages=[] to pyproject.toml to prevent setuptools auto-discovering actions/ and reference/ dirs
- Add .markdownlint-cli2.jsonc at repo root (was only in reference/)

- Add type arguments to dict return types (mypy strict)
- Split long line in check_package.py differently to fit 120 chars
- Use setuptools.build_meta instead of legacy backend for editable install

- Apply ruff format to qa.py
- Add typing.Any import and use dict[str, Any] for pyproject return types
- Add pythonpath=["src"] to smoke project pytest config for src-layout import resolution without requiring package installation
- Add pythonpath=["src"] to reference pyproject.toml as best practice
- Use setuptools.build_meta in smoke project conftest (same as template)
- Change --cov=smoke_project to --cov=src for consistency

- Fix smoke CLI to accept argv parameter, preventing sys.argv bleed from pytest into argparse during test_main_runs
- Add build, twine, validate-pyproject, pip-audit to template dev deps so check_package and check_security scripts can find their tools during smoke tests

- Remove if __name__ block from smoke CLI to bring coverage above 90%
- Add README.md and readme field to smoke project for twine --strict
check_package.py now uses shutil.which() to verify entry points are installed before attempting to run them. This prevents failures when the package is validated without being pip-installed.
Replace Unicode box-drawing character (U+2500) with plain ASCII dash to avoid UnicodeEncodeError on Windows default console encoding.
Switch both root and reference .gitignore to the org-standard allowlist model (** deny-all, explicit tracked roots). Align .gitattributes with comment-rich, purpose-grouped format and add explicit normalization for ignore/attribute files themselves.
…ADME Update PLAN.md resolved decisions, required baseline, reference-only starters, and repo-owned sections to reflect the standardized allowlist gitignore and comment-rich gitattributes baselines. Add Git Hygiene Standard section and updated quick start to README.
Restrict all jobs to contents:read by default. The dependency-review job retains its own permissions block for pull-requests:read.
The conventional location for repo-internal composite actions is .github/actions/, not a top-level actions/ directory. Update all references in template-ci.yml, .gitignore, PLAN.md, and README.md.
…0.0)
- Update actions/setup-python version comment to v6.2.0 (same SHA, tag moved without code change)
- Update actions/dependency-review-action comment to v4.9.0 (same SHA)
- Update astral-sh/setup-uv from v7 to v8.0.0 with new SHA; v8 breaking changes (removed deprecated manifest format, stopped publishing major tags) do not affect this repo's usage pattern

- Add .github/scripts/ seeded from scripts/ — template-ci.yml now runs quality gates from these released copies instead of the development source
- Add auto-release.yml: auto-creates a patch release when scripts/ changes land on main
- Add self-update.yml: nightly check downloads released scripts into .github/scripts/ and opens a PR when a new release is detected
- Update template-ci.yml and composite action to reference .github/scripts/
- Document the dogfooding model in PLAN.md

This ensures the template validates itself with the same artifacts it ships to downstream repos, catching regressions before they propagate.

- Make setup.sh/setup.ps1 accept PROJECT_ROOT env var override so they work when called from .github/scripts/ (two levels deep instead of one)
- Pass PROJECT_ROOT=$GITHUB_WORKSPACE in composite action
- Fix self-update.yml YAML syntax error (heredoc inside run block)
Summary

`.github/scripts/` (released copies) instead of `scripts/` (development source)

Action pin updates
- actions/setup-python: version comment updated to v6.2.0 (same SHA)
- actions/dependency-review-action: version comment updated to v4.9.0 (same SHA)
- astral-sh/setup-uv: SHA updated from v7 to v8.0.0

Dogfooding infrastructure
- `.github/scripts/`: Seeded from current `scripts/` — these are the scripts template-ci.yml uses
- auto-release.yml: Auto-creates a patch release when `scripts/` changes land on main
- self-update.yml: Nightly check downloads released scripts into `.github/scripts/` and opens a PR
- template-ci.yml and composite action: Updated to reference `.github/scripts/`

How the dogfood loop works
1. `scripts/` → merges to main
2. auto-release.yml creates a new patch release
3. self-update.yml detects the release → downloads scripts to `.github/scripts/` → opens PR

This ensures the template validates itself with the same artifacts it ships to downstream repos.

What remains blocked
- dependency-review-action: Node.js 20 deprecation (no newer SHA available)
- sync-downstream.yml: UNVERIFIED-LIVE-RUN-REQUIRED
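A check in the spirit of this pin audit, added here as an example and not part of the template repo's own scripts: it scans the `uses:` lines of a workflow and reports any action that is not pinned to a full commit SHA, or whose SHA pin lacks the `# vX.Y.Z` comment that makes the pin auditable against upstream releases. The sample workflow text and its SHAs are constructed placeholders, not real pins.

```python
import re

# Matches `uses: owner/repo[/path]@ref  # optional version comment`, both as a
# step (`- uses:`) and as a job-level reusable-workflow reference (`uses:`).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")          # full commit SHA, not a short one
TAG_RE = re.compile(r"v\d+(\.\d+){0,2}")       # e.g. v6.2.0 or v8


def check_uses(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, uses_ref, problem) for every unpinned or undocumented
    action reference. An empty list means the workflow passes the audit."""
    findings: list[tuple[int, str, str]] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), (m.group("comment") or "").strip()
        # Local composite actions and docker:// refs have no upstream tag to pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "missing @ref"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.fullmatch(version):
            # A tag or branch can be moved upstream; only a SHA is immutable.
            findings.append((line_no, ref, "not pinned to a full commit SHA"))
        elif not TAG_RE.fullmatch(comment):
            # Without the tag comment nobody can tell which release the SHA is.
            findings.append((line_no, ref, "SHA pin lacks a version comment"))
    return findings


# Constructed sample: one good pin, one tag pin, one SHA without comment, one local action.
SAMPLE_WORKFLOW = """\
jobs:
  qa:
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: astral-sh/setup-uv@2222222222222222222222222222222222222222
      - uses: ./.github/actions/setup
"""

if __name__ == "__main__":
    for line_no, ref, problem in check_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {problem}")
```

Run against `.github/workflows/*.yml` in CI and fail the job on a non-empty result to keep the pins from drifting back to mutable tags.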