chore: Sync with rhiza

.devcontainer/devcontainer.json

@@ -5,19 +5,20 @@
         "cpus": 4
     },
     "features": {
-        "ghcr.io/devcontainers/features/common-utils:2": {},
-        "ghcr.io/devcontainers/features/git:1": {},
         "ghcr.io/devcontainers/features/github-cli:1": {},
-        "ghcr.io/devcontainers/features/copilot-cli:1": {}
+        "ghcr.io/devcontainers/features/copilot-cli:1": {},
+        "ghcr.io/devcontainers/features/node:1": {},
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {
+            "moby": false
+        }
     },
     "mounts": [
         "source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached"
     ],
     "containerEnv": {
-        "SSH_AUTH_SOCK": "${localEnv:SSH_AUTH_SOCK}",
         "INSTALL_DIR": "/home/vscode/.local/bin"
     },
-    "forwardPorts": [8080],
+    "forwardPorts": [8080, 2718],
     "customizations": {
         "vscode": {
             "settings": {
@@ -43,7 +44,8 @@
                 "ms-vscode.makefile-tools",
                 // AI Assistance
                 "github.copilot-chat",
-                "github.copilot"
+                "github.copilot",
+                "anthropic.claude-code"
             ]
         }
     },

.github/actions/configure-git-auth/README.md

@@ -0,0 +1,80 @@
+# Configure Git Auth for Private Packages
+
+This composite action configures git to use token authentication for private GitHub packages.
+
+## Usage
+
+Add this step before installing dependencies that include private GitHub packages:
+
+```yaml
+- name: Configure git auth for private packages
+  uses: ./.github/actions/configure-git-auth
+  with:
+    token: ${{ secrets.GH_PAT }}
+```
+
+The `GH_PAT` secret should be a Personal Access Token with `repo` scope.
+
+## What It Does
+
+This action runs:
+
+```bash
+git config --global url."https://<token>@github.com/".insteadOf "https://github.com/"
+```
+
+This tells git to automatically inject the token into all HTTPS GitHub URLs, enabling access to private repositories.
+
+## When to Use
+
+Use this action when your project has dependencies defined in `pyproject.toml` like:
+
+```toml
+[tool.uv.sources]
+private-package = { git = "https://github.com/your-org/private-package.git", rev = "v1.0.0" }
+```
+
+## Token Requirements
+
+By default, this action will use the workflow’s built-in `GITHUB_TOKEN` (`github.token`) if no `token` input is provided or if the provided value is empty (it uses `inputs.token || github.token` internally).
+
+The `GITHUB_TOKEN` is usually sufficient when:
+
+- installing dependencies hosted in the **same repository** as the workflow, or
+- accessing **public** repositories.
+
+The default `GITHUB_TOKEN` typically does **not** have permission to read other private repositories, even within the same organization. For that scenario, you should create a Personal Access Token (PAT) with `repo` scope and store it as `secrets.GH_PAT`, then pass it to the action via the `token` input.
+
+If you configure the step as in the example (`token: ${{ secrets.GH_PAT }}`) and `secrets.GH_PAT` is not defined, GitHub Actions passes an empty string to the action. The composite action then falls back to `github.token`, so the configuration step itself still succeeds. However, any subsequent step that tries to access private repositories that are not covered by the permissions of `GITHUB_TOKEN` will fail with an authentication error.
+## Example Workflow
+
+```yaml
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Install dependencies
+        run: uv sync --frozen
+
+      - name: Run tests
+        run: uv run pytest
+```
+
+## See Also
+
+- [PRIVATE_PACKAGES.md](../../../.rhiza/docs/PRIVATE_PACKAGES.md) - Complete guide to using private packages
+- [TOKEN_SETUP.md](../../../.rhiza/docs/TOKEN_SETUP.md) - Setting up Personal Access Tokens

.github/actions/configure-git-auth/action.yml

@@ -0,0 +1,21 @@
+name: 'Configure Git Auth for Private Packages'
+description: 'Configure git to use token authentication for private GitHub packages'
+
+inputs:
+  token:
+    description: 'GitHub token to use for authentication'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Configure git authentication
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token || github.token }}
+      run: |
+        # Configure git to use token authentication for GitHub URLs
+        # This allows uv/pip to install private packages from GitHub
+        git config --global url."https://${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+
+        echo "✓ Git configured to use token authentication for GitHub"

.github/workflows/rhiza_benchmarks.yml

@@ -13,7 +13,7 @@
 #   - PRs will show a warning comment but not fail
 #   - Main branch updates the baseline for future comparisons
 
-name: (RHIZA) Benchmarks
+name: "(RHIZA) BENCHMARKS"
 
 permissions:
   contents: write
@@ -32,24 +32,28 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2
         with:
           lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.26"
-          python-version: "3.12"
+          version: "0.10.0"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       - name: Run benchmarks
         env:
-          UV_EXTRA_INDEX_URL: ${{ secrets.uv-extra-index-url }}
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
         run: |
           make benchmark
 
       - name: Upload benchmark results
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v6.0.0
         if: always()
         with:
           name: benchmark-results

.github/workflows/rhiza_book.yml

@@ -36,33 +36,38 @@ jobs:
 
     steps:
       # Check out the repository code
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.26"
+          version: "0.10.0"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       - name: "Sync the virtual environment for ${{ github.repository }}"
         shell: bash
         env:
-          UV_EXTRA_INDEX_URL: ${{ secrets.uv-extra-index-url }}
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
         run: |
           # will just use .python-version?
           uv sync --all-extras --all-groups --frozen
 
       - name: "Make the book"
         env:
-          UV_EXTRA_INDEX_URL: ${{ secrets.uv-extra-index-url }}
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
         run: |
-          make -f .rhiza/rhiza.mk book
+          make book
 
       # Step 5: Package all artifacts for GitHub Pages deployment
       # This prepares the combined outputs for deployment by creating a single artifact
       - name: Upload static files as artifact
-        uses: actions/upload-pages-artifact@v4  # Official GitHub Pages artifact upload action
+        uses: actions/upload-pages-artifact@v4.0.0  # Official GitHub Pages artifact upload action
         with:
           path: _book/  # Path to the directory containing all artifacts to deploy
 
@@ -73,5 +78,5 @@ jobs:
       # If PUBLISH_COMPANION_BOOK is not set, it defaults to allowing deployment
       - name: Deploy to GitHub Pages
         if: ${{ !github.event.repository.fork && (vars.PUBLISH_COMPANION_BOOK == 'true' || vars.PUBLISH_COMPANION_BOOK == '') }}
-        uses: actions/deploy-pages@v4  # Official GitHub Pages deployment action
+        uses: actions/deploy-pages@v4.0.5  # Official GitHub Pages deployment action
         continue-on-error: true