…5.8 (#922) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Thomas Schmelzer <thomas.schmelzer@gmail.com>
#925) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Thomas Schmelzer <thomas.schmelzer@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…a to v0.37.1 (#923) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Update uv version and CI configuration for multiple OS: Updated the version of 'uv' to 0.11.2 and modified the CI configuration to support multiple OS environments. Signed-off-by: Thomas Schmelzer <thomas.schmelzer@gmail.com>
* ci: add windows-latest to test matrix Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
--------- Signed-off-by: Thomas Schmelzer <thomas.schmelzer@gmail.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* Initial plan
* feat: exclude recipe/meta.yaml from check-yaml pre-commit hook Agent-Logs-Url: https://github.com/Jebel-Quant/rhiza/sessions/8878e3cd-5e8f-4fa3-900d-f982d2b10c1e Co-authored-by: tschm <2046079+tschm@users.noreply.github.com>
--------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tschm <2046079+tschm@users.noreply.github.com>

* Initial plan
* feat: add rhiza_link_check.yml workflow for README link validation Co-authored-by: tschm <2046079+tschm@users.noreply.github.com> Agent-Logs-Url: https://github.com/Jebel-Quant/rhiza/sessions/6368d0b0-6f68-44fd-98b5-69ec6e3c05ce
* fix: override security target to ignore CVE-2026-4539 (pygments, no fix available) Co-authored-by: tschm <2046079+tschm@users.noreply.github.com> Agent-Logs-Url: https://github.com/Jebel-Quant/rhiza/sessions/e4ab7930-2fd3-476d-921b-51925a0a5644
--------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tschm <2046079+tschm@users.noreply.github.com> Co-authored-by: Thomas Schmelzer <thomas.schmelzer@gmail.com>

Signed-off-by: Thomas Schmelzer <thomas.schmelzer@gmail.com>

…scanning (#914)
* Initial plan
* feat: add license make target to quality.mk for license compliance scanning Agent-Logs-Url: https://github.com/Jebel-Quant/rhiza/sessions/bdf9ab08-8cb0-4fbd-8650-c27028fe69af Co-authored-by: tschm <2046079+tschm@users.noreply.github.com>
--------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tschm <2046079+tschm@users.noreply.github.com> Co-authored-by: Thomas Schmelzer <thomas.schmelzer@gmail.com>
Pull request overview
This PR prepares the 0.8.17 release by updating the repo’s tooling versions and CI workflows, expanding CI to multiple OSes, and adding a scheduled README link-check workflow.
Changes:
- Bump `uv` (and related pre-commit tool versions) across CI/workflows and hooks.
- Expand CI test matrix to run on Ubuntu/macOS/Windows and tighten coverage upload conditions.
- Add a new README link-check workflow (Lychee) and add a `make security` override to ignore a specific CVE.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Makefile | Adds a repo-owned security target overriding template behavior to ignore CVE-2026-4539 during pip-audit. |
| .rhiza/tests/integration/test_marimushka.py | Removes the marimushka integration test file. |
| .pre-commit-config.yaml | Updates ruff/check-jsonschema/uv hook revisions and excludes recipe/meta.yaml from check-yaml. |
| .github/workflows/rhiza_validate.yml | Bumps uv version used in validation workflow. |
| .github/workflows/rhiza_typecheck.yml | Bumps uv version used in typecheck workflow. |
| .github/workflows/rhiza_semgrep.yml | Bumps uv version used in Semgrep workflow. |
| .github/workflows/rhiza_security.yml | Bumps uv version used in security workflow (which runs make security). |
| .github/workflows/rhiza_release.yml | Bumps uv version used in release workflow. |
| .github/workflows/rhiza_pip_audit.yml | Bumps uv version used in the weekly pip-audit workflow. |
| .github/workflows/rhiza_marimo.yml | Bumps uv version used in marimo workflow. |
| .github/workflows/rhiza_link_check.yml | Adds new Lychee-based workflow to validate README.md links on push/PR/schedule. |
| .github/workflows/rhiza_license.yml | Bumps uv version used in license workflow. |
| .github/workflows/rhiza_deptry.yml | Bumps uv version used in deptry workflow. |
| .github/workflows/rhiza_dep_compat_test.yml | Bumps uv version used in dependency-compat workflow. |
| .github/workflows/rhiza_ci.yml | Bumps uv and expands test job to an OS matrix (Ubuntu/macOS/Windows). |
| .github/workflows/rhiza_book.yml | Bumps uv and updates actions/deploy-pages version. |
| .github/workflows/rhiza_benchmarks.yml | Bumps uv version used in benchmarks workflow. |
| .github/workflows/copilot-setup-steps.yml | Bumps uv version used in Copilot setup workflow. |
Makefile
| # Override pip-audit to ignore CVE-2026-4539 (pygments ReDoS, no fix available yet) | ||
| .PHONY: security | ||
| security: install ## run security scans (pip-audit and bandit) | ||
| @printf "${BLUE}[INFO] Running pip-audit for dependency vulnerabilities...${RESET}\n" | ||
| @${UVX_BIN} pip-audit --ignore-vuln CVE-2026-4539 | ||
| @printf "${BLUE}[INFO] Running bandit security scan...${RESET}\n" | ||
| @${UVX_BIN} bandit -r ${SOURCE_FOLDER} -ll -q -c pyproject.toml |
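Review bot: the suppression on the `@${UVX_BIN} pip-audit --ignore-vuln CVE-2026-4539` line is hard-coded into the recipe with no stated removal condition, so it will silently outlive the pygments fix the comment above it says is pending. Suggest holding the ignore list in a variable such as `PIP_AUDIT_IGNORE ?= CVE-2026-4539` and putting the removal trigger ("drop once a patched pygments release is available") in the comment next to it, so the exception lives in one visible place and is easy to retire. Also worth noting for readers of this target: `bandit -r ${SOURCE_FOLDER} -ll -q` reports only medium-and-higher severity findings and suppresses normal output, so low-severity results will not show up in the CI log.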
This redefines the existing security target that already comes from .rhiza/make.d/test.mk, which will cause GNU Make “overriding recipe for target 'security'” warnings and makes it unclear which implementation is authoritative. Prefer updating the upstream security recipe to accept an ignore list (e.g., via a variable like PIP_AUDIT_ARGS) rather than overriding the whole target in the repo-owned Makefile.
| strategy: | ||
| matrix: | ||
| python-version: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} | ||
| os: [ubuntu-latest, macos-latest, windows-latest] |
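Review bot: with `python-version` taken from `fromJson(needs.generate-matrix.outputs.matrix)` and three `os` values, the matrix is the full product of both lists, and with the default `fail-fast` behaviour a single failing OS/Python cell cancels the remaining cells, which hides whether the other platforms would have passed. Suggest adding `fail-fast: false` under `strategy:` while the Windows leg is being stabilised, so one platform's failure does not mask results for the others.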
The test job now runs on windows-latest, but the workflow still runs make test with the default shell (PowerShell on Windows). This will likely fail because make and the Makefile recipes assume a POSIX shell/tools (sh, rm, find, etc.). Consider setting defaults.run.shell: bash for the job and installing a GNU make + coreutils environment on Windows (e.g., via MSYS2), or excluding Windows until the toolchain is provisioned.
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| os: [ubuntu-latest, macos-latest] |
| version: "0.11.2" | ||
|
|
||
| - name: Run pip-audit | ||
| run: uvx pip-audit |
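Review bot: `run: uvx pip-audit` resolves whichever pip-audit release is current at run time, while `uv` itself is pinned to `version: "0.11.2"` a few lines above; a scheduled job whose result is used as a security signal should pin the scanner too (e.g. `uvx pip-audit==<pinned version>`, placeholder) so findings are reproducible across runs and a broken or tampered new release cannot change what the job reports. The same applies to the `${UVX_BIN} pip-audit` invocation in the Makefile.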
make security now ignores CVE-2026-4539 due to no available fix, but this scheduled workflow still runs uvx pip-audit without that ignore. That will keep the weekly job failing/noisy until the CVE is resolved. Align this workflow with the Makefile (add --ignore-vuln CVE-2026-4539, or invoke a dedicated Make target that applies the ignore list).
| run: uvx pip-audit | |
| run: uvx pip-audit --ignore-vuln CVE-2026-4539 |
|
|
||
| on: | ||
| push: | ||
| branches: [main] |
This workflow’s push trigger is limited to branches: [main], but other Rhiza workflows consistently support both main and master (e.g., .github/workflows/rhiza_validate.yml:7-10, .github/workflows/rhiza_ci.yml:17-20). Consider changing this to branches: [ main, master ] for consistency and compatibility with repos still using master.
| branches: [main] | |
| branches: [ main, master ] |
* refactor: move .semgrep.yml to .rhiza/semgrep.yml Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add paper, presentations, and devcontainer docs from main Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: delete REPOSITORY_ANALYSIS.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor: consolidate CI workflows from main Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: sync .pre-commit-config.yaml and GitLab CI from origin/main Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: remove deprecated `.claude/plan.md` and `.claude/quality.md` files
* chore: sync .gitlab/README.md from origin/main Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Chore: bump version 0.8.17 → 0.8.18
* chore: update template-bundles.yml to replace deprecated workflows wi… (#959)
* chore: update template-bundles.yml to replace deprecated workflows with `rhiza_quality.yml`
* chore: simplify CI trigger by removing branch restrictions
* chore: remove branch restrictions from GitHub Actions triggers
* fix: update broken markdown links to correct file paths Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* paper.mk
* chore: remove `--exclude-mail` flag from link checker configuration
* chore: remove branch restrictions from `rhiza_validate.yml` trigger
* chore: update `.rhiza/template-bundles.yml` to replace outdated workflow references with `.rhiza/semgrep.yml`
* chore: remove `rhiza_pip_audit.yml` from template-bundles.yml
* chore: remove `rhiza_security.yml` from template-bundles.yml
* chore: remove event-based restrictions from `rhiza_validate.yml` triggers
* chore: consolidate `license` and `semgrep` checks into `rhiza_validate.yml` and remove standalone workflows
* feat: add GitLab CI workflows for link checking and paper compilation Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Chore: bump version 0.8.18 → 0.8.19
--------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
--------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>