diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 64b62cd..5ee0fe9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,3 +17,15 @@ updates: - "*" schedule: interval: weekly + + - package-ecosystem: pre-commit + cooldown: + default-days: 7 + directories: + - "{{cookiecutter.project_slug}}" + groups: + pre-commit: + patterns: + - "*" + schedule: + interval: weekly
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 75f799e..432d482 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -39,8 +39,10 @@ jobs: git diff --exit-code || { >&2 echo "please format"; exit 1; } + uv run prek run --all-files make lint make test + make audit make build make doc cd .. && rm -rf /tmp/python-project
@@ -57,8 +59,10 @@ jobs: git diff --exit-code || { >&2 echo "please format"; exit 1; } + uv run prek run --all-files make lint make test + make audit make build make doc cd .. && rm -rf /tmp/python-project
@@ -75,8 +79,10 @@ jobs: git diff --exit-code || { >&2 echo "please format"; exit 1; } + uv run prek run --all-files make lint make test + make audit make build make doc cd .. && rm -rf /tmp/tob-r-and-e-python-project
@@ -93,8 +99,10 @@ jobs: git diff --exit-code || { >&2 echo "please format"; exit 1; } + uv run prek run --all-files make lint make test + make audit make build make doc cd .. && rm -rf /tmp/bit-trails
@@ -112,8 +120,10 @@ jobs: git diff --exit-code || { >&2 echo "please format"; exit 1; } + uv run prek run --all-files make lint make test + make audit make build make doc cd .. && rm -rf /tmp/python-project
diff --git a/{{cookiecutter.project_slug}}/.github/dependabot.yml b/{{cookiecutter.project_slug}}/.github/dependabot.yml
index 043ccaa..5fdc03d 100644
--- a/{{cookiecutter.project_slug}}/.github/dependabot.yml
+++ b/{{cookiecutter.project_slug}}/.github/dependabot.yml
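Review bot: The new `pre-commit` entry will be updating a config whose `rev` values are full commit SHAs with `# frozen: vX.Y.Z` trailers (see the `.pre-commit-config.yaml` hunk later in this diff); confirm that Dependabot's pre-commit updater keeps that SHA-pinned form and the trailer rather than rewriting `rev` to a tag, since a tag can be moved while a commit SHA cannot, and the pins are the point of the freeze. A short comment on the entry, e.g. `# hooks are SHA-pinned (# frozen: ...); update PRs must keep the full SHA`, records that expectation for whoever reviews the update PRs. The same entry, with `directories: - /`, is added to the generated project's dependabot.yml in the next hunk and the same check applies there.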
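Review bot: `make audit` runs `pip-audit`, which consults an advisory service (PyPI's vulnerability data by default) at run time, so from this change on a newly published advisory for any package it resolves will turn all five matrix jobs red without any change in this repository, and a missing network path to that service fails the step the same way. That is acceptable for a vulnerability gate, but it is worth a line above the step, e.g. `# make audit fails on newly published advisories: fix/pin the dependency, or use pip-audit --ignore-vuln with a recorded reason, rather than removing the step`, so a red run is triaged rather than reverted. The same two lines are added in the four following hunks (`@@ -57`, `@@ -75`, `@@ -93`, `@@ -112`). The job these steps belong to starts outside the hunk.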
@@ -22,3 +22,15 @@ updates: - "*" schedule: interval: daily + + - package-ecosystem: pre-commit + cooldown: + default-days: 7 + directories: + - / + groups: + pre-commit: + patterns: + - "*" + schedule: + interval: daily
diff --git a/{{cookiecutter.project_slug}}/.github/workflows/tests.yml b/{{cookiecutter.project_slug}}/.github/workflows/tests.yml
index 3e6dd62..873094f 100644
--- a/{{cookiecutter.project_slug}}/.github/workflows/tests.yml
+++ b/{{cookiecutter.project_slug}}/.github/workflows/tests.yml
@@ -13,7 +13,6 @@ jobs: strategy: matrix: python: - - "3.10" - "3.11" - "3.12" - "3.13"
diff --git a/{{cookiecutter.project_slug}}/.pre-commit-config.yaml b/{{cookiecutter.project_slug}}/.pre-commit-config.yaml
index 2defcdc..d1900ca 100644
--- a/{{cookiecutter.project_slug}}/.pre-commit-config.yaml
+++ b/{{cookiecutter.project_slug}}/.pre-commit-config.yaml
@@ -1,5 +1,8 @@ # Pre-commit hooks for code quality # Uses prek (https://github.com/j178/prek) - a faster pre-commit alternative +default_language_version: + python: python3.11 + repos: - repo: builtin hooks:
@@ -10,6 +13,26 @@ repos: - id: check-merge-conflict - id: detect-private-key + # Shell script linting + - repo: https://github.com/koalaman/shellcheck-precommit + rev: 99470f5e12208ff0fb17ab81c3c494f7620a1d8d # frozen: v0.11.0 + hooks: + - id: shellcheck + args: [--severity=error] + + # GitHub Actions linting + - repo: https://github.com/rhysd/actionlint + rev: 0933c147c9d6587653d45fdcb4c497c57a65f9af # frozen: v1.7.10 + hooks: + - id: actionlint + + # GitHub Actions security audit + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f # frozen: v1.22.0 + hooks: + - id: zizmor + args: [--persona=regular, --min-severity=medium, --min-confidence=medium] + - repo: local hooks: - id: format
diff --git a/{{cookiecutter.project_slug}}/Makefile b/{{cookiecutter.project_slug}}/Makefile
index 28f0ce2..2ec2b42 100644
--- a/{{cookiecutter.project_slug}}/Makefile 
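Review bot: `args: [--severity=error]` on the new shellcheck hook suppresses every finding below error, which as far as I recall includes the unquoted-expansion checks (SC2046/SC2086 are warning/info level in shellcheck's classification) that catch the word-splitting and globbing bugs most relevant to scripts handling external input; `args: [--severity=warning]` keeps those while still dropping style notes. Separately, the SHA pin on `rev` fixes only the hook definition: this hook is, if I remember the upstream repo correctly, a `docker_image` hook that pulls `koalaman/shellcheck` from Docker Hub by tag at run time, so it needs Docker wherever `prek` runs and the image itself is not pinned by digest, which is worth a comment above the entry, e.g. `# docker_image hook: needs Docker; the image is pulled by tag, not by digest`. The actionlint and zizmor entries are pinned the same way and need no change. The first hunk of this file (`default_language_version`) raises nothing.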
+++ b/{{cookiecutter.project_slug}}/Makefile
@@ -52,6 +52,11 @@ test: uv run pytest -svv --timeout=300 --cov=$(PY_IMPORT) $(T) $(TEST_ARGS) uv run coverage report -m $(COV_ARGS) +.PHONY: audit +audit: + uv sync --group audit + uv run pip-audit . + .PHONY: doc {%- if cookiecutter.documentation == 'pdoc' %} doc:
diff --git a/{{cookiecutter.project_slug}}/pyproject.toml b/{{cookiecutter.project_slug}}/pyproject.toml
index d287159..b29a0d5 100644
--- a/{{cookiecutter.project_slug}}/pyproject.toml
+++ b/{{cookiecutter.project_slug}}/pyproject.toml
@@ -19,7 +19,7 @@ classifiers = [ "Programming Language :: Python :: 3", ] dependencies = [] -requires-python = ">=3.10" +requires-python = ">=3.11" [build-system] requires = ["uv_build>=0.9.0,<0.10.0"]
@@ -41,10 +41,12 @@ lint = [ "interrogate", {%- endif %} ] +audit = ["pip-audit"] dev = [ {include-group = "doc"}, {include-group = "test"}, {include-group = "lint"}, + {include-group = "audit"}, "prek", ]
@@ -60,25 +62,35 @@ Issues = "https://github.com/{{ cookiecutter.github_username }}/{{ cookiecutter. Source = "https://github.com/{{ cookiecutter.github_username }}/{{ cookiecutter.project_slug }}" [tool.coverage.run] +branch = true # don't attempt code coverage for the CLI entrypoints omit = ["{{ cookiecutter.__project_src_path }}/_cli.py"] +[tool.coverage.report] +exclude_lines = [ + "pragma: no cover", + "if TYPE_CHECKING:", + "if __name__ == .__main__.:", +] + [tool.ty.terminal] error-on-warning = true [tool.ty.environment] -python-version = "3.10" +python-version = "3.11" [tool.ty.src] include = ["src", "test"] [tool.ruff] line-length = 100 -target-version = "py310" +target-version = "py311" +src = ["src"] [tool.ruff.format] line-ending = "lf" quote-style = "double" +docstring-code-format = true [tool.ruff.lint] select = ["ALL"]
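Review bot: `uv run pip-audit .` audits the dependencies the project declares in pyproject.toml, which for a freshly generated project is `dependencies = []`, so the tools that `uv sync` installs from the `dev`/`lint`/`test` groups and that actually execute in CI are, as I read pip-audit's project mode, not covered; if the intent is to audit the environment the project runs in, the environment form `uv run pip-audit` (no path) is the one-line change. Also confirm the project-path form works inside a uv-managed virtualenv: pip-audit resolves a local project through pip, and uv does not install pip into the venv by default, so the target may fail before auditing anything. Either way a comment above the target stating which set is audited, e.g. `# audits the project's declared runtime dependencies only (see pip-audit docs for the environment form)`, keeps the scope explicit. The `audit` group this target syncs is defined in the pyproject.toml hunk that follows.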
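Review bot: `exclude_lines` under `[tool.coverage.report]` replaces coverage.py's default exclusion list rather than extending it, which is why `"pragma: no cover"` has to be re-listed here; a one-line comment above the array, e.g. `# replaces coverage's default list, so "pragma: no cover" must stay`, stops the next maintainer from removing it as redundant. If the intent was only to add the two extra patterns, coverage's `exclude_also` setting extends the defaults without restating them. The `requires-python` and `audit` group hunks earlier in this file raise nothing.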