add Python CI quality gates, sign release tags, and bump to v0.6.2 #38
Merged
shellcheck gated the shell scripts, but the primary language (Python) had no linter, security scanner, or coverage in CI, and the ASCII-only / no-em-dash constraint went unenforced (the byte-class grep in CONTRIBUTING never matched em-dashes). This adds four CI jobs and tightens release hygiene.
- ruff: ruff check lib tests bench.
- bandit: bandit -c pyproject.toml -r lib; skips mirror the accepted ruff S ignores, with one fixed-URL urlopen suppressed inline via nosec B310.
- coverage: statement coverage gated at 65% (Silver target 80%), measuring the subprocess-run hooks and daemon via COVERAGE_PROCESS_START plus coverage combine (an in-process run undercounts at 59% against the true 67%).
- ascii: git grep over tracked files, excluding the three intentional unicode test fixtures; swept pre-existing em-dashes out of lib, docs, and bench.
Release tags are now GPG-signed (git tag -s, user.signingkey set). Also adds a test-policy statement, a README bug-reporting pointer, and bandit plus coverage to the dev group. Bumps to v0.6.2 and realigns lib/__init__.py (it had drifted to 0.6.0). Closes the OpenSSF passing-badge gaps (static_analysis, warnings, test_policy) and pre-stages the Silver test_statement_coverage80 and signed_releases items. No runtime behavior change.
c196d42 to 0a2be6a
Summary
Closes the Python static-analysis gap in CI: `shellcheck` linted the shell scripts, but nothing linted, security-scanned, or coverage-measured the primary language (Python). Adds `ruff`, `bandit`, `coverage`, and `ascii` CI jobs, signs release tags, and bumps the version to v0.6.2.

What changed

CI jobs (`.github/workflows/ci.yml`)
- `ruff` - runs `ruff check lib tests bench`.
- `bandit` - runs `bandit -c pyproject.toml -r lib`; `[tool.bandit]` skips mirror the already-accepted ruff `S` ignores. The one Medium finding (a fixed-URL `urlopen` in `update_check.py`) is suppressed inline with `# nosec B310`, not globally.
- `coverage` - statement coverage gated at 65% (Silver target is 80%). The hooks and daemon run as subprocesses, so the job sets up `COVERAGE_PROCESS_START` + a `.pth` and `coverage combine` to measure them (an in-process run undercounts: it read 59% while the true figure is 67%).
- `ascii` - `git grep -P '[^\x00-\x7F]'` excluding the three intentional unicode test fixtures.

ASCII sweep
- `lib/_common.py`, `lib/doctor.py`, `lib/hook_session_start.py`, `lib/update_check.py`, `docs/positioning.md`, and `bench/HISTORY.md` (plus `->` / `x` for the arrow and multiplication glyphs in HISTORY). The byte-class grep documented in CONTRIBUTING never actually matched em-dashes; corrected that note to the reliable `[^\x00-\x7F]` form.

Release hygiene
- `user.signingkey` is set, and the CONTRIBUTING release flow uses `git tag -s` (with the GitHub "Verified" prerequisites noted). Pre-stages the Silver `signed_releases` item. `release.yml` is unchanged - it only reacts to a pushed tag.

Docs / config
- `bandit` and `coverage` added to the dev dependency group; bandit added to the local pre-PR checks, coverage reproduction documented.

Version
- `.claude-plugin/plugin.json` and `lib/__init__.py` (the latter had drifted to 0.6.0), with a CHANGELOG entry and regenerated `MANIFEST.lock`.

Together these close the remaining OpenSSF Best Practices passing-badge gaps (`static_analysis`, `warnings`, `test_policy`) and pre-stage two Silver items (`test_statement_coverage80`, `signed_releases`). The badge itself is a separate maintainer registration step.

No runtime behavior change: the only `lib` edits are comments/docstrings, one `nosec`, and the version string.
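As an added example (not code from the PR or the project), the following reproduces the `ascii` gate in Python: the old byte-class style of pattern beside the corrected `[^\x00-\x7F]` form, run over constructed file contents, with a constructed fixture path standing in for the excluded unicode fixtures.

```python
import re

# Constructed stand-ins for tracked repository files (not the project's real content).
SAMPLE_FILES = {
    "lib/_common.py": "x = 1  # an em-dash \u2014 and a multiplication sign \u00d7\n",
    "bench/HISTORY.md": "v0.6.1 -> v0.6.2, 3x faster\n",
    "tests/fixtures/unicode_sample.txt": "intentional non-ASCII: \u00e9\u00e8\n",
}

# Constructed path for an intentional unicode fixture that the gate must skip.
ALLOWED_FIXTURES = {"tests/fixtures/unicode_sample.txt"}

# The old byte-class style of check. Applied to decoded text (as PCRE does in a
# UTF-8 locale), \x80-\xff covers code points U+0080..U+00FF only, so the
# em-dash (U+2014) slips through while the multiplication sign (U+00D7) does not.
BYTE_CLASS_PATTERN = re.compile(r"[\x80-\xff]")

# The corrected form from the PR: anything outside 7-bit ASCII.
NON_ASCII_PATTERN = re.compile(r"[^\x00-\x7f]")


def find_non_ascii(text, pattern=NON_ASCII_PATTERN):
    """Return (line_no, col, char) for every character `pattern` matches."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in pattern.finditer(line):
            hits.append((line_no, match.start() + 1, match.group()))
    return hits


def ascii_gate(files, allowed=ALLOWED_FIXTURES, pattern=NON_ASCII_PATTERN):
    """Map each offending path to its hits; paths in `allowed` are skipped."""
    violations = {}
    for path, text in files.items():
        if path in allowed:
            continue
        hits = find_non_ascii(text, pattern)
        if hits:
            violations[path] = hits
    return violations


if __name__ == "__main__":
    # Run both patterns so the false negative of the byte-class form is visible.
    for label, pattern in (("byte-class", BYTE_CLASS_PATTERN), ("corrected", NON_ASCII_PATTERN)):
        for path, hits in ascii_gate(SAMPLE_FILES, pattern=pattern).items():
            for line_no, col, char in hits:
                print(f"{label}: {path}:{line_no}:{col}: U+{ord(char):04X}")
    raise SystemExit(1 if ascii_gate(SAMPLE_FILES) else 0)
```

Run as a script it exits non-zero when any non-fixture file contains a non-ASCII character, which is the behaviour a CI job needs.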