Commit 67a3c49

feat: production-grade OSS foundation
- CLI: Typer/Rich entry point, working console script, JSON output fixes
- Packaging: SPDX license, dependency groups (dev/security/ai/all), build isolation
- CI/CD: multi-Python matrix, Ruff, Mypy, pytest, Bandit, CodeQL, OSSF Scorecard, dependency review, Dependabot, release workflow (PyPI + GitHub)
- Governance: CHANGELOG, ROADMAP, GOVERNANCE, SUPPORT, RELEASE_PROCESS, QUALITY_MODEL
- Security: redacted JSON output, Bandit integration, secret redaction
- Provider system: OpenAI/Anthropic examples, protocol-based extension
- Tests: 25 tests (12 module + 13 CLI), all passing
- Docs: BEGINNER.md learning path, corrected README deps, COMMANDS/ARCHITECTURE
- Logging: silent by default, verbose opt-in
- Quality gates: ruff, format, mypy strict, pytest, build, twine check all pass
1 parent 360f3c3 commit 67a3c49

36 files changed

Lines changed: 1443 additions & 377 deletions

.github/dependabot.yml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: "pip"
4+
directory: "/"
5+
schedule:
6+
interval: "weekly"
7+
open-pull-requests-limit: 5
8+
9+
- package-ecosystem: "github-actions"
10+
directory: "/"
11+
schedule:
12+
interval: "weekly"
13+
open-pull-requests-limit: 5
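Review bot: the `pip` and `github-actions` blocks cover `pyproject.toml` and the `uses:` lines in `.github/workflows/`, but the hook pins introduced in `.pre-commit-config.yaml` in this same commit (`rev: v0.6.0`, `rev: v1.11.0`, `rev: 1.7.7`, `rev: v4.6.0`) are not a Dependabot ecosystem and will drift while the other two stay current; add `pre-commit autoupdate` to RELEASE_PROCESS or a scheduled job so the local gate does not lag the CI gate.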

.github/workflows/ci.yml

Lines changed: 71 additions & 4 deletions
@@ -12,7 +12,7 @@ jobs:
1212
runs-on: ubuntu-latest
1313
strategy:
1414
matrix:
15-
python-version: ["3.10", "3.11", "3.12"]
15+
python-version: ["3.10", "3.11", "3.12", "3.13"]
1616

1717
steps:
1818
- name: Checkout Code
@@ -32,8 +32,75 @@ jobs:
3232
- name: Run Ruff Linter
3333
run: ruff check .
3434

35+
- name: Run Ruff Format Check
36+
run: ruff format --check .
37+
3538
- name: Run Mypy Type Checker
36-
run: mypy src
39+
run: |
40+
cd src
41+
mypy wintersolve
42+
43+
- name: Run Tests with Coverage
44+
run: pytest --cov=wintersolve --cov-report=xml
45+
46+
- name: Upload Coverage
47+
uses: codecov/codecov-action@v4
48+
with:
49+
files: ./coverage.xml
50+
fail_ci_if_error: false
51+
52+
security:
53+
name: Security Scan
54+
runs-on: ubuntu-latest
55+
steps:
56+
- name: Checkout Code
57+
uses: actions/checkout@v4
58+
59+
- name: Set up Python
60+
uses: actions/setup-python@v5
61+
with:
62+
python-version: "3.12"
63+
cache: "pip"
64+
65+
- name: Install Dependencies
66+
run: |
67+
python -m pip install --upgrade pip
68+
pip install -e .[security]
3769
38-
- name: Run Tests
39-
run: pytest
70+
- name: Run Bandit Security Scan
71+
run: bandit -r src/wintersolve -f json -o bandit-report.json || true
72+
73+
- name: Upload Bandit Report
74+
uses: actions/upload-artifact@v4
75+
with:
76+
name: bandit-report
77+
path: bandit-report.json
78+
79+
build:
80+
name: Build Package
81+
runs-on: ubuntu-latest
82+
steps:
83+
- name: Checkout Code
84+
uses: actions/checkout@v4
85+
86+
- name: Set up Python
87+
uses: actions/setup-python@v5
88+
with:
89+
python-version: "3.12"
90+
91+
- name: Install Build Dependencies
92+
run: |
93+
python -m pip install --upgrade pip
94+
pip install build twine
95+
96+
- name: Build Package
97+
run: python -m build
98+
99+
- name: Check Distribution
100+
run: python -m twine check dist/*
101+
102+
- name: Upload Distribution Artifacts
103+
uses: actions/upload-artifact@v4
104+
with:
105+
name: dist
106+
path: dist/
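Review bot: the `|| true` on `bandit -r src/wintersolve -f json -o bandit-report.json || true` means the `Security Scan` job can never fail, so a new high-severity finding only lands in an uploaded artifact that nothing is required to read. Drop `|| true` and gate on severity and confidence (for example a second invocation `bandit -r src/wintersolve -ll -ii` that is allowed to fail the job while the JSON run still produces the artifact), reviewing any `# nosec` suppressions as part of the PR. Also, `Run Tests` became `Run Tests with Coverage` using `pytest --cov=wintersolve`, which requires `pytest-cov` to be installed by the dependency step above this hunk; worth confirming the `dev` group includes it, otherwise pytest rejects the `--cov` option.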

.github/workflows/codeql.yml

Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
name: CodeQL
2+
3+
on:
4+
push:
5+
branches: ["main"]
6+
pull_request:
7+
branches: ["main"]
8+
schedule:
9+
- cron: "22 4 * * 1"
10+
11+
permissions:
12+
contents: read
13+
security-events: write
14+
15+
jobs:
16+
analyze:
17+
name: Analyze Python
18+
runs-on: ubuntu-latest
19+
steps:
20+
- name: Checkout code
21+
uses: actions/checkout@v4
22+
23+
- name: Initialize CodeQL
24+
uses: github/codeql-action/init@v3
25+
with:
26+
languages: python
27+
28+
- name: Perform CodeQL Analysis
29+
uses: github/codeql-action/analyze@v3
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
name: Dependency Review
2+
3+
on:
4+
pull_request:
5+
branches: ["main"]
6+
7+
permissions:
8+
contents: read
9+
pull-requests: read
10+
11+
jobs:
12+
dependency-review:
13+
name: Dependency Review
14+
runs-on: ubuntu-latest
15+
steps:
16+
- name: Checkout code
17+
uses: actions/checkout@v4
18+
19+
- name: Review dependencies
20+
uses: actions/dependency-review-action@v4
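Review bot: the `Review dependencies` step runs the action with no `with:` block, so it only blocks pull requests that add a dependency with a known advisory (the default `fail-on-severity` is `low`) and enforces no license policy at all; given the commit message's move to an SPDX license, consider setting `fail-on-severity` explicitly and adding `allow-licenses` or `deny-licenses` (or a `config-file`) so license compliance is checked in the same gate as vulnerabilities.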

.github/workflows/release.yml

Lines changed: 74 additions & 0 deletions
@@ -0,0 +1,74 @@
1+
name: Release
2+
3+
on:
4+
push:
5+
tags:
6+
- 'v*'
7+
8+
permissions:
9+
contents: read
10+
id-token: write
11+
12+
jobs:
13+
build:
14+
name: Build distribution
15+
runs-on: ubuntu-latest
16+
steps:
17+
- name: Checkout code
18+
uses: actions/checkout@v4
19+
20+
- name: Set up Python
21+
uses: actions/setup-python@v5
22+
with:
23+
python-version: "3.12"
24+
25+
- name: Install build dependencies
26+
run: |
27+
python -m pip install --upgrade pip
28+
pip install build twine
29+
30+
- name: Build package
31+
run: python -m build
32+
33+
- name: Check distribution
34+
run: python -m twine check dist/*
35+
36+
- name: Upload artifacts
37+
uses: actions/upload-artifact@v4
38+
with:
39+
name: dist
40+
path: dist/
41+
42+
publish:
43+
name: Publish to PyPI
44+
needs: build
45+
runs-on: ubuntu-latest
46+
environment: release
47+
steps:
48+
- name: Download artifacts
49+
uses: actions/download-artifact@v4
50+
with:
51+
name: dist
52+
path: dist/
53+
54+
- name: Publish to PyPI
55+
uses: pypa/gh-action-pypi-publish@release/v1
56+
57+
github-release:
58+
name: Create GitHub Release
59+
needs: publish
60+
runs-on: ubuntu-latest
61+
permissions:
62+
contents: write
63+
steps:
64+
- name: Download artifacts
65+
uses: actions/download-artifact@v4
66+
with:
67+
name: dist
68+
path: dist/
69+
70+
- name: Create Release
71+
uses: softprops/action-gh-release@v2
72+
with:
73+
files: dist/*
74+
generate_release_notes: true
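Review bot: the workflow-level `permissions:` block grants `id-token: write` to every job, but only `publish` needs the OIDC token for `pypa/gh-action-pypi-publish`; `build` runs `python -m build` on checked-out code holding that capability for no reason. Move `id-token: write` into a job-level `permissions:` on `publish` (the way `github-release` already scopes `contents: write`) and leave the top level at `contents: read`. Since any `v*` tag push starts this chain, `environment: release` is the place to require reviewers before the token is minted; that should be configured on the environment, not assumed.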

.github/workflows/scorecard.yml

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
name: OSSF Scorecard
2+
3+
on:
4+
branch_protection_rule:
5+
schedule:
6+
- cron: "30 5 * * 1"
7+
push:
8+
branches: ["main"]
9+
10+
permissions:
11+
contents: read
12+
security-events: write
13+
id-token: write
14+
15+
jobs:
16+
scorecard:
17+
name: Scorecard analysis
18+
runs-on: ubuntu-latest
19+
steps:
20+
- name: Checkout code
21+
uses: actions/checkout@v4
22+
with:
23+
persist-credentials: false
24+
25+
- name: Run Scorecard
26+
uses: ossf/scorecard-action@v2.4.0
27+
with:
28+
results_file: scorecard-results.sarif
29+
results_format: sarif
30+
publish_results: true
31+
32+
- name: Upload SARIF results
33+
uses: github/codeql-action/upload-sarif@v3
34+
with:
35+
sarif_file: scorecard-results.sarif
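Review bot: Scorecard's Pinned-Dependencies check will score this repository down on its first run, because every `uses:` in the workflows added in this commit, including `ossf/scorecard-action@v2.4.0` and `github/codeql-action/upload-sarif@v3`, references a mutable tag rather than a full commit SHA; pin each to a SHA with a trailing `# vX.Y.Z` comment so the `github-actions` Dependabot block can still bump them. The `persist-credentials: false` on checkout and read-only `contents` here are the right defaults and should be copied to the `security` and `build` jobs added to `ci.yml`, which declare no job-level `permissions:`.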

.pre-commit-config.yaml

Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
repos:
2+
- repo: https://github.com/astral-sh/ruff-pre-commit
3+
rev: v0.6.0
4+
hooks:
5+
- id: ruff
6+
args: [--fix, --exit-non-zero-on-fix]
7+
- id: ruff-format
8+
9+
- repo: https://github.com/pre-commit/mirrors-mypy
10+
rev: v1.11.0
11+
hooks:
12+
- id: mypy
13+
additional_dependencies: [types-requests]
14+
15+
- repo: https://github.com/PyCQA/bandit
16+
rev: 1.7.7
17+
hooks:
18+
- id: bandit
19+
args: [-r, src/wintersolve, -f, json, -o, bandit-report.json]
20+
21+
- repo: https://github.com/pre-commit/pre-commit-hooks
22+
rev: v4.6.0
23+
hooks:
24+
- id: trailing-whitespace
25+
- id: end-of-file-fixer
26+
- id: check-yaml
27+
- id: check-toml
28+
- id: check-json
29+
- id: check-added-large-files
30+
- id: check-merge-conflict
31+
- id: debug-logger
32+
- id: detect-private-key
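Review bot: `- id: debug-logger` is not a hook provided by `pre-commit/pre-commit-hooks`; the hook that catches leftover `breakpoint()` and `pdb` calls is `debug-statements`, and as written `pre-commit run` aborts with an unknown-hook-id error for the whole config before any other hook executes. Also, the bandit hook's `args: [-r, src/wintersolve, -f, json, -o, bandit-report.json]` writes a report file into the working tree on every commit and hides findings from the terminal; for the local hook use plain `args: [-r, src/wintersolve]` (optionally with `-ll`) and keep the JSON output for the CI job that uploads it.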
