Merged
37 changes: 37 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,37 @@
version: 2
updates:
- package-ecosystem: "github-actions"
Comment on lines +1 to +3

Copilot AI Apr 30, 2026


PR description mentions updating codecov/codecov-action “where used”, but there’s no workflow/config in this repo referencing that action (searching the repo turns up no matches). Please either remove that bullet from the PR description or include the missing change if it was intended.

directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "06:00"
timezone: "America/New_York"
open-pull-requests-limit: 10
labels:
- "dependencies"
- "github-actions"
commit-message:
prefix: "ci"
groups:
github-actions:
patterns:
- "*"

- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "06:15"
timezone: "America/New_York"
open-pull-requests-limit: 10
labels:
- "dependencies"
- "python"
commit-message:
prefix: "deps"
groups:
python-dependencies:
patterns:
- "*"
Comment on lines +20 to +37

Copilot AI Apr 30, 2026


Dependabot's "pip" ecosystem can update pyproject.toml, but it will not update the committed uv.lock, which can lead to PRs that change version constraints without updating the lockfile (and potentially to CI resolving different deps than what’s committed). Consider either disabling the pip updater, or adding automation/CI checks that regenerate & commit uv.lock as part of dependency-update PRs so the lockfile stays in sync.

Suggested change
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "06:15"
timezone: "America/New_York"
open-pull-requests-limit: 10
labels:
- "dependencies"
- "python"
commit-message:
prefix: "deps"
groups:
python-dependencies:
patterns:
- "*"

18 changes: 9 additions & 9 deletions .github/workflows/ci.yml
@@ -14,10 +14,10 @@ jobs:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2

- name: Install uv
uses: astral-sh/setup-uv@v8
uses: astral-sh/setup-uv@v8.1.0
with:
version: "latest"

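Review bot: `actions/checkout@v6.0.2` and `astral-sh/setup-uv@v8.1.0` are still mutable references; an exact patch tag narrows the window but the upstream can re-point the tag, so the supply-chain gain this PR is after comes only from pinning each `uses:` to the full 40-character commit SHA with the version kept in a trailing comment (Dependabot continues to update SHA-pinned actions and rewrites that comment). The `version: "latest"` left on setup-uv in the same hunk undoes the pin in a different way: whatever uv release is current on the day of the run gets installed, so pin `version:` to a specific uv release if the lint, typecheck and test jobs are meant to be reproducible.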
@@ -37,10 +37,10 @@ jobs:
name: Type Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2

- name: Install uv
uses: astral-sh/setup-uv@v8
uses: astral-sh/setup-uv@v8.1.0
with:
version: "latest"

@@ -62,10 +62,10 @@ jobs:
python-version: ["3.12", "3.13", "3.14"]

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2

- name: Install uv
uses: astral-sh/setup-uv@v8
uses: astral-sh/setup-uv@v8.1.0
with:
version: "latest"

@@ -106,12 +106,12 @@ jobs:
runs-on: ubuntu-latest
needs: [lint, typecheck, test]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 0

- name: Install uv
uses: astral-sh/setup-uv@v8
uses: astral-sh/setup-uv@v8.1.0
with:
version: "latest"

@@ -122,7 +122,7 @@ jobs:
run: uv build

- name: Upload build artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7.0.1
with:
name: dist
path: dist/
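Review bot: `actions/upload-artifact@v4` to `@v7.0.1` crosses three major versions on one line, so this is not a routine patch bump; read the v5, v6 and v7 release notes before merging, because major versions of this action have changed the artifact format before (v4 artifacts cannot be read by `download-artifact@v3`). In ci.yml the artifact is only uploaded, but the identical bump in release.yml feeds `actions/download-artifact@v8.0.1`, so the two sides should be verified as a pair rather than as independent version updates.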
6 changes: 3 additions & 3 deletions .github/workflows/docs.yml
@@ -17,12 +17,12 @@ jobs:
name: Build & Deploy Docs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 0

- name: Install uv
uses: astral-sh/setup-uv@v8
uses: astral-sh/setup-uv@v8.1.0
with:
version: "latest"

@@ -36,7 +36,7 @@ jobs:
run: uv run mkdocs build --strict

- name: Deploy to website repo
uses: cpina/github-action-push-to-another-repository@v1.7.2
uses: cpina/github-action-push-to-another-repository@v1.7.3

Copilot AI Apr 30, 2026


This workflow uses a third-party action that can push to another repository using an SSH deploy key. For supply-chain hardening, consider pinning cpina/github-action-push-to-another-repository to a full commit SHA (and optionally using GitHub’s allow-listing/pinning guidance) rather than a mutable tag, to reduce the risk of upstream tag compromise.

Suggested change
uses: cpina/github-action-push-to-another-repository@v1.7.3
# Pin to the full commit SHA for the v1.7.3 release to avoid mutable tag risk.
uses: cpina/github-action-push-to-another-repository@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V1.7.3>

env:
SSH_DEPLOY_KEY: ${{ secrets.DOCS_DEPLOY_KEY }}
with:
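Review bot: this step hands `secrets.DOCS_DEPLOY_KEY`, an SSH key with write access to the website repository, to a third-party action, so the v1.7.2 to v1.7.3 bump should be reviewed against the upstream diff rather than merged as a routine version update; the SHA pin suggested in the comment above is what makes that review stick, since once the ref is a commit hash a later move of the tag cannot silently swap the code that receives the key. Also confirm the deploy key is scoped to the target repository only, because any bug or compromise in this action has exactly the reach of that key.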
12 changes: 6 additions & 6 deletions .github/workflows/release.yml
@@ -12,12 +12,12 @@ jobs:
name: Build Package
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 0

- name: Install uv
uses: astral-sh/setup-uv@v8
uses: astral-sh/setup-uv@v8.1.0
with:
version: "latest"

@@ -28,7 +28,7 @@ jobs:
run: uv build

- name: Upload build artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7.0.1
with:
name: dist
path: dist/
@@ -42,13 +42,13 @@ jobs:
id-token: write
steps:
- name: Download build artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8.0.1
with:
name: dist
path: dist/

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@v1.14.0

Copilot AI Apr 30, 2026


For release publishing, consider pinning pypa/gh-action-pypi-publish to a full commit SHA instead of a version tag. This reduces the blast radius of a compromised/moved tag for a workflow that has permission to publish artifacts to PyPI.

Suggested change
uses: pypa/gh-action-pypi-publish@v1.14.0
uses: pypa/gh-action-pypi-publish@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V1_14_0> # v1.14.0


github-release:
name: Create GitHub Release
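Review bot: moving `pypa/gh-action-pypi-publish` from `release/v1` to `v1.14.0` is what lets Dependabot manage this line at all, since `release/v1` is a branch and branch refs are not version-bumped; the next step is the commit SHA with `# v1.14.0` as suggested above, and it matters most here because the job runs with `id-token: write`, so the action receives an OIDC token that PyPI exchanges for a publish credential and a compromised ref at this line can publish under the project's name. Note that `actions/download-artifact@v8.0.1` in this hunk and `actions/upload-artifact@v7.0.1` in the build job are bumped independently; confirm the download side reads what the upload side produces before this lands on a tagged release.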
@@ -57,7 +57,7 @@ jobs:
permissions:
contents: write
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2

- name: Create GitHub Release
env:
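The two Copilot comments above ask for `pypa/gh-action-pypi-publish` and `cpina/github-action-push-to-another-repository` to be pinned to full commit SHAs. As an added example, not code from this PR or from the ml4t project, the following Python script is the check a reviewer would run over the workflow files: it lists every `uses:` reference that is still on a mutable ref (tag, branch, or an undigested Docker image) and rewrites one line once the tag has been resolved to a commit out of band, for instance with `git ls-remote --tags https://github.com/<owner>/<repo> <tag>` (take the peeled `<tag>^{}` line for an annotated tag). The embedded workflow snippet is constructed from the `uses:` lines in this diff; the `./.github/actions/site-build` path and the 40-hex SHA in it are placeholders, and the tag-versus-branch split is a naming heuristic because only the remote knows which it is.

```python
"""Find GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not part of this PR or the ml4t project. Standard library only;
resolving a tag to a SHA is left to the caller, e.g.
    git ls-remote --tags https://github.com/<owner>/<repo> <tag>
(for an annotated tag, use the peeled `<tag>^{}` line of that output).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Value of a `uses:` key, optionally quoted; stops at whitespace or a YAML comment.
USES_RE = re.compile(r'''^(?P<pre>\s*-?\s*uses:\s*)(?P<q>["']?)(?P<val>[^\s"'#]+)(?P=q)''')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Heuristic only: a tag-looking name. Without asking the remote, tag vs branch is a guess.
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

# Ref kinds an upstream can re-point after you have reviewed the code behind them.
MUTABLE_KINDS = frozenset({"tag", "branch", "missing", "docker"})


@dataclass(frozen=True)
class ActionRef:
    line_no: int
    action: str   # "owner/repo", "./local/path" or "docker://image:tag"
    ref: str      # tag, branch, SHA or image digest; "" when absent
    kind: str     # "sha", "tag", "branch", "missing", "local", "docker", "digest"


def classify(uses: str) -> tuple[str, str, str]:
    """Split the value of a `uses:` key into (action, ref, kind)."""
    if uses.startswith("./"):
        return uses, "", "local"                 # same-repo action, fixed by the checkout
    if uses.startswith("docker://"):
        image = uses[len("docker://"):]
        if "@sha256:" in image:
            return uses, image.split("@", 1)[1], "digest"
        return uses, image, "docker"             # image tag: mutable on the registry
    action, sep, ref = uses.rpartition("@")
    if not sep:
        return uses, "", "missing"               # `owner/repo` with no ref at all
    if SHA_RE.match(ref):
        return action, ref, "sha"
    if TAG_RE.match(ref):
        return action, ref, "tag"
    return action, ref, "branch"                 # e.g. release/v1, main


def parse_uses(workflow_text: str) -> list[ActionRef]:
    """Return every `uses:` reference in a workflow file, in file order."""
    found = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify(m["val"])
            found.append(ActionRef(line_no, action, ref, kind))
    return found


def unpinned(workflow_text: str) -> list[ActionRef]:
    """The references a reviewer should ask to have SHA-pinned."""
    return [r for r in parse_uses(workflow_text) if r.kind in MUTABLE_KINDS]


def pin_line(line: str, sha: str) -> str:
    """Rewrite `uses: owner/repo@<tag>` as `uses: owner/repo@<sha> # <tag>`.

    The caller supplies a SHA it resolved and verified out of band; the old ref
    is kept as a trailing comment so Dependabot can still track the version.
    """
    if not SHA_RE.match(sha):
        raise ValueError("sha must be the full 40-character commit hash")
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a `uses:` line")
    action, ref, kind = classify(m["val"])
    if kind not in {"tag", "branch"}:
        raise ValueError(f"cannot SHA-pin a {kind} reference")
    return f"{m['pre']}{m['q']}{action}@{sha}{m['q']} # {ref}" + line[m.end():]


# Constructed sample: the `uses:` lines from this PR plus a made-up SHA-pinned line.
# The local path and the SHA below are placeholders, not real repository content.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@v8.0.1
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@v1.14.0
      - name: Deploy to website repo
        uses: cpina/github-action-push-to-another-repository@v1.7.3
      - uses: ./.github/actions/site-build
      - uses: docker://alpine:3.20
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.action}@{r.ref} ({r.kind}) is not SHA-pinned")
```

Run it as a file to see the report for the sample, or pass it the text of each `.github/workflows/*.yml`; after pinning, Dependabot keeps proposing updates to SHA-pinned actions and rewrites the trailing `# vX.Y.Z` comment, so the pin does not freeze the project on an old release.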
1 change: 1 addition & 0 deletions src/ml4t/engineer/config/data_contract.py
@@ -31,4 +31,5 @@ def from_mapping(cls, mapping: Mapping[str, Any]) -> DataContractConfig:
"""Create contract from a generic mapping source."""
return cls(**dict(mapping))


__all__ = ["DataContractConfig"]
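Review bot: the only change to `src/ml4t/engineer/config/data_contract.py` is a second blank line before `__all__` (two blank lines after the class body, as PEP 8 wants), which is unrelated to the dependency pinning this PR is about; it is harmless, but a formatter-driven whitespace change belongs in its own commit so a later `git blame` on this module does not point at a CI dependency bump.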