Pull request overview
This PR bumps the repository’s Rhiza template reference to v0.11.0 and syncs template-managed files, updating CI/security tooling, documentation configuration, and adding new Rhiza utility scripts/tests.
Changes:
- Updated Rhiza template/version pins and synced template-managed files (Makefiles, workflows, docs config).
- Added/updated security and quality tooling (Semgrep rules, pip-audit policy wrapper, suppression audit, pre-commit hooks).
- Adjusted docs/book build pipeline (MkDocs base config + book build targets).
Reviewed changes
Copilot reviewed 46 out of 49 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| Makefile | Repo-owned Makefile updated, but currently contains unresolved merge-conflict markers. |
| docs/mkdocs-base.yml | Updated MkDocs Material base config (theme features, markdown extensions, mkdocstrings plugin). |
| docs/development/TESTS.md | Updated docs to recommend uv run pytest ... instead of direct pytest. |
| docs/development/MARIMO.md | Updated Marimo docs, but currently contains unresolved merge-conflict markers. |
| docs/adr/0000-adr-template.md | Removed ADR template file. |
| .rhiza/utils/suppression_audit.py | Added suppression-audit utility script. |
| .rhiza/utils/pip_audit_policy.py | Added pip-audit wrapper enforcing tiered failure policy. |
| .rhiza/tests/utils/test_git_repo_fixture.py | Added Bandit suppression comments to subprocess usage in tests. |
| .rhiza/tests/sync/test_sync_schedule.py | Added tests for RHIZA sync schedule override behavior. |
| .rhiza/tests/sync/test_rhiza_version.py | Added Bandit suppression comments to subprocess usage in tests. |
| .rhiza/tests/sync/test_readme_validation.py | Added Bandit suppression comment to subprocess import. |
| .rhiza/tests/structure/test_template_bundles.py | Expanded bundle/profile validation test coverage. |
| .rhiza/tests/stress/test_makefile_stress.py | Added Bandit suppression comment to subprocess import. |
| .rhiza/tests/stress/test_git_stress.py | Added Bandit suppression comment to subprocess import. |
| .rhiza/tests/security/test_security_patterns.py | Added github-bundle gating + new checks for pre-commit cache hook and .bandit presence. |
| .rhiza/tests/integration/test_sbom.py | Updated Bandit suppressions for subprocess usage. |
| .rhiza/tests/integration/test_docs_targets.py | Removed assertions tied to old mkdocs command splicing behavior. |
| .rhiza/tests/integration/test_book_targets.py | Updated expected phony targets (removed mkdocs-build). |
| .rhiza/tests/api/test_weekly_workflow.py | Added workflow validation tests for rhiza_weekly.yml (workflow file removed in this PR). |
| .rhiza/tests/api/test_release_workflow.py | Added workflow validation tests for rhiza_release.yml. |
| .rhiza/tests/api/test_makefile_targets.py | Removed coverage-badge dry-run tests; retained suppression-audit dry-run tests. |
| .rhiza/tests/api/test_ci_workflow.py | Added workflow validation tests for rhiza_ci.yml (workflow file removed in this PR). |
| .rhiza/template.yml | Bumped template branch reference to v0.11.0. |
| .rhiza/template.lock | Updated template lock SHA/ref and refreshed managed file list. |
| .rhiza/semgrep.yml | Added Semgrep rules (numpy/security/best-practice checks). |
| .rhiza/rhiza.mk | Added RHIZA_SYNC_SCHEDULE + ci-os-matrix and sync schedule patching, but currently contains unresolved merge-conflict markers. |
| .rhiza/requirements/docs.txt | Switched docs requirements (removed mkdocs-related deps, added mike/zensical). |
| .rhiza/make.d/test.mk | Updated security target to use pip-audit policy wrapper and .bandit ini; removed coverage-badge target. |
| .rhiza/make.d/quality.mk | Added semgrep target and phony entry. |
| .rhiza/make.d/book.mk | Reworked book build/serve targets to use zensical + simple HTTP server and changed report/notebook export behavior. |
| .rhiza/.rhiza-version | Bumped internal Rhiza version to 0.14.1. |
| .rhiza/.env | Updated env defaults, but currently contains unresolved merge-conflict markers. |
| .pre-commit-config.yaml | Added local hook preventing Python cache files; bumped tool revisions; added interrogate hook; updated bandit config to .bandit. |
| .gitignore | Stopped ignoring docs/notebooks.md. |
| .github/workflows/rhiza_weekly.yml | Removed weekly workflow. |
| .github/workflows/rhiza_sync.yml | Bumped astral-sh/setup-uv action version. |
| .github/workflows/rhiza_release.yml | Updated uv/setup versions; added job to generate+commit CHANGELOG.md; bumped docker login action. |
| .github/workflows/rhiza_marimo.yml | Removed Marimo workflow. |
| .github/workflows/rhiza_codeql.yml | Removed Rhiza CodeQL workflow. |
| .github/workflows/rhiza_ci.yml | Removed Rhiza CI workflow. |
| .github/workflows/rhiza_book.yml | Removed Rhiza book workflow. |
| .github/workflows/copilot-setup-steps.yml | Removed Copilot agent setup workflow. |
| .github/hooks/session-start.sh | Removed Copilot hook script. |
| .github/hooks/session-end.sh | Removed Copilot hook script. |
| .github/hooks/hooks.json | Removed Copilot hooks configuration. |
| .github/copilot-instructions.md | Removed Copilot instructions document. |
| .github/agents/summarise.md | Removed agent definition. |
| .github/agents/analyser.md | Removed agent definition. |
| .bandit | Added Bandit INI configuration. |
Comment on lines +3 to +7
| <<<<<<< ours | ||
| ======= | ||
|
|
||
| DEFAULT_AI_MODEL=claude-sonnet-4.6 | ||
| >>>>>>> upstream |
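Review bot: this region still carries unresolved merge-conflict markers (`<<<<<<< ours`, `=======`, `>>>>>>> upstream`) around `DEFAULT_AI_MODEL=claude-sonnet-4.6`. In a dotenv-style file those marker lines are either a parse error or get read as bogus keys, so the conflict has to be resolved before merge; if the upstream default is the intended one, keep only the `DEFAULT_AI_MODEL` line and drop the three marker lines.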
Comment on lines +16 to +23
| <<<<<<< ours | ||
| # Wire typecheck into make validate | ||
| post-validate:: | ||
| @$(MAKE) typecheck | ||
| ======= | ||
| # Optional: developer-local extensions (not committed) | ||
| -include local.mk | ||
| >>>>>>> upstream |
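Review bot: unresolved conflict markers between the repo-owned `post-validate:: @$(MAKE) typecheck` hook and the upstream `-include local.mk` stanza. The two blocks are not mutually exclusive, so the likely resolution is to keep both and delete the markers; as committed, `make` cannot parse a line reading `<<<<<<< ours` and every target in this file is unusable.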
Comment on lines +1 to +8
| <<<<<<< ours | ||
| MARIMO_FOLDER=book/marimo/notebooks | ||
| SOURCE_FOLDER=src/cvx | ||
| ======= | ||
| MARIMO_FOLDER=docs/notebooks | ||
| SOURCE_FOLDER=src | ||
| RHIZA_CI_OS_MATRIX=["ubuntu-latest","macos-latest","windows-latest"] | ||
| >>>>>>> upstream |
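Review bot: unresolved conflict markers; the `ours` side holds the repo-specific `MARIMO_FOLDER=book/marimo/notebooks` and `SOURCE_FOLDER=src/cvx`, while upstream resets both to template defaults and adds `RHIZA_CI_OS_MATRIX=["ubuntu-latest","macos-latest","windows-latest"]`. Keep the repo's two paths and take only the new `RHIZA_CI_OS_MATRIX` line; the Marimo docs and the `_book-notebooks` target elsewhere in this PR derive their paths from `MARIMO_FOLDER`, so whichever value survives here must match them.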
Comment on lines +5 to +27
| @@ -12,6 +13,18 @@ Notebooks live in `book/marimo/notebooks/` (configured via `MARIMO_FOLDER` in `. | |||
| | `monkey.py` | Random monkey portfolio | | |||
| | `OneAssetFadingOut.py` | Single asset fade-out analysis | | |||
| | `pairs.py` | Pairs trading simulation | | |||
| ======= | |||
| Marimo notebooks support a wide range of features, including: | |||
|
|
|||
| - **Interactive UI Elements**: Sliders, dropdowns, text inputs, checkboxes, and multiselect | |||
| - **Reactive Programming**: Automatic cell updates when dependencies change | |||
| - **Data Visualisation**: Interactive plots using Plotly | |||
| - **DataFrames**: Working with Pandas data | |||
| - **Layout Components**: Columns, tabs, and accordions for organised content | |||
| - **Forms**: Dictionary-based forms for collecting user input | |||
| - **Rich Text**: Markdown and LaTeX support for documentation | |||
| - **Advanced Features**: Callouts, collapsible accordions, and more | |||
| >>>>>>> upstream | |||
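Review bot: unresolved conflict in the Marimo docs. The `ours` side keeps the repo's notebook table (`monkey.py`, `OneAssetFadingOut.py`, `pairs.py` under `book/marimo/notebooks/`) and upstream replaces it with a generic feature list; these are not alternatives, so keep the table (it documents files that exist in this repo), append the feature list if it is wanted, and make sure the stated folder agrees with the `MARIMO_FOLDER` value chosen in the env conflict.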
Comment on lines +53 to +70
| ```bash | ||
| <<<<<<< ours | ||
| marimo edit book/marimo/notebooks/monkey.py | ||
| ======= | ||
| marimo edit docs/notebooks/my_notebook.py | ||
| >>>>>>> upstream | ||
| ``` | ||
|
|
||
| ### Using uv (Recommended) | ||
|
|
||
| The notebooks include inline dependency metadata, making them self-contained: | ||
|
|
||
| ```bash | ||
| <<<<<<< ours | ||
| uv run book/marimo/notebooks/monkey.py | ||
| ======= | ||
| uv run docs/notebooks/my_notebook.py | ||
| >>>>>>> upstream |
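Review bot: the conflict markers here sit inside ```bash fences, so if this were merged the markers would render as literal shell lines in the published docs. Resolve both snippets (the `marimo edit ...` and the `uv run ...` example) to the same path, i.e. `book/marimo/notebooks/monkey.py` if the repo keeps its own `MARIMO_FOLDER`, and drop the `my_notebook.py` placeholder.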
Comment on lines +174 to +180
| <<<<<<< ours | ||
|
|
||
| # Optional: local overrides (not committed, gitignored) | ||
| -include local.mk | ||
|
|
||
| ======= | ||
| >>>>>>> upstream |
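Review bot: the `ours` side of this conflict is only the `-include local.mk` stanza and the upstream side is empty, while the upstream side of the Makefile conflict earlier in this PR adds the very same `-include local.mk`. Keeping both would include `local.mk` twice, so the cleanest resolution is to delete this block together with its markers and rely on the upstream placement.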
Comment on lines 20 to 41
| _book-reports: test benchmark stress hypothesis-test | ||
| @mkdir -p docs/reports | ||
| @for src_dir in \ | ||
| "_tests/html-coverage:reports/coverage" \ | ||
| "_tests/html-report:reports/test-report" \ | ||
| "_tests/benchmarks:reports/benchmarks" \ | ||
| "_tests/stress:reports/stress" \ | ||
| "_tests/hypothesis:reports/hypothesis"; do \ | ||
| src=$${src_dir%%:*}; dest=docs/$${src_dir#*:}; \ | ||
| if [ -d "$$src" ] && [ -n "$$(ls -A "$$src" 2>/dev/null)" ]; then \ | ||
| printf "${BLUE}[INFO] Copying $$src -> $$dest${RESET}\n"; \ | ||
| mkdir -p "$$dest"; cp -r "$$src/." "$$dest/"; \ | ||
| else \ | ||
| printf "${YELLOW}[WARN] $$src not found, skipping${RESET}\n"; \ | ||
| fi; \ | ||
| done | ||
| @printf "# Reports\n\n" > docs/reports.md | ||
| @[ -f "docs/reports/test-report/report.html" ] && echo "- [Test Report](reports/test-report/report.html)" >> docs/reports.md || true | ||
| @[ -f "docs/reports/hypothesis/report.html" ] && echo "- [Hypothesis Report](reports/hypothesis/report.html)" >> docs/reports.md || true | ||
| @[ -f "docs/reports/benchmarks/report.html" ] && echo "- [Benchmarks](reports/benchmarks/report.html)" >> docs/reports.md || true | ||
| @[ -f "docs/reports/stress/report.html" ] && echo "- [Stress Report](reports/stress/report.html)" >> docs/reports.md || true | ||
| @[ -f "docs/reports/coverage/index.html" ] && echo "- [Coverage Report](reports/coverage/index.html)" >> docs/reports.md || true | ||
| @if [ -d "${ROOT}/_tests" ] && [ -n "$$(ls -A "${ROOT}/_tests" 2>/dev/null)" ]; then \ | ||
| printf "${BLUE}[INFO] Copying ${ROOT}/_tests -> docs/reports${RESET}\n"; \ | ||
| mkdir -p ${ROOT}/docs/reports; cp -r "${ROOT}/_tests/." "${ROOT}/docs/reports/"; \ | ||
| else \ | ||
| printf "${YELLOW}[WARN] ${ROOT}/_tests not found or empty, skipping${RESET}\n"; \ | ||
| fi | ||
|
|
||
| # Export each Marimo notebook to a self-contained HTML file under docs/notebooks/. | ||
| # Skipped silently when MARIMO_FOLDER is not set or does not exist. | ||
| _book-notebooks: | ||
| @if [ -d "$(MARIMO_FOLDER)" ]; then \ | ||
| printf "${BLUE}[INFO] Exporting Marimo notebooks from $(MARIMO_FOLDER)${RESET}\n"; \ | ||
| for nb in $(MARIMO_FOLDER)/*.py; do \ | ||
| name=$$(basename "$$nb" .py); \ | ||
| printf "${BLUE}[INFO] Exporting $$nb${RESET}\n"; \ | ||
| abs_output="$$(pwd)/docs/notebooks/$$name.html"; \ | ||
| mkdir -p docs/notebooks; \ | ||
| printf "${BLUE}[INFO] Exporting $$nb -> ${ROOT}/docs/notebooks/$$name.html${RESET}\n"; \ | ||
| abs_output="${ROOT}/docs/notebooks/$$name.html"; \ | ||
| (cd "$$(dirname "$$nb")" && ${UV_BIN} run marimo export html --sandbox "$$(basename "$$nb")" -o "$$abs_output"); \ | ||
| done; \ | ||
| printf "# Marimo Notebooks\n\n" > docs/notebooks.md; \ | ||
| for html in docs/notebooks/*.html; do \ | ||
| name=$$(basename "$$html" .html); \ | ||
| echo "- [$$name]($$name.html)" >> docs/notebooks.md; \ | ||
| done; \ | ||
| fi | ||
|
|
||
| book:: _book-reports _book-notebooks ## compile the companion book via MkDocs | ||
| @if [ -n "$(_MKDOCS_CFG)" ]; then \ | ||
| rm -rf "$(BOOK_OUTPUT)"; \ | ||
| ${UVX_BIN} --with "mkdocs-material<10.0" --with "pymdown-extensions>=10.0" --with "mkdocs<2.0" $(MKDOCS_EXTRA_PACKAGES) mkdocs build \ | ||
| -f "$(_MKDOCS_CFG)" \ | ||
| -d "$$(pwd)/$(BOOK_OUTPUT)"; \ | ||
| else \ | ||
| printf "${YELLOW}[WARN] No mkdocs config found, skipping MkDocs build${RESET}\n"; \ | ||
| printf "${YELLOW}[WARN] MARIMO_FOLDER not set or missing, skipping notebook export${RESET}\n"; \ | ||
| fi |
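Review bot: this region looks like both sides of a merge retained without markers, and it needs to be reconciled to one implementation. In `_book-reports` the per-directory loop copies each report into `docs/reports/<name>`, and then `cp -r "${ROOT}/_tests/." "${ROOT}/docs/reports/"` copies the raw `_tests` tree (`html-coverage`, `html-report`, ...) on top of it, so every report ends up twice under two names; keep one of the two. In `_book-notebooks`, `abs_output` is assigned twice with different bases (`$$(pwd)/docs/notebooks/...` then `${ROOT}/docs/notebooks/...`) and the "Exporting" printf is duplicated; keep the `${ROOT}` form and one message. In `book::` the else branch prints a `MARIMO_FOLDER not set or missing` warning that belongs to the notebook target, not to the missing-mkdocs-config case, and the target still runs `mkdocs build` via `${UVX_BIN} --with "mkdocs-material<10.0" ...` although this PR drops the mkdocs packages from `.rhiza/requirements/docs.txt` and the file summary says the build moved to zensical.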
| # refuses to serve gitignored directories like _book) is not needed. | ||
| serve: book ## build and serve the book at http://localhost:8000 | ||
| @printf "${BLUE}[INFO] Serving book at http://localhost:8000 (Ctrl-C to stop)${RESET}\n" | ||
| @cd $(BOOK_OUTPUT) && python3 -m http.server 8000 |
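Review bot: `python3 -m http.server 8000` binds to all interfaces by default, so `make serve` exposes the built book, including the coverage and test reports copied into it, to anything on the local network; pass `--bind 127.0.0.1` so the listener matches the `http://localhost:8000` advertised in the help text and the printf. The leading comment `# refuses to serve gitignored directories like _book) is not needed.` has lost its first half and should be completed or removed.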
| """Load and parse the CI workflow YAML file.""" | ||
| workflow_file = root / WORKFLOW_PATH | ||
| if not workflow_file.exists(): | ||
| pytest.fail(f"Workflow file not found: {workflow_file}") |
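Review bot: `_load_workflow` calls `pytest.fail(...)` when the workflow file is absent, and per the file summary this same PR deletes `.github/workflows/rhiza_ci.yml`, so every test in `test_ci_workflow.py` will fail on the first run after merge; either keep the workflow, switch to `pytest.skip` when the file is missing, or do not add the module.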
Comment on lines +19 to +34
| WORKFLOW_PATH = Path(".github") / "workflows" / "rhiza_weekly.yml" | ||
| EXPECTED_JOBS = {"dep-compat-test", "semgrep", "pip-audit", "link-check"} | ||
|
|
||
|
|
||
| # --------------------------------------------------------------------------- | ||
| # Helpers | ||
| # --------------------------------------------------------------------------- | ||
|
|
||
|
|
||
| def _load_workflow(root: Path) -> dict: | ||
| """Load and parse the weekly workflow YAML file.""" | ||
| workflow_file = root / WORKFLOW_PATH | ||
| if not workflow_file.exists(): | ||
| pytest.fail(f"Workflow file not found: {workflow_file}") | ||
| with open(workflow_file) as fh: | ||
| return yaml.safe_load(fh) |
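Review bot: `WORKFLOW_PATH` points at `.github/workflows/rhiza_weekly.yml`, which this PR removes, so `_load_workflow` reaches `pytest.fail(...)` and every test asserting on `EXPECTED_JOBS` (`dep-compat-test`, `semgrep`, `pip-audit`, `link-check`) fails unconditionally; either `pytest.skip` when the file is absent or drop the module along with the workflow. Using `yaml.safe_load` rather than `yaml.load` is the right choice and should stay.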
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
make sync
🤖 Generated with Claude Code