feat: add automation pieces (#629)

Author: GangGreenTemperTatum

.github/workflows/rigging_pr_description.yaml

@@ -0,0 +1,54 @@
+---
+name: Update PR Description with Rigging
+on:
+  pull_request:
+    types: [opened]
+
+jobs:
+  update-description:
+    name: Update PR Description with Rigging
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0 # full history for proper diffing
+
+      - name: Set up Python
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        with:
+          python-version: "3.13"
+
+      - name: Install uv
+        run: |
+          python -m pip install --upgrade pip
+          pip install uv
+
+      - name: Generate PR Description
+        id: description
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        run: |
+          DESCRIPTION="$(uv run --no-project .hooks/generate_pr_description.py --base-ref "origin/${{ github.base_ref }}" --exclude "./*.lock")"
+          {
+            echo "description<<EOF"
+            echo "${DESCRIPTION}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Update PR Description
+        uses: nefrob/pr-description@4dcc9f3ad5ec06b2a197c5f8f93db5e69d2fdca7 # v1.2.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          content: |
+
+            ---
+
+            ## Generated Summary:
+
+            ${{ steps.description.outputs.description }}
+
+            This summary was generated with ❤️ by [rigging](https://rigging.dreadnode.io/)

.hooks/check_pinned_hash_dependencies.py

@@ -0,0 +1,130 @@
+#!/usr/bin/env python
+import re
+import sys
+from pathlib import Path
+from typing import List, Tuple
+
+
+class GitHubActionChecker:
+    def __init__(self):
+        # Pattern for actions with SHA-1 hashes (pinned)
+        self.pinned_pattern = re.compile(r"uses:\s+([^@\s]+)@([a-f0-9]{40})")
+
+        # Pattern for actions with version tags (unpinned)
+        self.unpinned_pattern = re.compile(
+            r"uses:\s+([^@\s]+)@(v\d+(?:\.\d+)*(?:-[a-zA-Z0-9]+(?:\.\d+)*)?)"
+        )
+
+        # Pattern for all uses statements
+        self.all_uses_pattern = re.compile(r"uses:\s+([^@\s]+)@([^\s\n]+)")
+
+    def format_terminal_link(self, file_path: str, line_number: int) -> str:
+        """Format a terminal link to a file and line number.
+
+        Args:
+            file_path: Path to the file
+            line_number: Line number in the file
+
+        Returns:
+            str: Formatted string with file path and line number
+        """
+        return f"{file_path}:{line_number}"
+
+    def get_line_numbers(self, content: str, pattern: re.Pattern) -> List[Tuple[str, int]]:
+        """Find matches with their line numbers."""
+        matches = []
+        for i, line in enumerate(content.splitlines(), 1):
+            for match in pattern.finditer(line):
+                matches.append((match.group(0), i))
+        return matches
+
+    def check_file(self, file_path: str) -> bool:
+        """Check a single file for unpinned dependencies."""
+        try:
+            content = Path(file_path).read_text()
+        except Exception as e:
+            print(f"\033[91mError reading file {file_path}: {e}\033[0m")
+            return False
+
+        # Get matches with line numbers
+        pinned_matches = self.get_line_numbers(content, self.pinned_pattern)
+        unpinned_matches = self.get_line_numbers(content, self.unpinned_pattern)
+        all_matches = self.get_line_numbers(content, self.all_uses_pattern)
+
+        print(f"\n\033[1m[=] Checking file: {file_path}\033[0m")
+
+        # Print pinned dependencies
+        if pinned_matches:
+            print("\033[92m[+] Pinned:\033[0m")
+            for match, line_num in pinned_matches:
+                print(f" |- {match} \033[90m({file_path}:{line_num})\033[0m")
+
+        # Track all found actions for validation
+        found_actions = set()
+        for match, _ in pinned_matches + unpinned_matches:
+            action_name = self.pinned_pattern.match(match) or self.unpinned_pattern.match(match)
+            if action_name:
+                found_actions.add(action_name.group(1))
+
+        has_errors = False
+
+        # Check for unpinned dependencies
+        if unpinned_matches:
+            has_errors = True
+            print("\033[93m[!] Unpinned (using version tags):\033[0m")
+            for match, line_num in unpinned_matches:
+                print(f" |- {match} \033[90m({file_path}:{line_num})\033[0m")
+
+        # Check for completely unpinned dependencies (no SHA or version)
+        unpinned_without_hash = [
+            (match, line_num)
+            for match, line_num in all_matches
+            if not any(match in pinned[0] for pinned in pinned_matches)
+            and not any(match in unpinned[0] for unpinned in unpinned_matches)
+        ]
+
+        if unpinned_without_hash:
+            has_errors = True
+            print("\033[91m[!] Completely unpinned (no SHA or version):\033[0m")
+            for match, line_num in unpinned_without_hash:
+                print(
+                    f" |- {match} \033[90m({self.format_terminal_link(file_path, line_num)})\033[0m"
+                )
+
+        # Print summary
+        total_actions = len(pinned_matches) + len(unpinned_matches) + len(unpinned_without_hash)
+        if total_actions == 0:
+            print("\033[93m[!] No GitHub Actions found in this file\033[0m")
+        else:
+            print("\n\033[1mSummary:\033[0m")
+            print(f"Total actions: {total_actions}")
+            print(f"Pinned: {len(pinned_matches)}")
+            print(f"Unpinned with version: {len(unpinned_matches)}")
+            print(f"Completely unpinned: {len(unpinned_without_hash)}")
+
+        return not has_errors
+
+
+def main():
+    checker = GitHubActionChecker()
+    files_to_check = sys.argv[1:]
+
+    if not files_to_check:
+        print("\033[91mError: No files provided to check\033[0m")
+        print("Usage: python script.py <file1> <file2> ...")
+        sys.exit(1)
+
+    results = {file: checker.check_file(file) for file in files_to_check}
+
+    # Print final summary
+    print("\n\033[1mFinal Results:\033[0m")
+    for file, passed in results.items():
+        status = "\033[92m✓ Passed\033[0m" if passed else "\033[91m✗ Failed\033[0m"
+        print(f"{status} {file}")
+
+    if not all(results.values()):
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

.hooks/generate_pr_description.py

@@ -0,0 +1,119 @@
+#!/usr/bin/env python
+# /// script
+# requires-python = ">=3.10"
+# dependencies = [
+#     "rigging",
+#     "typer",
+# ]
+# ///
+import asyncio
+import os
+import typing as t
+
+import rigging as rg
+import typer
+
+TRUNCATION_WARNING = (
+    "\n---\n**Note**: Due to the large size of this diff, some content has been truncated."
+)
+
+
+@rg.prompt
+def generate_pr_description(diff: str) -> t.Annotated[str, rg.Ctx("markdown")]:  # type: ignore[empty-body]
+    """
+    Analyze the provided git diff and create a PR description in markdown format.
+    <guidance>
+    - Keep the summary concise and informative.
+    - Use bullet points to structure important statements.
+    - Focus on key modifications and potential impact - if any.
+    - Do not add in general advice or best-practice information.
+    - Write like a developer who authored the changes.
+    - Prefer flat bullet lists over nested.
+    - Do not include any title structure.
+    - If there are no changes, just provide "No relevant changes."
+    - Order your bullet points by importance.
+    </guidance>
+    """
+
+
+async def _run_git_command(args: list[str]) -> str:
+    """
+    Safely run a git command with validated input.
+    """
+    # Validate git exists in PATH
+    git_path = "git"  # Could use shutil.which("git") for more security
+    if not any(
+        os.path.isfile(os.path.join(path, "git")) for path in os.environ["PATH"].split(os.pathsep)
+    ):
+        raise ValueError("Git executable not found in PATH")
+
+    # Validate input parameters
+    if not all(isinstance(arg, str) for arg in args):
+        raise ValueError("All command arguments must be strings")
+
+    # Use os.execv for more secure command execution
+    try:
+        # nosec B603 - Input is validated
+        proc = await asyncio.create_subprocess_exec(
+            git_path,
+            *args,
+            stdout=asyncio.subprocess.PIPE,
+            stderr=asyncio.subprocess.PIPE,
+        )
+        stdout, stderr = await proc.communicate()
+
+        if proc.returncode != 0:
+            raise RuntimeError(f"Git command failed: {stderr.decode()}")
+
+        return stdout.decode().strip()
+    except Exception as e:
+        raise RuntimeError(f"Failed to execute git command: {e}")
+
+
+async def get_diff(base_ref: str, source_ref: str, *, exclude: list[str] | None = None) -> str:
+    """
+    Get the git diff between two branches.
+    """
+    # Validate refs
+    for ref in (base_ref, source_ref):
+        if not isinstance(ref, str) or not ref.strip():
+            raise ValueError("Invalid git reference")
+
+    # Get merge base
+    merge_base = await _run_git_command(["merge-base", source_ref, base_ref])
+
+    # Prepare diff command
+    diff_command = ["diff", "--no-color", merge_base, source_ref]
+    if exclude:
+        validated_excludes = []
+        for path in exclude:
+            # Validate path
+            if not isinstance(path, str) or ".." in path:
+                raise ValueError(f"Invalid exclude path: {path}")
+            validated_excludes.append(f":(exclude){path}")
+        diff_command.extend(["--", ".", *validated_excludes])
+
+    # Get diff
+    return await _run_git_command(diff_command)
+
+
+def main(
+    base_ref: str = "origin/main",
+    source_ref: str = "HEAD",
+    generator_id: str = "openai/gpt-4o-mini",
+    max_diff_lines: int = 1000,
+    exclude: list[str] | None = None,
+) -> None:
+    """
+    Use rigging to generate a PR description from a git diff.
+    """
+    diff = asyncio.run(get_diff(base_ref, source_ref, exclude=exclude))
+    diff_lines = diff.split("\n")
+    if len(diff_lines) > max_diff_lines:
+        diff = "\n".join(diff_lines[:max_diff_lines]) + TRUNCATION_WARNING
+    description = asyncio.run(generate_pr_description.bind(generator_id)(diff))
+    print(description)
+
+
+if __name__ == "__main__":
+    typer.run(main)

.hooks/linters/mdstyle.rb

@@ -0,0 +1,55 @@
+################################################################################
+# Style file for markdownlint.
+#
+# https://github.com/markdownlint/markdownlint/blob/master/docs/configuration.md
+#
+# This file is referenced by the project `.mdlrc`.
+################################################################################
+
+#===============================================================================
+# Start with all built-in rules.
+# https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md
+all
+
+#===============================================================================
+# Override default parameters for some built-in rules.
+# https://github.com/markdownlint/markdownlint/blob/master/docs/creating_styles.md#parameters
+
+# Ignore line length for specific files
+rule 'MD013',
+  ignore_code_blocks: true,
+  files: ['CHANGELOG.md', 'RENOVATE_TESTING.md'],
+  line_length: 99999  # Very high number to effectively disable for specified files
+
+# Allow duplicate headers in changelog files
+rule 'MD024',
+  allow_different_nesting: true,
+  files: ['CHANGELOG.md']
+
+#===============================================================================
+# Exclude the rules I disagree with.
+
+# IMHO it's easier to read lists like:
+# * outmost indent
+#   - one indent
+#   - second indent
+# * Another major bullet
+exclude_rule 'MD004'
+
+# Inconsistent indentation for list items is not a problem.
+exclude_rule 'MD005'
+
+# Ordered lists are fine.
+exclude_rule 'MD029'
+
+# The first line doesn't always need to be a top level header.
+exclude_rule 'MD041'
+
+# I find it necessary to use '<br/>' to force line breaks.
+exclude_rule 'MD033' # Inline HTML
+
+# Using bare URLs is fine.
+exclude_rule 'MD034'
+
+# Allow emphasis to be used as headings (e.g., **Section Title**)
+exclude_rule 'MD036'

.hooks/linters/yamllint.yaml

@@ -0,0 +1,12 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 400
+    level: warning
+  truthy: false
+  comments:
+    min-spaces-from-content: 1
+  braces: disable
+  indentation: disable