fix(ci): expand CI coverage to all notebook directories

Previously, CI workflows only monitored notebooks in the skills/ directory.
This caused PR anthropics#193 to merge without pedagogical review since its notebook
was in tool_evaluation/.

Changes:
- Update all notebook-related CI workflows to monitor **/*.ipynb
- Add SAST security monitoring workflow for code security analysis
- Update validate_notebooks.py to check all repository notebooks
- Fix notebook discovery in links.yml workflow

This ensures comprehensive CI coverage for all 9+ directories containing
notebooks (skills/, tool_evaluation/, misc/, tool_use/, third_party/, etc.)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: zealoushacker

.github/workflows/claude-model-check.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
     types: [opened, synchronize]
     paths:
-      - 'skills/**/*.ipynb'
+      - '**/*.ipynb'
       - '**.py'
       - '**.md'
 

.github/workflows/claude-notebook-review.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
     types: [opened, synchronize]
     paths:
-      - 'skills/**/*.ipynb'
+      - '**/*.ipynb'
       - 'pyproject.toml'
       - 'uv.lock'
       - 'scripts/**/*.py'

.github/workflows/links.yml

@@ -27,7 +27,7 @@ jobs:
           pip install jupyter nbconvert
           mkdir -p temp_md
           
-          for nb in skills/**/*.ipynb; do
+          for nb in $(find . -name "*.ipynb" -not -path "*/.*"); do
             echo "Converting: $nb"
             jupyter nbconvert --to markdown "$nb" \
               --output-dir=temp_md \

.github/workflows/notebook-quality.yml

@@ -3,13 +3,13 @@ name: Notebook Quality Check
 on:
   pull_request:
     paths:
-      - 'skills/**/*.ipynb'
+      - '**/*.ipynb'
       - 'pyproject.toml'
       - 'uv.lock'
   push:
     branches: [main]
     paths:
-      - 'skills/**/*.ipynb'
+      - '**/*.ipynb'
 
 permissions:
   contents: read
@@ -37,8 +37,8 @@ jobs:
       
       - name: Lint notebooks with Ruff
         run: |
-          uv run ruff check skills/**/*.ipynb --show-fixes || true
-          uv run ruff format skills/**/*.ipynb --check || true
+          uv run ruff check **/*.ipynb --show-fixes || true
+          uv run ruff format **/*.ipynb --check || true
       
       - name: Validate notebook structure
         run: |
@@ -54,9 +54,9 @@ jobs:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
         run: |
           mkdir -p test_outputs
-          for notebook in skills/*/guide.ipynb; do
+          for notebook in $(find . -name "*.ipynb" -not -path "*/.*" -not -path "*/test_outputs/*"); do
             echo "📓 Testing: $notebook"
-            output_name=$(basename $(dirname "$notebook"))
+            output_name=$(echo "$notebook" | sed 's|/|_|g' | sed 's|\.|_|g')
             # Use nbconvert to execute notebooks and save outputs
             uv run jupyter nbconvert --to notebook \
               --execute "$notebook" \
@@ -75,8 +75,8 @@ jobs:
           github.event.pull_request.author_association != 'OWNER'
         run: |
           echo "🔒 Running in mock mode for external contributor"
-          
-          for notebook in skills/*/guide.ipynb; do
+
+          for notebook in $(find . -name "*.ipynb" -not -path "*/.*"); do
             echo "📓 Validating structure: $notebook"
             uv run python -m nbformat.validator "$notebook"
           done

.github/workflows/sast-monitor.yml

@@ -0,0 +1,27 @@
+name: SAST Security Monitor
+
+on:
+    pull_request:
+
+permissions:
+    contents: read
+    pull-requests: write
+
+jobs:
+    security-scan:
+        runs-on: ubuntu-latest
+        continue-on-error: true # Never fail the build
+        steps:
+            - uses: actions/checkout@v4
+              with:
+                  ref: ${{ github.event.pull_request.head.sha || github.sha }}
+                  # fetch-depth: 2 is required to get the previous commit for diff analysis
+                  # The SAST tool needs git history to review changes between commits
+                  fetch-depth: 2
+
+            - uses: anthropics/sast@main
+              with:
+                  mode: monitor
+                  comment-pr: true
+                  upload-results: true
+                  claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

scripts/validate_notebooks.py

@@ -32,20 +32,30 @@ def validate_notebook(path: Path) -> list:
 def main():
     """Check all notebooks."""
     has_issues = False
-    
-    for notebook in Path('skills').glob('**/*.ipynb'):
+
+    # Find all notebooks in the repository
+    notebooks = list(Path('.').glob('**/*.ipynb'))
+    # Exclude hidden directories and common build directories
+    notebooks = [nb for nb in notebooks if not any(part.startswith('.') for part in nb.parts)]
+    notebooks = [nb for nb in notebooks if 'test_outputs' not in nb.parts]
+
+    if not notebooks:
+        print("⚠️ No notebooks found to validate")
+        sys.exit(0)
+
+    for notebook in notebooks:
         issues = validate_notebook(notebook)
         if issues:
             has_issues = True
             print(f"\n❌ {notebook}:")
             for issue in issues:
                 print(f"  - {issue}")
-    
+
     if not has_issues:
-        print("✅ All notebooks validated successfully")
+        print(f"✅ All {len(notebooks)} notebooks validated successfully")
     else:
         print("\n⚠️ Found issues that should be fixed in a separate PR")
-    
+
     # For POC, return 0 even with issues to show detection without blocking
     sys.exit(0)