chore: Docs and Repo updates (#133)

* API docs generation. Pre-commit hooks.

* Finalizing docs updates

* Spelling fix

* Some workflow updates

* type fix

Author: monoxgas

.github/CODE_OF_CONDUCT.md

@@ -16,7 +16,7 @@ include:
 
 - Using welcoming and inclusive language
 - Being respectful of differing viewpoints and experiences
-- Gracefully accepting constructive criticism
+- gracefully accepting constructive criticism
 - Focusing on what is best for the community
 - Showing empathy towards other community members
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,5 +1,5 @@
 ## Notes
 
-- 
+-
 
----
+---

.github/workflows/ci.yml

@@ -1,10 +1,11 @@
+---
 name: Lint, Typecheck, and Test
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 jobs:
   ci:
@@ -19,11 +20,6 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
 
-    - name: Setup Python ${{ matrix.python-version }}
-      uses: actions/setup-python@5db1cf9a59fb97c40a68accab29236f0da7e94db
-      with:
-        python-version: ${{ matrix.python-version }}
-
     - name: Install Poetry
       uses: abatilo/actions-poetry@b8f6fe29ba2eb78e0d45ccbf41cd14154c4e25b2
 
@@ -32,13 +28,11 @@ jobs:
         poetry config virtualenvs.create true --local
         poetry config virtualenvs.in-project true --local
 
-    - name: Cache dependencies
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    - name: Setup Python ${{ matrix.python-version }}
+      uses: actions/setup-python@5db1cf9a59fb97c40a68accab29236f0da7e94db
       with:
-        path: ./.venv
-        key: venv-${{ runner.os }}-py${{ matrix.python-version }}-${{ hashFiles('poetry.lock') }}
-        restore-keys: |
-          venv-${{ runner.os }}-py${{ matrix.python-version }}-
+        python-version: ${{ matrix.python-version }}
+        cache: "poetry"
 
     - name: Install package
       run: poetry install --all-extras
@@ -50,4 +44,4 @@ jobs:
       run: poetry run mypy rigging
 
     - name: Test
-      run: poetry run pytest
+      run: poetry run pytest

.github/workflows/docs-update.yaml

@@ -0,0 +1,41 @@
+---
+name: Notify Documentation Update
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - ".hooks/generate_docs.py"
+      - ".github/workflows/docs-update.yaml"
+  workflow_dispatch:
+
+jobs:
+  notify-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: ${{ vars.UPDATE_DOCS_APP_ID }}
+          private-key: ${{ secrets.UPDATE_DOCS_PRIVATE_KEY }}
+          owner: "${{ github.repository_owner }}"
+          repositories: |
+            sdk
+            prod-docs
+
+      - name: Trigger docs repository workflow
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          repository: dreadnode/prod-docs
+          event-type: code-update
+          client-payload: |
+            {
+              "repository": "${{ github.repository }}",
+              "ref": "${{ github.ref }}",
+              "sha": "${{ github.sha }}",
+              "source_dir": "docs",
+              "target_dir": "open-source/rigging",
+              "nav_target": "Open Source/Rigging"
+            }

.github/workflows/publish.yml

@@ -1,3 +1,4 @@
+---
 name: Build and Publish
 
 on:
@@ -46,4 +47,4 @@ jobs:
         run: poetry build
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@e9ccbe5a211ba3e8363f472cae362b56b104e796
+        uses: pypa/gh-action-pypi-publish@e9ccbe5a211ba3e8363f472cae362b56b104e796

.github/workflows/rigging_pr_description.yml

@@ -1,3 +1,4 @@
+---
 name: Update PR Description with Rigging
 
 on:
@@ -31,22 +32,23 @@ jobs:
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
         run: |
-          DESCRIPTION=$(uv run --no-project .github/scripts/generate_pr_description.py --base-ref origin/${{ github.base_ref }} --exclude *.lock)
-          echo "description<<EOF" >> $GITHUB_OUTPUT
-          echo "$DESCRIPTION" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+          DESCRIPTION="$(uv run --no-project .hooks/generate_pr_description.py --base-ref "origin/${{ github.base_ref }}" --exclude "./*.lock")"
+          {
+            echo "description<<EOF"
+            echo "${DESCRIPTION}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
 
       - name: Update PR Description
         uses: nefrob/pr-description@4dcc9f3ad5ec06b2a197c5f8f93db5e69d2fdca7 # v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           content: |
-            
+
             ---
-            
+
             ## Generated Summary
 
             ${{ steps.description.outputs.description }}
 
             This summary was generated with ❤️ by [rigging](https://docs.dreadnode.io/rigging/)
-          

.github/workflows/semantic-prs.yaml

@@ -0,0 +1,23 @@
+---
+name: "Semantic Lints PR"
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+permissions:
+  pull-requests: read
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semgrep.yaml

@@ -0,0 +1,62 @@
+---
+name: Semgrep Analysis
+on:
+  merge_group:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - synchronize
+      - reopened
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "0 0 * * *" # Run daily at midnight UTC
+
+concurrency:
+  group: pre-commit-${{ github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  pull-requests: write # Allows merge queue updates
+  security-events: write # Required for GitHub Security tab
+
+jobs:
+  semgrep:
+    name: Semgrep Analysis
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - name: Set up git repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Git Safe Directory
+        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+
+      - name: Semgrep Analysis
+        env:
+          SEMGREP_RULES: >-
+            p/python
+            p/security-audit
+            p/secrets
+            p/owasp-top-ten
+            p/supply-chain
+          SEMGREP_TIMEOUT: 300 # 5-minute timeout per rule
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          semgrep ci \
+            --config="${SEMGREP_RULES}" \
+            --timeout="${SEMGREP_TIMEOUT}" \
+            --sarif --output=semgrep-results.sarif

.github/workflows/template-sync.yaml

@@ -0,0 +1,77 @@
+---
+name: Template Sync
+on:
+  # checkov:skip=CKV_GHA_7: "Workflow dispatch inputs are required for manual debugging and configuration"
+  workflow_dispatch:
+    inputs:
+      dryRun:
+        description: Dry Run
+        default: "false"
+        required: false
+      logLevel:
+        description: Log Level
+        default: "debug"
+        required: false
+
+  schedule:
+    # Run on the 1st of every month at 00:00 UTC
+    - cron: "0 0 1 * *"
+
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/**"
+      - ".hooks/**"
+      - ".pre-commit-config.yaml"
+      - ".mdlrc"
+      - ".editorconfig"
+      - "Taskfile.yaml"
+      - ".task/**"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.run_number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  template-sync:
+    name: Template Sync
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          owner: "${{ github.repository_owner }}"
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+
+      - name: Template Sync
+        uses: AndreasAugustin/actions-template-sync@v2
+        with:
+          source_gh_token: ${{ steps.app-token.outputs.token }}
+          git_user_name: github-actions[bot]
+          git_user_email: github-actions[bot]@users.noreply.github.com
+          pr_title: "chore: sync infrastructure files with template"
+          pr_labels: sync,template
+          pr_body: |
+            🤖 A new version of the python template files is available.
+
+            This PR was automatically created to sync the following:
+            - GitHub Actions workflows
+            - Pre-commit hooks and configs
+            - Task definitions
+            - Editor configs and linter rules
+
+            Please review the changes carefully before merging.
+          source_repo_path: dreadnode/python-template
+          steps: "prechecks,pull,commit,push,pr"
+          upstream_branch: main

.gitignore

@@ -167,4 +167,4 @@ cython_debug/
 
 # macos
 .DS_Store
-.AppleDouble
+.AppleDouble