Some workflow updates

Author: monoxgas

.github/workflows/ci.yml

@@ -20,11 +20,6 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
 
-    - name: Setup Python ${{ matrix.python-version }}
-      uses: actions/setup-python@5db1cf9a59fb97c40a68accab29236f0da7e94db
-      with:
-        python-version: ${{ matrix.python-version }}
-
     - name: Install Poetry
       uses: abatilo/actions-poetry@b8f6fe29ba2eb78e0d45ccbf41cd14154c4e25b2
 
@@ -33,13 +28,11 @@ jobs:
         poetry config virtualenvs.create true --local
         poetry config virtualenvs.in-project true --local
 
-    - name: Cache dependencies
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    - name: Setup Python ${{ matrix.python-version }}
+      uses: actions/setup-python@5db1cf9a59fb97c40a68accab29236f0da7e94db
       with:
-        path: ./.venv
-        key: venv-${{ runner.os }}-py${{ matrix.python-version }}-${{ hashFiles('poetry.lock') }}
-        restore-keys: |
-          venv-${{ runner.os }}-py${{ matrix.python-version }}-
+        python-version: ${{ matrix.python-version }}
+        cache: "poetry"
 
     - name: Install package
       run: poetry install --all-extras

.github/workflows/semantic-prs.yaml

@@ -0,0 +1,23 @@
+---
+name: "Semantic Lints PR"
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+permissions:
+  pull-requests: read
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semgrep.yaml

@@ -0,0 +1,62 @@
+---
+name: Semgrep Analysis
+on:
+  merge_group:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - synchronize
+      - reopened
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "0 0 * * *" # Run daily at midnight UTC
+
+concurrency:
+  group: pre-commit-${{ github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  pull-requests: write # Allows merge queue updates
+  security-events: write # Required for GitHub Security tab
+
+jobs:
+  semgrep:
+    name: Semgrep Analysis
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - name: Set up git repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Git Safe Directory
+        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+
+      - name: Semgrep Analysis
+        env:
+          SEMGREP_RULES: >-
+            p/python
+            p/security-audit
+            p/secrets
+            p/owasp-top-ten
+            p/supply-chain
+          SEMGREP_TIMEOUT: 300 # 5-minute timeout per rule
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          semgrep ci \
+            --config="${SEMGREP_RULES}" \
+            --timeout="${SEMGREP_TIMEOUT}" \
+            --sarif --output=semgrep-results.sarif

.github/workflows/template-sync.yaml

@@ -0,0 +1,77 @@
+---
+name: Template Sync
+on:
+  # checkov:skip=CKV_GHA_7: "Workflow dispatch inputs are required for manual debugging and configuration"
+  workflow_dispatch:
+    inputs:
+      dryRun:
+        description: Dry Run
+        default: "false"
+        required: false
+      logLevel:
+        description: Log Level
+        default: "debug"
+        required: false
+
+  schedule:
+    # Run on the 1st of every month at 00:00 UTC
+    - cron: "0 0 1 * *"
+
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/**"
+      - ".hooks/**"
+      - ".pre-commit-config.yaml"
+      - ".mdlrc"
+      - ".editorconfig"
+      - "Taskfile.yaml"
+      - ".task/**"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.run_number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  template-sync:
+    name: Template Sync
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          owner: "${{ github.repository_owner }}"
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+
+      - name: Template Sync
+        uses: AndreasAugustin/actions-template-sync@v2
+        with:
+          source_gh_token: ${{ steps.app-token.outputs.token }}
+          git_user_name: github-actions[bot]
+          git_user_email: github-actions[bot]@users.noreply.github.com
+          pr_title: "chore: sync infrastructure files with template"
+          pr_labels: sync,template
+          pr_body: |
+            🤖 A new version of the python template files is available.
+
+            This PR was automatically created to sync the following:
+            - GitHub Actions workflows
+            - Pre-commit hooks and configs
+            - Task definitions
+            - Editor configs and linter rules
+
+            Please review the changes carefully before merging.
+          source_repo_path: dreadnode/python-template
+          steps: "prechecks,pull,commit,push,pr"
+          upstream_branch: main

…ithub/scripts/generate_pr_description.py .hooks/generate_pr_description.py.github/scripts/generate_pr_description.py renamed to .hooks/generate_pr_description.py .github/scripts/generate_pr_description.py renamed to .hooks/generate_pr_description.py

@@ -66,7 +66,7 @@ def main(
     base_ref: str = "origin/main",
     source_ref: str = "HEAD",
     generator_id: str = "openai/gpt-4o-mini",
-    max_diff_lines: int = 1000,
+    max_diff_lines: int = 10_000,
     exclude: list[str] | None = None,
 ) -> None:
     """