@dguido dguido commented Jan 26, 2026

Summary

  • Bump minimum Python version to 3.11 (removes 3.10 from CI matrix)
  • Add security pre-commit hooks: shellcheck, actionlint, zizmor
  • Stricter ruff config: src path for first-party imports, docstring-code-format
  • Stricter coverage: branch coverage enabled, standard exclude patterns
  • Add pip-audit dependency group for vulnerability scanning

Test plan

  • Generated CLI project passes make lint && make test
  • Generated library project passes make lint && make test
  • Pre-commit hooks run successfully (actionlint, zizmor verified)
  • Branch coverage appears in test output
  • uv run pip-audit runs successfully

🤖 Generated with Claude Code

- Bump minimum Python to 3.11, remove 3.10 from CI matrix
- Add security pre-commit hooks: shellcheck, actionlint, zizmor
- Add ruff src path and docstring-code-format settings
- Enable branch coverage with standard exclude patterns
- Add pip-audit dependency group for vulnerability scanning

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

# Shell script linting
- repo: https://github.com/koalaman/shellcheck-precommit
rev: v0.11.0
@Ninja3047 Ninja3047 Jan 26, 2026
There should be a plan for keeping these up to date.
Dependabot doesn't appear to support keeping these up to date AFAICT, although it might be coming soon: dependabot/dependabot-core#1524, dependabot/dependabot-core#13977

Also, these should probably be frozen to the git hash with a comment of what the version is, similar to what's being done in the GitHub Actions, to mitigate supply chain attacks.
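A check for the pinning practice suggested above, as an added example (not code from the repository or its author): it scans a `.pre-commit-config.yaml` and flags any `rev:` that is a tag or branch rather than a full commit SHA, or a SHA that carries no version comment. The config text is constructed, the second and third repo URLs are placeholders, and the matching is line-based rather than a full YAML parse.

```python
import re
from typing import List, Tuple

# Constructed sample .pre-commit-config.yaml. The first hook is pinned to a
# mutable tag (the form under review above); the second to an immutable commit
# SHA with the version noted in a trailing comment, GitHub-Actions style; the
# third to a SHA with no comment. The last two repo URLs are placeholders.
SAMPLE_CONFIG = """\
repos:
  # Shell script linting
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
    hooks:
      - id: shellcheck
  - repo: https://github.com/example-org/example-hook
    rev: 0123456789abcdef0123456789abcdef01234567  # v1.2.3
    hooks:
      - id: example-hook
  - repo: https://github.com/example-org/other-hook
    rev: 89abcdef0123456789abcdef0123456789abcdef
    hooks:
      - id: other-hook
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures the rev value (optionally quoted) and any trailing "# comment".
REV_RE = re.compile(r"""^\s*rev:\s*['"]?([^\s'"#]+)['"]?\s*(#\s*(\S.*))?$""")
REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")


def find_unpinned_hooks(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (repo, rev, problem) for each hook repo whose rev is not a full
    commit SHA, or is a SHA without a version comment. `repo: local` entries
    have no rev and are skipped naturally."""
    problems = []
    repo = "<unknown>"
    for line in config_text.splitlines():
        m = REPO_RE.match(line)
        if m:
            repo = m.group(1)
            continue
        m = REV_RE.match(line)
        if not m:
            continue
        rev, comment = m.group(1), m.group(3)
        if not SHA_RE.match(rev):
            problems.append((repo, rev, "rev is a mutable tag/branch, not a commit SHA"))
        elif not comment:
            problems.append((repo, rev, "SHA pinned but no version comment"))
    return problems
```

Run it against the real config in CI (or as a local hook) and fail the job when the returned list is non-empty.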

@Ninja3047 Ninja3047 Jan 26, 2026
Turns out prek has this using https://prek.j178.dev/cli/#prek-auto-update, so we just need to add it as a workflow.

@Ninja3047 Ninja3047 Jan 26, 2026
Alright, Claude implemented a simple auto-updater in this commit: 79a8adf
But we need to configure a GitHub App ID and secret and have it set org-wide.

Instructions on how to do that are here:
https://github.com/actions/create-github-app-token?tab=readme-ov-file#usage
