rhiza 0.5.6__tar.gz → 0.6.0__tar.gz

rhiza-0.6.0/.github/dependabot.yml

@@ -0,0 +1,59 @@
+# This file is part of the jebel-quant/rhiza repository
+# (https://github.com/jebel-quant/rhiza).
+#
+# Configuration: Dependabot
+#
+# Purpose: Automate dependency updates for Python packages, GitHub Actions, and Docker images.
+#
+# Documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Python dependencies (pip/pyproject.toml)
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+      timezone: "Asia/Dubai"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "python"
+    commit-message:
+      prefix: "chore(deps)"
+      prefix-development: "chore(deps-dev)"
+      include: "scope"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+      timezone: "Asia/Dubai"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+
+  # Docker
+  - package-ecosystem: "docker"
+    directory: "/docker"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+      timezone: "Asia/Dubai"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"

{rhiza-0.5.6/.github → rhiza-0.6.0/.github/rhiza}/copilot-instructions.md

@@ -125,7 +125,7 @@ The project uses pre-commit hooks that run automatically on commit:
 
 The CLI uses Typer for command definitions. Commands are thin wrappers in `cli.py` that delegate to implementations in `rhiza.commands.*`:
 
-- `init`: Initialize or validate `.github/template.yml`
+- `init`: Initialize or validate `.github/rhiza/template.yml`
 - `materialize` (alias `inject`): Apply templates to a target repository
 - `validate`: Validate template configuration
 
@@ -178,9 +178,9 @@ See `pyproject.toml` for complete list. Key dev dependencies:
 ```python
 from pathlib import Path
 
-target = Path(".")  # Use Path objects, not strings
+target = Path("..")  # Use Path objects, not strings
 if target.exists():
-    # Do something
+# Do something
 ```
 
 ### Logging
@@ -229,14 +229,14 @@ def safe_operation(path: Path):
     try:
         # Normalize path to prevent traversal
         path = path.resolve()
-        
+
         if not path.exists():
             logger.error(f"Path does not exist: {path}")
             raise FileNotFoundError(f"Path not found: {path}")
-            
+
         # Perform operation
         return True
-        
+
     except PermissionError as e:
         logger.error(f"Permission denied: {e}")
         raise
@@ -275,7 +275,7 @@ from loguru import logger
 
 def my_new_command(target: Path):
     """Execute the new command.
-    
+
     Parameters
     ----------
     target:

{rhiza-0.5.6/.github → rhiza-0.6.0/.github/rhiza}/template.yml

@@ -1,6 +1,6 @@
 template-repository: "jebel-quant/rhiza"
 template-branch: "main"
-include: 
+include:
     - .github
     - tests
     - .editorconfig
@@ -11,6 +11,8 @@ include:
     - Makefile
     - ruff.toml
     - pytest.ini
+    - presentation
+    - book
 exclude:
     - .github/workflows/docker.yml
     - .github/workflows/devcontainer.yml

{rhiza-0.5.6 → rhiza-0.6.0}/.github/scripts/book.sh

@@ -21,12 +21,15 @@ printf "%b[INFO] Create empty _book folder...%b\n" "$BLUE" "$RESET"
 mkdir -p _book
 
 # Start building links.json content without jq
+# We manually construct JSON by concatenating strings
+# This avoids the dependency on jq while maintaining valid JSON output
 LINKS_ENTRIES=""
 
 printf "%b[INFO] Copy API docs...%b\n" "$BLUE" "$RESET"
 if [ -f _pdoc/index.html ]; then
   mkdir -p _book/pdoc
   cp -r _pdoc/* _book/pdoc
+  # Start building JSON entries - first entry doesn't need a comma prefix
   LINKS_ENTRIES='"API": "./pdoc/index.html"'
 fi
 
@@ -34,6 +37,7 @@ printf "%b[INFO] Copy coverage report...%b\n" "$BLUE" "$RESET"
 if [ -f _tests/html-coverage/index.html ]; then
   mkdir -p _book/tests/html-coverage
   cp -r _tests/html-coverage/* _book/tests/html-coverage
+  # Add comma separator if there are existing entries
   if [ -n "$LINKS_ENTRIES" ]; then
     LINKS_ENTRIES="$LINKS_ENTRIES, \"Coverage\": \"./tests/html-coverage/index.html\""
   else
@@ -71,9 +75,12 @@ else
 fi
 
 # Write final links.json
+# Wrap the accumulated entries in JSON object syntax
 if [ -n "$LINKS_ENTRIES" ]; then
+  # If we have entries, create a proper JSON object with them
   printf '{%s}\n' "$LINKS_ENTRIES" > _book/links.json
 else
+  # If no entries were found, create an empty JSON object
   printf '{}\n' > _book/links.json
 fi
 

{rhiza-0.5.6 → rhiza-0.6.0}/.github/scripts/bump.sh

@@ -90,7 +90,8 @@ do_bump() {
     4)
       printf "Enter version: "
       read -r VERSION
-      # Strip 'v' prefix if present
+      # Strip 'v' prefix if present (e.g., "v1.2.3" becomes "1.2.3")
+      # This ensures consistency since uv expects semantic versions without 'v'
       VERSION=$(echo "$VERSION" | sed 's/^v//')
       ;;
     *)
@@ -100,6 +101,7 @@ do_bump() {
   esac
 
   # Get current branch
+  # Using git rev-parse to get the symbolic name of HEAD (current branch)
   CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
   if [ -z "$CURRENT_BRANCH" ]; then
     printf "%b[ERROR] Could not determine current branch%b\n" "$RED" "$RESET"
@@ -107,6 +109,8 @@ do_bump() {
   fi
 
   # Determine default branch
+  # Query remote to find the default branch (e.g., 'main' or 'master')
+  # This ensures we warn users if they're bumping version on a non-default branch
   DEFAULT_BRANCH=$(git remote show origin | grep 'HEAD branch' | cut -d' ' -f5)
   if [ -z "$DEFAULT_BRANCH" ]; then
     printf "%b[ERROR] Could not determine default branch from remote%b\n" "$RED" "$RESET"
@@ -123,7 +127,9 @@ do_bump() {
   printf "%b[INFO] Current version: %s%b\n" "$BLUE" "$CURRENT_VERSION" "$RESET"
 
   # Determine the new version using uv version with --dry-run first
+  # Using --dry-run ensures we validate the version change before applying it
   if [ -n "$TYPE" ]; then
+    # For bump types (patch/minor/major), calculate what the new version will be
     printf "%b[INFO] Bumping version using: %s%b\n" "$BLUE" "$TYPE" "$RESET"
     NEW_VERSION=$("$UV_BIN" version --bump "$TYPE" --dry-run --short 2>/dev/null)
     if [ $? -ne 0 ] || [ -z "$NEW_VERSION" ]; then
@@ -131,7 +137,8 @@ do_bump() {
       exit 1
     fi
   else
-    # Validate the version format by having uv try it with --dry-run
+    # For explicit versions, validate the format using dry-run mode
+    # This catches invalid semver formats before we modify pyproject.toml
     if ! "$UV_BIN" version "$VERSION" --dry-run >/dev/null 2>&1; then
       printf "%b[ERROR] Invalid version format: %s%b\n" "$RED" "$VERSION" "$RESET"
       printf "uv rejected this version. Please use a valid semantic version.\n"
@@ -145,11 +152,15 @@ do_bump() {
   TAG="v$NEW_VERSION"
 
   # Check if tag already exists
+  # Prevent creating duplicate tags by checking both local and remote repositories
+  # git rev-parse succeeds if the tag exists locally
   if git rev-parse "$TAG" >/dev/null 2>&1; then
     printf "%b[ERROR] Tag '%s' already exists locally%b\n" "$RED" "$TAG" "$RESET"
     exit 1
   fi
 
+  # git ls-remote checks if the tag exists on the remote repository
+  # --exit-code returns 2 if the ref is not found, which we want
   if git ls-remote --exit-code --tags origin "refs/tags/$TAG" >/dev/null 2>&1; then
     printf "%b[ERROR] Tag '%s' already exists on remote%b\n" "$RED" "$TAG" "$RESET"
     exit 1
@@ -201,7 +212,9 @@ do_bump() {
 
     printf "%b[INFO] Committing version change...%b\n" "$BLUE" "$RESET"
     git add pyproject.toml
-    git add uv.lock 2>/dev/null || true  # In case uv modifies the lock file
+    # Add uv.lock if it exists and was modified (uv may update it during version bump)
+    # Using || true ensures the script continues even if uv.lock doesn't exist
+    git add uv.lock 2>/dev/null || true
     git commit -m "$COMMIT_MSG"
 
     printf "%b[SUCCESS] Version committed with message: '%s'%b\n" "$GREEN" "$COMMIT_MSG" "$RESET"

{rhiza-0.5.6 → rhiza-0.6.0}/.github/scripts/marimushka.sh

@@ -24,8 +24,11 @@ fi
 mkdir -p "$MARIMUSHKA_OUTPUT"
 
 # Discover .py files (top-level only) using globbing; handle no-match case
+# Using shell globbing to find all .py files in the notebook folder
+# The set command expands the glob pattern; if no files match, the pattern itself is returned
 set -- "$MARIMO_FOLDER"/*.py
 if [ "$1" = "$MARIMO_FOLDER/*.py" ]; then
+  # No Python files found - the glob pattern didn't match any files
   printf "%b[WARN] No Python files found in '%s'.%b\n" "$YELLOW" "$MARIMO_FOLDER" "$RESET"
   # Create a minimal index.html indicating no notebooks
   printf '<html><head><title>Marimo Notebooks</title></head><body><h1>Marimo Notebooks</h1><p>No notebooks found.</p></body></html>' > "$MARIMUSHKA_OUTPUT/index.html"
@@ -37,13 +40,17 @@ CURRENT_DIR=$(pwd)
 OUTPUT_DIR="$CURRENT_DIR/$MARIMUSHKA_OUTPUT"
 
 # Resolve UVX_BIN to absolute path if it's a relative path (contains / but doesn't start with /)
+# This is necessary because we'll change directory later and need absolute paths
+# Case 1: Already absolute (starts with /) - no change needed
+# Case 2: Relative path with / (e.g., ./bin/uvx) - convert to absolute
+# Case 3: Command name only (e.g., uvx) - leave as-is to search in PATH
 case "$UVX_BIN" in
   /*) ;;
   */*) UVX_BIN="$CURRENT_DIR/$UVX_BIN" ;;
   *) ;;
 esac
 
-# Resolve UV_BIN to absolute path
+# Resolve UV_BIN to absolute path using the same logic
 case "$UV_BIN" in
   /*) ;;
   */*) UV_BIN="$CURRENT_DIR/$UV_BIN" ;;
@@ -51,13 +58,20 @@ case "$UV_BIN" in
 esac
 
 # Derive UV_INSTALL_DIR from UV_BIN
+# This directory is passed to marimushka so it can find uv for processing notebooks
 UV_INSTALL_DIR=$(dirname "$UV_BIN")
 
 # Change to the notebook directory to ensure relative paths in notebooks work correctly
+# Marimo notebooks may contain relative imports or file references
 cd "$MARIMO_FOLDER"
 
 # Run marimushka export
+# - --notebooks: directory containing .py notebooks
+# - --output: where to write HTML files
+# - --bin-path: where marimushka can find the uv binary for processing
 "$UVX_BIN" "marimushka>=0.1.9" export --notebooks "." --output "$OUTPUT_DIR" --bin-path "$UV_INSTALL_DIR"
 
 # Ensure GitHub Pages does not process with Jekyll
+# The : command is a no-op that creates an empty file
+# .nojekyll tells GitHub Pages to serve files as-is without Jekyll processing
 : > "$OUTPUT_DIR/.nojekyll"

{rhiza-0.5.6 → rhiza-0.6.0}/.github/scripts/release.sh

@@ -134,29 +134,39 @@ do_release() {
   fi
 
   # Check if branch is up-to-date with remote
+  # This prevents releasing from an out-of-sync branch which could miss commits or conflict
   printf "%b[INFO] Checking remote status...%b\n" "$BLUE" "$RESET"
   git fetch origin >/dev/null 2>&1
+  # Get the upstream tracking branch (e.g., origin/main)
   UPSTREAM=$(git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null)
   if [ -z "$UPSTREAM" ]; then
     printf "%b[ERROR] No upstream branch configured for %s%b\n" "$RED" "$CURRENT_BRANCH" "$RESET"
     exit 1
   fi
   
+  # Compare local, remote, and merge-base commits to determine sync status
+  # LOCAL: current commit on local branch
+  # REMOTE: current commit on remote tracking branch
+  # BASE: most recent common ancestor between local and remote
   LOCAL=$(git rev-parse @)
   REMOTE=$(git rev-parse "$UPSTREAM")
   BASE=$(git merge-base @ "$UPSTREAM")
   
+  # Use git revision comparison to detect branch status
   if [ "$LOCAL" != "$REMOTE" ]; then
     if [ "$LOCAL" = "$BASE" ]; then
+        # Local is behind remote (need to pull)
         printf "%b[ERROR] Your branch is behind '%s'. Please pull changes.%b\n" "$RED" "$UPSTREAM" "$RESET"
         exit 1
     elif [ "$REMOTE" = "$BASE" ]; then
+        # Local is ahead of remote (need to push)
         printf "%b[WARN] Your branch is ahead of '%s'.%b\n" "$YELLOW" "$UPSTREAM" "$RESET"
         printf "Unpushed commits:\n"
         git log --oneline --graph --decorate "$UPSTREAM..HEAD"
         prompt_continue "Push changes to remote before releasing?"
         git push origin "$CURRENT_BRANCH"
     else
+        # Branches have diverged (need to merge or rebase)
         printf "%b[ERROR] Your branch has diverged from '%s'. Please reconcile.%b\n" "$RED" "$UPSTREAM" "$RESET"
         exit 1
     fi
@@ -182,7 +192,9 @@ do_release() {
     printf "Creating tag '%s' for version %s\n" "$TAG" "$CURRENT_VERSION"
     prompt_continue ""
     
-    # check for gpg signing config
+    # Check if GPG signing is configured for git commits/tags
+    # If user.signingkey is set or commit.gpgsign is true, create a signed tag
+    # Signed tags provide cryptographic verification of release authenticity
     if git config --get user.signingkey >/dev/null 2>&1 || [ "$(git config --get commit.gpgsign)" = "true" ]; then
       printf "%b[INFO] GPG signing is enabled. Creating signed tag.%b\n" "$BLUE" "$RESET"
       git tag -s "$TAG" -m "Release $TAG"
@@ -197,17 +209,22 @@ do_release() {
   printf "\n%b=== Step 2: Push Tag to Remote ===%b\n" "$BLUE" "$RESET"
   printf "Pushing tag '%s' to origin will trigger the release workflow.\n" "$TAG"
   
-  # Show what commits are in this tag
+  # Show what commits are in this tag compared to the last tag
+  # This helps users understand what changes are included in the release
   LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
   if [ -n "$LAST_TAG" ] && [ "$LAST_TAG" != "$TAG" ]; then
+    # Count commits between last tag and current tag
     COMMIT_COUNT=$(git rev-list "$LAST_TAG..$TAG" --count 2>/dev/null || echo "0")
     printf "Commits since %s: %s\n" "$LAST_TAG" "$COMMIT_COUNT"
   fi
   
   prompt_continue ""
   
+  # Push only the specific tag (not all tags) to trigger the release workflow
   git push origin "refs/tags/$TAG"
   
+  # Extract repository name from remote URL for constructing GitHub Actions link
+  # Converts git@github.com:user/repo.git or https://github.com/user/repo.git to user/repo
   REPO_URL=$(git remote get-url origin | sed 's/.*github.com[:/]\(.*\)\.git/\1/')
   printf "\n%b[SUCCESS] Release tag %s pushed to remote!%b\n" "$GREEN" "$TAG" "$RESET"
   printf "%b[INFO] The release workflow will now be triggered automatically.%b\n" "$BLUE" "$RESET"

{rhiza-0.5.6 → rhiza-0.6.0}/.github/scripts/update-readme-help.sh

@@ -15,6 +15,8 @@ HELP_TEMP=$(mktemp)
 
 # Generate the help output from Makefile
 # Strip ANSI color codes and filter out make[1] directory messages
+# The sed command removes ANSI escape sequences (color codes) from the output
+# The grep commands filter out make's directory change messages
 make help 2>/dev/null | \
     sed 's/\x1b\[[0-9;]*m//g' | \
     grep -v "^make\[" | \
@@ -25,6 +27,8 @@ make help 2>/dev/null | \
 # Using a temporary file to avoid awk escaping issues
 # Temporarily disable exit-on-error to handle pattern not found gracefully
 set +e
+# The awk script processes the README.md file to find and replace the help section
+# It looks for the marker pattern, preserves the structure, and inserts updated help text
 awk -v helpfile="$HELP_TEMP" '
 BEGIN {
     in_help_block = 0
@@ -32,6 +36,7 @@ BEGIN {
 }
 
 # Detect start of help output block
+# This marker indicates where the Makefile help output should be inserted
 /^Run `make help` to see all available targets:$/ {
     print
     pattern_found = 1
@@ -40,6 +45,7 @@ BEGIN {
         print
     }
     getline
+    # If we find the code fence, start replacing the content
     if ($0 ~ /^```makefile$/) {
         print "```makefile"
         # Read and print help output from file
@@ -53,22 +59,26 @@ BEGIN {
 }
 
 # Skip lines inside the old help block
+# Once we hit the closing code fence, we stop skipping lines
 in_help_block == 1 && /^```$/ {
     print "```"
     in_help_block = 0
     next
 }
 
+# Continue skipping lines that are part of the old help output
 in_help_block == 1 {
     next
 }
 
-# Print all other lines
+# Print all other lines (outside the help block) unchanged
 {
     print
 }
 
 END {
+    # If we never found the pattern, notify but don'\''t fail
+    # This allows the script to work even if README structure changes
     if (pattern_found == 0) {
         print "INFO: No help section marker found in README.md - skipping update" > "/dev/stderr"
         exit 2
@@ -77,6 +87,8 @@ END {
 ' "$README_FILE" > "$TEMP_FILE"
 
 # Check if awk succeeded or pattern was not found
+# Exit code 2 means the pattern wasn't found (not an error)
+# Other non-zero codes indicate genuine errors
 awk_status=$?
 set -e
 if [ $awk_status -eq 2 ]; then

{rhiza-0.5.6 → rhiza-0.6.0}/.github/workflows/release.yml

@@ -7,7 +7,7 @@
 #
 # 📋 Pipeline Phases:
 #   1. 🔍 Validate Tag - Check tag format and ensure release doesn't already exist
-#   2. 🏗️  Build - Build Python package with Hatch (if pyproject.toml exists)
+#   2. 🏗️  Build - Build Python package with Hatch (if [build-system] is defined in pyproject.toml
 #   3. 📝 Draft Release - Create draft GitHub release with build artifacts
 #   4. 🚀 Publish to PyPI - Publish package using OIDC or custom feed
 #   5. 🐳 Publish Devcontainer - Build and publish devcontainer image (conditional)
@@ -76,7 +76,6 @@ jobs:
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          ref: ${{ github.ref }}
 
       - name: Set Tag Variable
         id: set_tag
@@ -130,16 +129,24 @@ jobs:
           fi
           echo "Version verified: $PROJECT_VERSION matches tag"
 
+      - name: Detect buildable Python package
+        id: buildable
+        run: |
+          if [[ -f pyproject.toml ]] && grep -q '^\[build-system\]' pyproject.toml; then
+            echo "buildable=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "buildable=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Build
-        if: hashFiles('pyproject.toml') != ''
+        if: steps.buildable.outputs.buildable == 'true'
         run: |
           printf "[INFO] Building package...\n"
           uvx hatch build
 
 
       - name: Upload dist artifact
-        # not tested at runtime!
-        if: hashFiles('pyproject.toml') != ''
+        if: steps.buildable.outputs.buildable == 'true'
         uses: actions/upload-artifact@v6
         with:
           name: dist
@@ -174,7 +181,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          ref: ${{ github.ref }}
+          #ref: ${{ github.ref }}
 
       - name: Download dist artifact
         uses: actions/download-artifact@v7

{rhiza-0.5.6 → rhiza-0.6.0}/.github/workflows/scripts/version_matrix.py

@@ -24,18 +24,25 @@ def supported_versions() -> list[str]:
     Returns:
         list[str]: The supported versions (e.g., ["3.11", "3.12"]).
     """
+    # Load pyproject.toml using the tomllib standard library (Python 3.11+)
     with PYPROJECT.open("rb") as f:
         data = tomllib.load(f)
 
+    # Extract the requires-python field from project metadata
+    # This specifies the Python version constraint (e.g., ">=3.11")
     spec_str = data.get("project", {}).get("requires-python")
     if not spec_str:
         msg = "pyproject.toml: missing 'project.requires-python'"
         raise KeyError(msg)
 
+    # Parse the version specifier (e.g., ">=3.11,<3.14")
     spec = SpecifierSet(spec_str)
 
+    # Filter candidate versions to find which ones satisfy the constraint
     versions: list[str] = []
     for v in CANDIDATES:
+        # packaging.version.Version parses the version string
+        # The 'in' operator checks if the version satisfies the specifier
         if Version(v) in spec:
             versions.append(v)
 
@@ -47,6 +54,9 @@ def supported_versions() -> list[str]:
 
 
 if __name__ == "__main__":
+    # Check if pyproject.toml exists in the expected location
+    # If it exists, use it to determine supported versions
+    # Otherwise, fall back to returning all candidates (for edge cases)
     if PYPROJECT.exists():
         print(json.dumps(supported_versions()))
     else:

{rhiza-0.5.6 → rhiza-0.6.0}/.github/workflows/scripts/version_max.py

@@ -24,17 +24,22 @@ def max_supported_version() -> str:
     Returns:
         str: The maximum Python version (e.g., "3.13") satisfying the spec.
     """
+    # Load and parse pyproject.toml
     with PYPROJECT.open("rb") as f:
         data = tomllib.load(f)
 
+    # Extract and validate the requires-python constraint
     spec_str = data.get("project", {}).get("requires-python")
     if not spec_str:
         msg = "pyproject.toml: missing 'project.requires-python'"
         raise KeyError(msg)
 
+    # Create a SpecifierSet to check version compatibility
     spec = SpecifierSet(spec_str)
     max_version = None
 
+    # Iterate through candidates in order (ascending)
+    # The last matching version will be the maximum
     for v in CANDIDATES:
         if Version(v) in spec:
             max_version = v
@@ -47,6 +52,9 @@ def max_supported_version() -> str:
 
 
 if __name__ == "__main__":
+    # Check if pyproject.toml exists at the expected location
+    # If found, determine max version from requires-python
+    # Otherwise, default to 3.13 (latest stable as of this code)
     if PYPROJECT.exists():
         print(json.dumps(max_supported_version()))
     else:

rhiza-0.6.0/.github/workflows/security.yml

@@ -0,0 +1,23 @@
+name: SECURITY
+
+permissions:
+  contents: read
+  security-events: write
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+# Add to .github/workflows/security.yml (partial example)
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    if: github.repository_visibility != 'private'
+    steps:
+      - uses: actions/checkout@v6
+      - uses: github/codeql-action/init@v4
+        with:
+          languages: python
+      - uses: github/codeql-action/autobuild@v4
+      - uses: github/codeql-action/analyze@v4

rhiza-0.6.0/.github/workflows/sync.yml

@@ -0,0 +1,91 @@
+name: RHIZA SYNC
+# This workflow synchronizes the repository with its template.
+# IMPORTANT: When workflow files (.github/workflows/*.yml) are modified,
+# a Personal Access Token (PAT) with 'workflow' scope is required.
+# The PAT_TOKEN secret must be set in repository secrets.
+# See .github/TOKEN_SETUP.md for setup instructions.
+
+permissions:
+  contents: write
+  pull-requests: write
+
+on:
+  workflow_dispatch:
+    inputs:
+      create-pr:
+        description: "Create a pull request"
+        type: boolean
+        default: true
+  schedule:
+    - cron: '0 0 * * 1'  # Weekly on Monday
+
+jobs:
+  sync:
+    if: ${{ github.repository != 'jebel-quant/rhiza' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.PAT_TOKEN || github.token }}
+          fetch-depth: 0
+
+      - name: Define sync branch name
+        id: branch
+        run: |
+          echo "name=rhiza/${{ github.run_id }}" >> "$GITHUB_OUTPUT"
+
+      - name: Check PAT_TOKEN configuration
+        shell: bash
+        env:
+          PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
+        run: |
+          if [ -z "$PAT_TOKEN" ]; then
+            echo "::warning::PAT_TOKEN secret is not configured."
+            echo "::warning::If this sync modifies workflow files, the push will fail."
+            echo "::warning::See .github/TOKEN_SETUP.md for setup instructions."
+          else
+            echo "✓ PAT_TOKEN is configured."
+          fi
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Sync template
+        id: sync
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          uvx rhiza materialize --force .
+
+          git add -A
+
+          if git diff --cached --quiet; then
+            echo "changes_detected=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "changes_detected=true" >> "$GITHUB_OUTPUT"
+
+          git config user.name  "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          git commit -m "chore: Update via rhiza"
+          
+      - name: Create pull request
+        if: >
+          (github.event_name == 'schedule' || inputs.create-pr == true)
+          && steps.sync.outputs.changes_detected == 'true'
+        uses: peter-evans/create-pull-request@v8
+        with:
+          token: ${{ secrets.PAT_TOKEN || github.token }}
+          base: ${{ github.event.repository.default_branch }}
+          branch: ${{ steps.branch.outputs.name }}
+          delete-branch: true
+          title: "chore: Sync with rhiza"
+          body: |
+            This pull request synchronizes the repository with its template.
+
+            Changes were generated automatically using **rhiza**.