rhiza 0.9.0__tar.gz → 0.10.0__tar.gz

rhiza-0.10.0/.github/actions/configure-git-auth/README.md

@@ -0,0 +1,74 @@
+# Configure Git Auth for Private Packages
+
+This composite action configures git to use token authentication for private GitHub packages.
+
+## Usage
+
+Add this step before installing dependencies that include private GitHub packages:
+
+```yaml
+- name: Configure git auth for private packages
+  uses: ./.github/actions/configure-git-auth
+  with:
+    token: ${{ secrets.GH_PAT }}
+```
+
+The `GH_PAT` secret should be a Personal Access Token with `repo` scope.
+
+## What It Does
+
+This action runs:
+
+```bash
+git config --global url."https://<token>@github.com/".insteadOf "https://github.com/"
+```
+
+This tells git to automatically inject the token into all HTTPS GitHub URLs, enabling access to private repositories.
+
+## When to Use
+
+Use this action when your project has dependencies defined in `pyproject.toml` like:
+
+```toml
+[tool.uv.sources]
+private-package = { git = "https://github.com/your-org/private-package.git", rev = "v1.0.0" }
+```
+
+## Token Requirements
+
+The default `GITHUB_TOKEN` does **not** have access to other private repositories, even within the same organization. You must use a Personal Access Token (PAT) with `repo` scope stored as `secrets.GH_PAT`.
+
+If `secrets.GH_PAT` is not defined, GitHub Actions passes an empty string. The action will still run successfully, but any subsequent step that tries to access private repositories will fail with an authentication error.
+
+## Example Workflow
+
+```yaml
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Install dependencies
+        run: uv sync --frozen
+
+      - name: Run tests
+        run: uv run pytest
+```
+
+## See Also
+
+- [PRIVATE_PACKAGES.md](../../../.rhiza/docs/PRIVATE_PACKAGES.md) - Complete guide to using private packages
+- [TOKEN_SETUP.md](../../../.rhiza/docs/TOKEN_SETUP.md) - Setting up Personal Access Tokens

rhiza-0.10.0/.github/actions/configure-git-auth/action.yml

@@ -0,0 +1,20 @@
+name: 'Configure Git Auth for Private Packages'
+description: 'Configure git to use token authentication for private GitHub packages'
+
+inputs:
+  token:
+    description: 'GitHub token to use for authentication (use github.token)'
+    required: false
+    default: ${{ github.token }}
+
+runs:
+  using: composite
+  steps:
+    - name: Configure git authentication
+      shell: bash
+      run: |
+        # Configure git to use token authentication for GitHub URLs
+        # This allows uv/pip to install private packages from GitHub
+        git config --global url."https://${{ inputs.token }}@github.com/".insteadOf "https://github.com/"
+
+        echo "✓ Git configured to use token authentication for GitHub"

rhiza-0.10.0/.github/workflows/rhiza_benchmarks.yml

@@ -0,0 +1,87 @@
+# This file is part of the jebel-quant/rhiza repository
+# (https://github.com/jebel-quant/rhiza).
+#
+# Workflow: Performance Benchmarks
+#
+# Purpose: Run performance benchmarks and detect regressions.
+#
+# Trigger: On push to main/master branches, PRs, and manual trigger.
+#
+# Regression Detection:
+#   - Compares against previous benchmark results stored in gh-pages branch
+#   - Alerts if performance degrades by more than 150% (configurable)
+#   - PRs will show a warning comment but not fail
+#   - Main branch updates the baseline for future comparisons
+
+name: "(RHIZA) BENCHMARKS"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+  workflow_dispatch:
+
+jobs:
+  benchmark:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6.0.2
+        with:
+          lfs: true
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.2.1
+        with:
+          version: "0.9.30"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Run benchmarks
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
+        run: |
+          make benchmark
+
+      - name: Upload benchmark results
+        uses: actions/upload-artifact@v6.0.0
+        if: always()
+        with:
+          name: benchmark-results
+          path: |
+            _benchmarks/benchmarks.json
+            _benchmarks/benchmarks.svg
+            _benchmarks/benchmarks.html
+
+      # Regression detection using github-action-benchmark
+      # Stores benchmark history in gh-pages branch under /benchmarks
+      # Alerts if performance degrades by more than 150% of baseline
+      - name: Store benchmark result and check for regression
+        uses: benchmark-action/github-action-benchmark@v1
+        # run this only if _benchmarks/benchmarks.json exists
+        if: hashFiles('_benchmarks/benchmarks.json') != ''
+        with:
+          tool: 'pytest'
+          output-file-path: _benchmarks/benchmarks.json
+          # Store benchmark data in gh-pages branch
+          gh-pages-branch: gh-pages
+          benchmark-data-dir-path: benchmarks
+          # Only update baseline on main branch push (not PRs)
+          auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          # Alert if performance degrades by more than 150%
+          alert-threshold: '150%'
+          # Post comment on PR if regression detected
+          comment-on-alert: ${{ github.event_name == 'pull_request' }}
+          # Fail workflow if regression detected (disabled for PRs to allow investigation)
+          fail-on-alert: ${{ github.event_name == 'push' }}
+          # GitHub token for pushing to gh-pages and commenting
+          github-token: ${{ secrets.GITHUB_TOKEN }}

{rhiza-0.9.0 → rhiza-0.10.0}/.github/workflows/rhiza_book.yml

@@ -36,30 +36,38 @@ jobs:
 
     steps:
       # Check out the repository code
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v7.2.1
         with:
-          version: "0.9.26"
+          version: "0.9.30"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       - name: "Sync the virtual environment for ${{ github.repository }}"
         shell: bash
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
         run: |
-          export UV_EXTRA_INDEX_URL="${{ secrets.uv-extra-index-url }}"
           # will just use .python-version?
           uv sync --all-extras --all-groups --frozen
 
       - name: "Make the book"
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
         run: |
-          make -f .rhiza/rhiza.mk book
+          make book
 
       # Step 5: Package all artifacts for GitHub Pages deployment
       # This prepares the combined outputs for deployment by creating a single artifact
       - name: Upload static files as artifact
-        uses: actions/upload-pages-artifact@v4  # Official GitHub Pages artifact upload action
+        uses: actions/upload-pages-artifact@v4.0.0  # Official GitHub Pages artifact upload action
         with:
           path: _book/  # Path to the directory containing all artifacts to deploy
 
@@ -70,5 +78,5 @@ jobs:
       # If PUBLISH_COMPANION_BOOK is not set, it defaults to allowing deployment
       - name: Deploy to GitHub Pages
         if: ${{ !github.event.repository.fork && (vars.PUBLISH_COMPANION_BOOK == 'true' || vars.PUBLISH_COMPANION_BOOK == '') }}
-        uses: actions/deploy-pages@v4  # Official GitHub Pages deployment action
+        uses: actions/deploy-pages@v4.0.5  # Official GitHub Pages deployment action
         continue-on-error: true

{rhiza-0.9.0 → rhiza-0.10.0}/.github/workflows/rhiza_ci.yml

@@ -24,14 +24,23 @@ jobs:
     outputs:
       matrix: ${{ steps.versions.outputs.list }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
+        with:
+          lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v7.2.1
         with:
-          version: "0.9.26"
+          version: "0.9.30"
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+          
       - id: versions
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
         run: |
           # Generate Python versions JSON from the script
           JSON=$(make -f .rhiza/rhiza.mk -s version-matrix)
@@ -51,16 +60,46 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2
         with:
           lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v7.2.1
         with:
-          version: "0.9.26"
+          version: "0.9.30"
           python-version: ${{ matrix.python-version }}
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Run tests
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
+        run: |
+          make test
+
+
+  docs-coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.2.1
+        with:
+          version: "0.9.30"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Check docs coverage
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
         run: |
-          make -f .rhiza/rhiza.mk test
+          make docs-coverage

{rhiza-0.9.0 → rhiza-0.10.0}/.github/workflows/rhiza_codeql.yml

@@ -81,8 +81,12 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v6.0.2
 
+    - name: Configure git auth for private packages
+      uses: ./.github/actions/configure-git-auth
+      with:
+        token: ${{ secrets.GH_PAT }}
     # Add any setup steps before running the `github/codeql-action/init` action.
     # This includes steps like installing compilers or runtimes (`actions/setup-node`
     # or others). This is typically only required for manual builds.
@@ -91,7 +95,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@v4.32.1
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -120,6 +124,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@v4.32.1
       with:
         category: "/language:${{matrix.language}}"

{rhiza-0.9.0 → rhiza-0.10.0}/.github/workflows/rhiza_deptry.yml

@@ -27,13 +27,18 @@ jobs:
     name: Check dependencies with deptry
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/astral-sh/uv:0.9.26-python3.12-trixie
+      image: ghcr.io/astral-sh/uv:0.9.30-bookworm
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       - name: Run deptry
-        run: make -f .rhiza/rhiza.mk deptry
+        run: make deptry
         # NOTE: make deptry is good style because it encapsulates the folders to check
         # (e.g. src and book/marimo) and keeps CI in sync with local development.
         # Since we use a 'uv' container, the Makefile is optimised to use the

{rhiza-0.9.0 → rhiza-0.10.0}/.github/workflows/rhiza_marimo.yml

@@ -34,13 +34,14 @@ jobs:
       notebook-list: ${{ steps.notebooks.outputs.matrix }}
     steps:
       # Check out the repository code
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
 
       # Find all Python files in the marimo folder and create a matrix for parallel execution
       - name: Find notebooks and build matrix
         id: notebooks
         run: |
           # Extract MARIMO_FOLDER from the project configuration (via Makefile)
+          # shellcheck disable=SC2016 # Single quotes intentional - Make syntax, not shell expansion
           NOTEBOOK_DIR=$(make -s -f Makefile -f - <<< 'print: ; @echo $(or $(MARIMO_FOLDER),marimo)' print)
 
           echo "Searching notebooks in: $NOTEBOOK_DIR"
@@ -74,18 +75,25 @@ jobs:
     name: Run notebook ${{ matrix.notebook }}
     steps:
       # Check out the repository code
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           lfs: true
 
       # Install uv/uvx
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v7.2.1
         with:
-          version: "0.9.26"
+          version: "0.9.30"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       # Execute the notebook with the appropriate runner based on its content
       - name: Run notebook
+        env:
+          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
         run: |
           uvx uv run "${{ matrix.notebook }}"
           # uvx → creates a fresh ephemeral environment

rhiza-0.10.0/.github/workflows/rhiza_mypy.yml

@@ -0,0 +1,39 @@
+# This file is part of the jebel-quant/rhiza repository
+# (https://github.com/jebel-quant/rhiza).
+#
+# Workflow: Mypy
+#
+# Purpose: Run static type checking with mypy in strict mode to ensure
+#          type safety across the codebase.
+#
+# Trigger: On push and pull requests to main/master branches.
+
+name: "(RHIZA) MYPY"
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+
+jobs:
+  mypy:
+    name: Static type checking with mypy
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/astral-sh/uv:0.9.30-bookworm
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      # to brutal for now
+      # - name: Run mypy
+      #   run: make -f .rhiza/rhiza.mk mypy

{rhiza-0.9.0 → rhiza-0.10.0}/.github/workflows/rhiza_pre-commit.yml

@@ -29,9 +29,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       # Run pre-commit
       - name: Run pre-commit
         run: |
-          make -f .rhiza/rhiza.mk fmt
+          make fmt