Skip to content

Add stricter configuration defaults#157

Open
dguido wants to merge 4 commits intomainfrom
stricter-config
Open

Add stricter configuration defaults#157
dguido wants to merge 4 commits intomainfrom
stricter-config

Conversation

@dguido
Copy link
Member

@dguido dguido commented Jan 26, 2026

Summary

  • Bump minimum Python version to 3.11 (removes 3.10 from CI matrix)
  • Add security pre-commit hooks: shellcheck, actionlint, zizmor
  • Stricter ruff config: src path for first-party imports, docstring-code-format
  • Stricter coverage: branch coverage enabled, standard exclude patterns
  • Add pip-audit dependency group for vulnerability scanning

Test plan

  • Generated CLI project passes make lint && make test
  • Generated library project passes make lint && make test
  • Pre-commit hooks run successfully (actionlint, zizmor verified)
  • Branch coverage appears in test output
  • uv run pip-audit runs successfully

🤖 Generated with Claude Code

@dguido @claude
Add stricter configuration defaults
23ece6f 
- Bump minimum Python to 3.11, remove 3.10 from CI matrix
- Add security pre-commit hooks: shellcheck, actionlint, zizmor
- Add ruff src path and docstring-code-format settings
- Enable branch coverage with standard exclude patterns
- Add pip-audit dependency group for vulnerability scanning

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Ninja3047
Ninja3047 reviewed Jan 26, 2026
View reviewed changes
{{cookiecutter.project_slug}}/.pre-commit-config.yaml Outdated

# Shell script linting
- repo: https://github.com/koalaman/shellcheck-precommit
rev: v0.11.0
Copy link
Contributor

@Ninja3047 Ninja3047 Jan 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there should be a plan for keeping these up to date
dependabot doesn't appear to support keeping these up to date AFAICT, although it might be coming soon dependabot/dependabot-core#1524 dependabot/dependabot-core#13977

also these should probably be frozen to the git hash with a comment of what the version is similar to what's being done in the github actions to mitigate supply chain attacks

Copy link
Contributor

@Ninja3047 Ninja3047 Jan 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out prek has this using https://prek.j178.dev/cli/#prek-auto-update so we just need to add it as a workflow

Copy link
Contributor

@Ninja3047 Ninja3047 Jan 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alright claude implemented a simple auto updater in this commit 79a8adf
but we need to configure a github app id and secret and have it set org-wide

instructions on how to do that are here
https://github.com/actions/create-github-app-token?tab=readme-ov-file#usage

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ninja3047 Ninja3047 Ninja3047 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dguido @Ninja3047