Refactor workflows for dependency management and update documentation

[GabrielBG0]

Describe your changes

Migrate all CI workflows from pip to uv, harden them against supply chain attacks by pinning actions to immutable commit SHAs, and migrate PyPI publishing to OIDC Trusted Publishing.

CI tooling migration (pip → uv):

• All four workflows (auto-format, continuous-testing, docs, release_to_pypi) now use astral-sh/setup-uv instead of actions/setup-python + pip. Python invocations are replaced with uvx / uv run / uv sync --extra <group>.
• Added uv.lock to the repository.

Supply chain hardening (Mini Shai-Hulud response):

• All GitHub Actions pinned to full 40-character commit SHAs with a trailing # vX.Y.Z comment for readability. No mutable version tags (@v4, @v5, etc.) remain.
• peaceiris/actions-gh-pages upgraded from v3 → v4.1.0 (SHA-pinned) in the docs workflow.
• Explicit permissions scopes added to each workflow/job — no workflow relies on the default broad token permissions.

PyPI Trusted Publishing (OIDC — no stored token):

• release_to_pypi.yml migrated from uv publish + PYPI_API_TOKEN_MINERVA secret to pypa/gh-action-pypi-publish with id-token: write. No API token is stored or used.
• Release job linked to the new pypi protected GitHub environment (requires reviewer approval before publishing).

Docs fixes:

• Fixed duplicate/incorrect html_theme assignment in docs/conf.py.
• Switched Sphinx theme to Furo (html_theme = "furo") for improved documentation styling.
• Updated docs/installation.md and README.md to reflect uv-based setup instructions.

Issue ticket number and link (If apply)

N/A

Checklist before requesting a review

• I have performed a self-review of my code.
• I have added tests to this functionality.
• All tests are passing.
• I have updated the documentation as needed.
• I have followed the project's coding guidelines.

Summary by CodeRabbit

• New Features

  • Minerva is now available on PyPI for production installation.

• Documentation

  • Installation, development, and testing instructions updated to use a modern tooling workflow (including PyPI install guidance).
  • Contributor guide refreshed with updated dependency and test workflows.
  • Documentation theme refreshed for improved visual design.

• Chores

  • CI, formatting, docs build, and release workflows modernized and hardened.

[coderabbitai]

Warning

Rate limit exceeded

@GabrielBG0 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 52 minutes and 30 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f0a3d941-1b2c-4f48-95f1-bda3c56a6cdf

📥 Commits

Reviewing files that changed from the base of the PR and between 409796e and 9cf2896.

📒 Files selected for processing (1)

• .github/workflows/continuous-testing.yml

📝 Walkthrough

Walkthrough

This PR standardizes the Minerva project's build and development tooling on uv: GitHub Actions workflows (format, CI, docs, release) are migrated to setup-uv/uv commands and pinned actions; documentation and contributor/user guides are updated to recommend uv; Sphinx theme changed to furo.

Changes

uv Toolchain Standardization

Layer / File(s)	Summary
Auto-format workflow migration to uv .github/workflows/auto-format.yml	Auto-format workflow now pins actions and executes Black via uv run --frozen instead of installing Black with pip and running it directly.
Continuous testing workflow migration to uv .github/workflows/continuous-testing.yml	CI switches from setup-python/pip installs to astral-sh/setup-uv + uv sync --extra dev, and runs Black, pytest (with coverage), and interrogate via uv run.
Documentation build workflow migration to uv .github/workflows/docs.yaml	Docs job adds contents: write permissions, replaces setup-python/pip installs with uv sync --extra docs, preserves pandoc step, and pins gh-pages deploy action to a specific commit.
Release to PyPI workflow modernization .github/workflows/release_to_pypi.yml	Release workflow adds explicit permissions (including id-token: write), targets pypi environment, installs uv, builds with uv build, and publishes via pypa/gh-action-pypi-publish.
Documentation theme migration and furo dependency docs/conf.py, pyproject.toml	Sphinx config switched to the furo theme and pyproject.toml adds furo to the docs extra.
User installation and testing documentation README.md, docs/installation.md	README and installation docs updated to state PyPI availability and recommend uv commands for installation and running tests/coverage.
Contributor guidelines update CONTRIBUTING.md	Contributor guide updated to use uv sync --extra dev and uv run pytest, and to add dependencies in pyproject.toml.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: workflows refactored for dependency management (pip → uv) and documentation updated.
Description check	✅ Passed	The description is comprehensive and covers all key changes, objectives, and checklist items, though new dependencies section is not applicable here.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/docs.yaml (1)

29-36: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the docs build through uv run to ensure dependencies are available.

The workflow installs docs dependencies via uv sync --extra docs, but then runs make html in a plain shell without activating that environment. The Sphinx build tool (sphinx-build) is a Python dependency installed by uv sync, and without uv run, it may not be available on the PATH. Per uv's documentation, commands that depend on the synced environment should be executed through uv run.

Suggested change

-    - name: Build docs
-      run: |
-        cd docs
-        make clean
-        make html
+    - name: Build docs
+      run: uv run -- make -C docs clean html

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yaml around lines 29 - 36, The docs build step runs
"make html" outside the uv-managed environment, so sphinx may not be on PATH;
modify the "Build docs" step to execute the make commands through uv (e.g., use
"uv run -- make -C docs clean html" or "uv run -- sh -c 'cd docs && make clean
&& make html'") so the Sphinx dependency installed by the "Install project with
docs dependencies" (uv sync --extra docs) is available; update the "Build docs"
step to call uv run instead of a plain shell invocation.

🧹 Nitpick comments (1)

.github/workflows/continuous-testing.yml (1)

42-42: ⚡ Quick win

Use frozen sync in CI for lockfile enforcement.

Line 42 should use --frozen so CI doesn’t silently re-resolve dependencies.

Suggested change

-        run: uv sync --extra dev
+        run: uv sync --extra dev --frozen

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/continuous-testing.yml at line 42, Replace the existing CI
sync invocation to enforce lockfile usage: update the command that currently
runs "uv sync --extra dev" to include the --frozen flag (e.g., change the
invocation in the workflow step that runs the uv sync command to use --frozen so
CI fails if the lockfile would be changed).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-format.yml:
- Around line 28-38: Replace the direct invocation "uvx black minerva tests" in
the "Run black formatter" step with a lockfile-backed invocation so CI uses the
pinned Black from the repo lockfile (project dev deps in pyproject.toml);
specifically change the command run by the "Run black formatter" step (currently
using "uvx black minerva tests") to call uvx with the lockfile (e.g. "uvx run
--lockfile=<lockfile> black minerva tests") so the workflow consistently uses
the pinned Black (26.5.0) rather than the latest PyPI release.

In @.github/workflows/continuous-testing.yml:
- Around line 35-36: The workflow still references the mutable tag "uses:
astral-sh/setup-uv@v5"; replace that with a pinned full commit SHA (e.g., "uses:
astral-sh/setup-uv@<COMMIT_SHA>") to match the hardening applied
elsewhere—locate the "uses: astral-sh/setup-uv@v5" entry in the workflow and
update it to the exact commit SHA, ensuring any other occurrences are similarly
pinned and that the chosen SHA is verified for compatibility.

In `@docs/conf.py`:
- Line 65: The line concatenates two assignments into invalid Python; split the
single line into two separate assignments so htmlhelp_basename = "minerva_docs"
and source_encoding = "utf-8" are on their own lines (locate the assignments by
the symbols htmlhelp_basename and source_encoding in conf.py and place a line
break between them).

---

Outside diff comments:
In @.github/workflows/docs.yaml:
- Around line 29-36: The docs build step runs "make html" outside the uv-managed
environment, so sphinx may not be on PATH; modify the "Build docs" step to
execute the make commands through uv (e.g., use "uv run -- make -C docs clean
html" or "uv run -- sh -c 'cd docs && make clean && make html'") so the Sphinx
dependency installed by the "Install project with docs dependencies" (uv sync
--extra docs) is available; update the "Build docs" step to call uv run instead
of a plain shell invocation.

---

Nitpick comments:
In @.github/workflows/continuous-testing.yml:
- Line 42: Replace the existing CI sync invocation to enforce lockfile usage:
update the command that currently runs "uv sync --extra dev" to include the
--frozen flag (e.g., change the invocation in the workflow step that runs the uv
sync command to use --frozen so CI fails if the lockfile would be changed).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 05bb1165-74a3-461f-b4b3-8eb34ac185ad

📥 Commits

Reviewing files that changed from the base of the PR and between 7df0485 and da9532e.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (9)

• .github/workflows/auto-format.yml
• .github/workflows/continuous-testing.yml
• .github/workflows/docs.yaml
• .github/workflows/release_to_pypi.yml
• CONTRIBUTING.md
• README.md
• docs/conf.py
• docs/installation.md
• pyproject.toml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/continuous-testing.yml:
- Line 33: Replace the mutable tag for the checkout action with the pinned SHA:
change the step that currently says "uses: actions/checkout@v4" to "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" so this workflow uses
the same fixed commit as the other workflows and closes the supply-chain
hardening gap.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c9e668a8-7981-4b6e-b05a-60c79445bce5

📥 Commits

Reviewing files that changed from the base of the PR and between da9532e and 409796e.

📒 Files selected for processing (3)

• .github/workflows/auto-format.yml
• .github/workflows/continuous-testing.yml
• docs/conf.py