From 13dceddf61348e23b19a17aab03e444feef1b600 Mon Sep 17 00:00:00 2001
From: Nic van Dessel <51134175+nvandessel@users.noreply.github.com>
Date: Sun, 29 Mar 2026 23:06:21 +0000
Subject: [PATCH 1/4] =?UTF-8?q?chore:=20repo=20hygiene=20=E2=80=94=20CodeQ?=
 =?UTF-8?q?L,=20Dependabot,=20SECURITY.md,=20badges,=20coverage=20in=20CI?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add CodeQL scanning workflow (weekly + on PRs)
- Add Dependabot config for pip and GitHub Actions
- Add SECURITY.md with vulnerability reporting process
- Add README badges (tests, CodeQL, license, Python version)
- Add coverage reporting to CI test step
- Set repo description and topics
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .coverage | Bin 0 -> 53248 bytes
 .github/dependabot.yml | 13 +++++++++++++
 .github/workflows/codeql.yml | 33 +++++++++++++++++++++++++++++++++
 .github/workflows/test.yml | 2 +-
 README.md | 5 +++++
 SECURITY.md | 17 +++++++++++++++++
 6 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 .coverage
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 SECURITY.md
diff --git a/.coverage b/.coverage new file mode 100644 index 0000000000000000000000000000000000000000..7b8937935d17cee1917fdcb215690786ea54cb47 GIT binary patch literal 53248 zcmeI4e{38_6~}jP?{07Jc6VITa2ON3LV#mx`!H!m(uO2XiA2?aTL_3hP_OIr*xqn= zd)eKKZ6LBPjZ}V#R!IC;0sr-%3Ly{@P$VjlS}6jlmHG!rMd@Eqf@-xuRUwy#H?zCG z^RLQhDY6>AtGk=snR##D`^=k}o87zp!h>hMh&ywB&~PK?h%%t4s&dM46h$%UZP7d3 zblS!l~mqsA9Yo<3$wPysd&009sH zfm?<^=Rs314-TrAFGcQ5okxLN<3aps-TV17Q|Hb&=cZ1dJ>$fA&f%g%+xWOMlyGmpDQY-}6Y)_e;B!3S%^DA5D-L_Jqs7rjR*HK0zybA9E`4%? z8of#zyrGP)EBDQjqM9Gf3hQSAw^>`@;h5vDdsy?y&ZQ{!Ht-vj$am^qQ@Yska98SUB`>ESa3EhfY^`8_A@4B0NXNHT@K8S5Taqgr&{R zc4LN+pKmu>qH#zfK5^vlB)OAp;%dWp0nlnW%S~QkwH@ypOzTWs_PFHeF zy3zE<9N`2-z(-2?^05P|LQ%<=!V7i!>Qr^xkuQ&{)cDm&`Y^BDR?y4C!|J0KWS|H< z)fq1e*LRE!L9?E{L+FU|o#RIIl8r$kdQrXZ_;a$$2x%v79E#@NK2u3yxPjkWH58Qb^k(9>6!hQ!5h0dgr zFP|CSDRkCDpgOs}TkH(x_43e=dfAX+l(bfo=o>;PZOLth(X^<+-LM^`1IarLlBq;@ zluY|bQbO*G>-qB3&`$0o^{SJ}PNAb`_42`kYA5ayVq6mM+y*B^PPYqenh17pe#?y( zoUOKtY%+W#moMLQa3{ls3DrsQnZGiSktTmrlk^)j=!>_u!DNxsHTizNJbuxw(`eFi zy@0wbjluB@;E0N|E>(7C{B|VcR~*Xl6mw74-dI8RIAu?@MrC#C-VgX;=+U$)rmgVq zG}jqfa6>T)g(J?4@7KB8jOPZDxG$u0dZ8n2*g7kn?CJ=Yg^u})BhsdHauLJ)IqGz2 z|Dv5n!)?wc^Ocx}W34pyi_R&|6AvOJ=!{UO45^E5(wQnvO2vqk>Yr#46QQ-?&c@wc zG)j-g#Ra}aT|66o+KqVRHMk?HNMmGRExMso3pf=fbE!0ph%IckDpvCuDoMxC*qhN2 z?VVyrG;wuOe2P_aL41|#46Azijyu#&JL$pk;8YFin?S=&eN7HC8zO5{VK>O8X_Tg~ zNWH-&fcG#Ihw&N2h!{8fOpGqAm3%=ej*11o%GMNmVFLjW009sH0T2KI5C8!X009sH z0T8(L2xw|X)y4Wh!(LX{Dt%xB0T2KI5C8!X009sH0T2KI5C8!XcvliIGuk1R{w(C< z1FAMOnEVFdlM|CiChjVdR~hz-!d_u-yel1q(I5Z(JS_Si2^ARe>1_B@e z0w4eaAOHd&00JNY0-FdNVVcsYEcgvxX?nFvz*~M;S@2pdf3EKPtx6cwdJk)LkN)R9 zWoMO+zI!QphKtvvN2*lh4i8AhDT`F(_Mn2EPcY}rlZMkKX)yMnp;{$lqH0xGQR>eM zzSQ!As1hf!AH_Xs=&|9rp(!i7cZ1W@1}gNI^}wrz4_-x;GJT@HVagvwix$dHt{5tu6QAd++)`b5vXG@9^}*gyaTKmY_l00ck) z1V8`;KmY_l00eG90-9zS;{LzQ?o`-+*z4>XyULzsKW9&{Z?O)$$iBkPu~Srt4Fo^{ z1V8`;KmY_l00ck)1V8`;{tpQh?W}6N*UmHspUS+)qWzCr=Z`)9x0N3ntN*=m;~Sa0 zNqM%ZzOO{-Co-2mXr5?2f9+S{$v2<*+3$)!edcP$C{oGorStr?@w_1_7uDMelz!N_ 
zo_%}tFRS0zzBc`L?VwIsV} zZ~k`e#(^vy9?re^gJJDjZgusI7jINwJ3gRM=7+M^Kc@Zitv^4#_UkIkXN0t-=G3fV z*s8eyZ?hjOY>oYb{hPhY{z_K?{={COD*?Y}zhOUNPf{T^5C8!X009sH0T2KI5C8!X z009sHftyM|to2pfmWgG_#584+DaoW%lu6N$iBXVAL6?axFBPcyoIJ{9Ws=ooqGhsl z0YKjWR|amX3s4RMAOHd&00JNY0w4eaAOHd&00JPe&jiH%f2{xaxe;)B5C8!X009sH z0T2KI5C8!X009uV$ppmz|FQnR$&jHQ1V8`;KmY_l00ck)1V8`;KmY{xnZW-5j9Eo6 literal 0 HcmV?d00001 diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..c7527f4 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: + - package-ecosystem: pip + directory: / + schedule: + interval: weekly + open-pull-requests-limit: 10 + + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + open-pull-requests-limit: 5 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..37f6785 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,33 @@ +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '0 6 * * 1' # Weekly Monday 6am UTC + +permissions: + security-events: write + contents: read + +jobs: + analyze: + runs-on: ubuntu-latest + strategy: + matrix: + language: [python] + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e7c257d..9faa812 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,4 +29,4 @@ jobs: run: uv run ruff check src/ tests/ - name: Run tests - run: uv run pytest --tb=short -v + run: uv run pytest --tb=short -v --cov=hippofloop --cov-report=term-missing 
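Review bot: The `pip` ecosystem entry in the new dependabot.yml tracks requirements files and pyproject metadata, but as far as I know it does not update a `uv.lock`; the test workflow changed in this same patch runs everything through `uv run`, so if the project is locked with uv (the lockfile is not visible here) Dependabot would bump the manifest while CI keeps installing from the stale lock. Confirm which file CI actually resolves from, and if it is `uv.lock`, use `package-ecosystem: uv` instead of (or in addition to) `pip`. Also note this file only configures version updates; Dependabot security updates and alerts are a repository setting that lives outside version control, so they should be checked separately rather than assumed from this commit.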
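Review bot: In the new codeql.yml the three `github/codeql-action/*@v3` steps ride a floating major tag while `actions/checkout` two lines above is pinned to a full commit SHA with a `# v4.2.2` comment; mixing the two undermines the point of the checkout pin, so pin all three the same way, e.g. `uses: github/codeql-action/init@<full-sha> # v3.x`, and let the github-actions Dependabot entry added in this patch keep the SHA and comment current. The `Autobuild` step is, to my understanding, a no-op for a pure-Python matrix since the Python extractor runs during `analyze` without a build, so it can be dropped. Patch 3/4 of this series deletes the file in favor of GitHub's default setup, which is fine but worth stating in the commit: the scan configuration (languages, query suite, schedule, token permissions) then lives in repository settings and is no longer reviewable in PRs.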
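Review bot: `--cov=hippofloop --cov-report=term-missing` on the changed `run:` line requires the pytest-cov plugin, and pytest aborts with "unrecognized arguments" if it is absent from the environment `uv run` sets up; this patch does not show the dependency being declared, so confirm it is in the dev/test group (the `.coverage` file committed in this same patch suggests it was at least installed locally). Coverage is only printed, not enforced; if a floor is intended, `--cov-fail-under=<N>` makes the job fail below it. The committed `.coverage` SQLite file is removed again in 2/4 but remains in history, so the `.gitignore` entry should have come first. The enclosing `jobs:` block starts outside this hunk.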
diff --git a/README.md b/README.md
index a7b951f..73d0db6 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,10 @@
 # hippofloop
+[![Tests](https://github.com/nvandessel/hippofloop/actions/workflows/test.yml/badge.svg)](https://github.com/nvandessel/hippofloop/actions/workflows/test.yml)
+[![CodeQL](https://github.com/nvandessel/hippofloop/actions/workflows/codeql.yml/badge.svg)](https://github.com/nvandessel/hippofloop/actions/workflows/codeql.yml)
+[![License](https://img.shields.io/github/license/nvandessel/hippofloop)](LICENSE)
+[![Python](https://img.shields.io/badge/python-3.11+-blue.svg)](https://python.org)
+
 > [!WARNING]
 > This project is under active development and not yet ready for production use.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..2485f26
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|--------------------|
+| 0.x | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly:
+
+1. **Do not** open a public issue
+2. Email: Open a [private security advisory](https://github.com/nvandessel/hippofloop/security/advisories/new) on GitHub
+3. Include: description, steps to reproduce, and potential impact
+
+You can expect an initial response within 72 hours.
From d6b92f6fd160dfd784a797ae4455b560bf8dc7c0 Mon Sep 17 00:00:00 2001
From: Nic van Dessel <51134175+nvandessel@users.noreply.github.com>
Date: Sun, 29 Mar 2026 23:06:30 +0000
Subject: [PATCH 2/4] chore: gitignore .coverage file
---
 .coverage | Bin 53248 -> 0 bytes
 .gitignore | 1 +
 2 files changed, 1 insertion(+)
 delete mode 100644 .coverage
diff --git a/.coverage b/.coverage deleted file mode 100644 index 7b8937935d17cee1917fdcb215690786ea54cb47..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53248 zcmeI4e{38_6~}jP?{07Jc6VITa2ON3LV#mx`!H!m(uO2XiA2?aTL_3hP_OIr*xqn= zd)eKKZ6LBPjZ}V#R!IC;0sr-%3Ly{@P$VjlS}6jlmHG!rMd@Eqf@-xuRUwy#H?zCG z^RLQhDY6>AtGk=snR##D`^=k}o87zp!h>hMh&ywB&~PK?h%%t4s&dM46h$%UZP7d3 zblS!l~mqsA9Yo<3$wPysd&009sH zfm?<^=Rs314-TrAFGcQ5okxLN<3aps-TV17Q|Hb&=cZ1dJ>$fA&f%g%+xWOMlyGmpDQY-}6Y)_e;B!3S%^DA5D-L_Jqs7rjR*HK0zybA9E`4%? z8of#zyrGP)EBDQjqM9Gf3hQSAw^>`@;h5vDdsy?y&ZQ{!Ht-vj$am^qQ@Yska98SUB`>ESa3EhfY^`8_A@4B0NXNHT@K8S5Taqgr&{R zc4LN+pKmu>qH#zfK5^vlB)OAp;%dWp0nlnW%S~QkwH@ypOzTWs_PFHeF zy3zE<9N`2-z(-2?^05P|LQ%<=!V7i!>Qr^xkuQ&{)cDm&`Y^BDR?y4C!|J0KWS|H< z)fq1e*LRE!L9?E{L+FU|o#RIIl8r$kdQrXZ_;a$$2x%v79E#@NK2u3yxPjkWH58Qb^k(9>6!hQ!5h0dgr zFP|CSDRkCDpgOs}TkH(x_43e=dfAX+l(bfo=o>;PZOLth(X^<+-LM^`1IarLlBq;@ zluY|bQbO*G>-qB3&`$0o^{SJ}PNAb`_42`kYA5ayVq6mM+y*B^PPYqenh17pe#?y( zoUOKtY%+W#moMLQa3{ls3DrsQnZGiSktTmrlk^)j=!>_u!DNxsHTizNJbuxw(`eFi zy@0wbjluB@;E0N|E>(7C{B|VcR~*Xl6mw74-dI8RIAu?@MrC#C-VgX;=+U$)rmgVq zG}jqfa6>T)g(J?4@7KB8jOPZDxG$u0dZ8n2*g7kn?CJ=Yg^u})BhsdHauLJ)IqGz2 z|Dv5n!)?wc^Ocx}W34pyi_R&|6AvOJ=!{UO45^E5(wQnvO2vqk>Yr#46QQ-?&c@wc zG)j-g#Ra}aT|66o+KqVRHMk?HNMmGRExMso3pf=fbE!0ph%IckDpvCuDoMxC*qhN2 z?VVyrG;wuOe2P_aL41|#46Azijyu#&JL$pk;8YFin?S=&eN7HC8zO5{VK>O8X_Tg~ zNWH-&fcG#Ihw&N2h!{8fOpGqAm3%=ej*11o%GMNmVFLjW009sH0T2KI5C8!X009sH z0T8(L2xw|X)y4Wh!(LX{Dt%xB0T2KI5C8!X009sH0T2KI5C8!XcvliIGuk1R{w(C< z1FAMOnEVFdlM|CiChjVdR~hz-!d_u-yel1q(I5Z(JS_Si2^ARe>1_B@e z0w4eaAOHd&00JNY0-FdNVVcsYEcgvxX?nFvz*~M;S@2pdf3EKPtx6cwdJk)LkN)R9 zWoMO+zI!QphKtvvN2*lh4i8AhDT`F(_Mn2EPcY}rlZMkKX)yMnp;{$lqH0xGQR>eM zzSQ!As1hf!AH_Xs=&|9rp(!i7cZ1W@1}gNI^}wrz4_-x;GJT@HVagvwix$dHt{5tu6QAd++)`b5vXG@9^}*gyaTKmY_l00ck) z1V8`;KmY_l00eG90-9zS;{LzQ?o`-+*z4>XyULzsKW9&{Z?O)$$iBkPu~Srt4Fo^{ z1V8`;KmY_l00ck)1V8`;{tpQh?W}6N*UmHspUS+)qWzCr=Z`)9x0N3ntN*=m;~Sa0 
zNqM%ZzOO{-Co-2mXr5?2f9+S{$v2<*+3$)!edcP$C{oGorStr?@w_1_7uDMelz!N_ zo_%}tFRS0zzBc`L?VwIsV} zZ~k`e#(^vy9?re^gJJDjZgusI7jINwJ3gRM=7+M^Kc@Zitv^4#_UkIkXN0t-=G3fV z*s8eyZ?hjOY>oYb{hPhY{z_K?{={COD*?Y}zhOUNPf{T^5C8!X009sH0T2KI5C8!X z009sHftyM|to2pfmWgG_#584+DaoW%lu6N$iBXVAL6?axFBPcyoIJ{9Ws=ooqGhsl z0YKjWR|amX3s4RMAOHd&00JNY0w4eaAOHd&00JPe&jiH%f2{xaxe;)B5C8!X009sH z0T2KI5C8!X009uV$ppmz|FQnR$&jHQ1V8`;KmY_l00ck)1V8`;KmY{xnZW-5j9Eo6 diff --git a/.gitignore b/.gitignore index 76f5089..94f5b9b 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,4 @@ wandb/ # Infisical .infisical.json +.coverage From a3359c36f8a539c2227e2ae9c3166a3b23bd3720 Mon Sep 17 00:00:00 2001 From: Nic van Dessel <51134175+nvandessel@users.noreply.github.com> Date: Sun, 29 Mar 2026 23:32:53 +0000 Subject: [PATCH 3/4] fix: address Greptile review + CodeQL conflict MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove custom codeql.yml — repo default setup already handles it - Fix SECURITY.md misleading "Email:" label (Greptile P2) - CodeQL badge points to code scanning page Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/codeql.yml | 33 --------------------------------- README.md | 2 +- SECURITY.md | 2 +- 3 files changed, 2 insertions(+), 35 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 37f6785..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,33 +0,0 @@
-name: CodeQL
-
-on:
- push:
- branches: [main]
- pull_request:
- branches: [main]
- schedule:
- - cron: '0 6 * * 1' # Weekly Monday 6am UTC
-
-permissions:
- security-events: write
- contents: read
-
-jobs:
- analyze:
- runs-on: ubuntu-latest
- strategy:
- matrix:
- language: [python]
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
-
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
diff --git a/README.md b/README.md
index 73d0db6..1d7036e 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # hippofloop
 [![Tests](https://github.com/nvandessel/hippofloop/actions/workflows/test.yml/badge.svg)](https://github.com/nvandessel/hippofloop/actions/workflows/test.yml)
-[![CodeQL](https://github.com/nvandessel/hippofloop/actions/workflows/codeql.yml/badge.svg)](https://github.com/nvandessel/hippofloop/actions/workflows/codeql.yml)
+[![CodeQL](https://github.com/nvandessel/hippofloop/actions/workflows/codeql.yml/badge.svg)](https://github.com/nvandessel/hippofloop/security/code-scanning)
 [![License](https://img.shields.io/github/license/nvandessel/hippofloop)](LICENSE)
 [![Python](https://img.shields.io/badge/python-3.11+-blue.svg)](https://python.org)
diff --git a/SECURITY.md b/SECURITY.md
index 2485f26..26ed3fc 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -11,7 +11,7 @@
 If you discover a security vulnerability, please report it responsibly:
 1. **Do not** open a public issue
-2. Email: Open a [private security advisory](https://github.com/nvandessel/hippofloop/security/advisories/new) on GitHub
+2. Open a [private security advisory](https://github.com/nvandessel/hippofloop/security/advisories/new) on GitHub
 3. Include: description, steps to reproduce, and potential impact
 You can expect an initial response within 72 hours.
From 59a7e619a9a5ded2153f666391af3943f5cc19da Mon Sep 17 00:00:00 2001
From: Nic van Dessel <51134175+nvandessel@users.noreply.github.com>
Date: Tue, 31 Mar 2026 04:42:15 +0000
Subject: [PATCH 4/4] fix: CodeQL badge URL for default setup workflow (Greptile P1)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1d7036e..5fc65ca 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # hippofloop
 [![Tests](https://github.com/nvandessel/hippofloop/actions/workflows/test.yml/badge.svg)](https://github.com/nvandessel/hippofloop/actions/workflows/test.yml)
-[![CodeQL](https://github.com/nvandessel/hippofloop/actions/workflows/codeql.yml/badge.svg)](https://github.com/nvandessel/hippofloop/security/code-scanning)
+[![CodeQL](https://github.com/nvandessel/hippofloop/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/nvandessel/hippofloop/security/code-scanning)
 [![License](https://img.shields.io/github/license/nvandessel/hippofloop)](LICENSE)
 [![Python](https://img.shields.io/badge/python-3.11+-blue.svg)](https://python.org)