chore: repository hygiene, metadata accuracy, and CI least-privilege pass#143
Conversation
- remove committed AI-assistant working artifacts (.superpowers/, docs/superpowers/ published to the docs site) and git-ignore them - remove dead MANIFEST.in (hatchling ignores it; sdist verified byte-identical without it) - remove the never-executed nested freshdata-benchmarks/.github workflow and correct that README's CI-execution/published-results claims - anchor hatchling sdist include patterns to the repo root so the sdist ships exactly the documented file set - declare least-privilege GITHUB_TOKEN permissions in every workflow - align contributor docs (CONTRIBUTING.md, README.md, QUALITY_OPS.md, docs/contributing.md) with the exact commands CI runs; drop the unenforced ruff-format pre-commit hook and document why - update SECURITY.md supported-versions table to 1.1.x - merge duplicate Unreleased headings in CHANGELOG.md and record this pass - add CITATION.cff and a documentation issue template
|
Strix is installed on this repository, but we couldn't run this PR security review because this workspace's trial has ended. Add a card to resume code reviews here. |
📝 WalkthroughWalkthroughThe PR adds read-only permissions to GitHub Actions workflows, aligns contributor checks with CI, updates packaging and release metadata, adds citation and documentation issue templates, revises benchmark and repository documentation, and removes obsolete planning and report artifacts. ChangesCI and contributor workflow
Release and packaging metadata
Repository documentation and hygiene
Estimated code review effort: 3 (Moderate) | ~20 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/performance-investigation.md`:
- Around line 440-444: The documentation summary conflates final-build warnings
with warnings from the earlier pre-cleanup run. Update the passages at
docs/performance-investigation.md lines 440-444 and 462-464 to attribute the
un-navigated planning-page warnings only to the earlier verification run, or
remove that stale attribution from the final-gate summary; preserve the separate
Material-for-MkDocs notice as appropriate.
In `@pyproject.toml`:
- Around line 247-250: Add "/CITATION.cff" to the explicitly anchored include
array in the pyproject.toml build configuration so Hatchling includes the
citation metadata in the source distribution.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 5610039f-883b-4d49-acb8-52e1c99fa4ed
📒 Files selected for processing (31)
.github/ISSUE_TEMPLATE/documentation.md.github/workflows/ci.yml.github/workflows/fetch-fixtures.yml.github/workflows/nightly-real-model.yml.github/workflows/plugin-contract.yml.github/workflows/reproducibility.yml.github/workflows/wheel-size.yml.gitignore.pre-commit-config.yaml.superpowers/sdd/task-4-report.md.superpowers/sdd/task-5-report.md.superpowers/sdd/task-6-report.mdCHANGELOG.mdCITATION.cffCONTRIBUTING.mdMANIFEST.inQUALITY_OPS.mdREADME.mdRELEASE.mdSECURITY.mddocs/contributing.mddocs/performance-investigation.mddocs/superpowers/plans/2026-07-11-freshdata-performance-baseline-profiling.mddocs/superpowers/plans/2026-07-13-freshdata-semantic-performance-optimization.mddocs/superpowers/plans/2026-07-14-freshdata-truthbench.mddocs/superpowers/specs/2026-07-11-freshdata-confirmed-performance-bottlenecks-design.mddocs/superpowers/specs/2026-07-11-freshdata-performance-scalability-design.mddocs/superpowers/specs/2026-07-14-freshdata-truthbench-design.mdfreshdata-benchmarks/.github/workflows/benchmark.ymlfreshdata-benchmarks/README.mdpyproject.toml
💤 Files with no reviewable changes (11)
- docs/superpowers/plans/2026-07-11-freshdata-performance-baseline-profiling.md
- docs/superpowers/specs/2026-07-11-freshdata-performance-scalability-design.md
- docs/superpowers/specs/2026-07-11-freshdata-confirmed-performance-bottlenecks-design.md
- MANIFEST.in
- docs/superpowers/specs/2026-07-14-freshdata-truthbench-design.md
- .superpowers/sdd/task-4-report.md
- .superpowers/sdd/task-5-report.md
- freshdata-benchmarks/.github/workflows/benchmark.yml
- docs/superpowers/plans/2026-07-13-freshdata-semantic-performance-optimization.md
- docs/superpowers/plans/2026-07-14-freshdata-truthbench.md
- .superpowers/sdd/task-6-report.md
Repository hygiene and metadata-accuracy pass. No runtime behavior changes.
What changed
Removed dead / accidental content
.superpowers/task reports anddocs/superpowers/internal planning notes (the latter were being published, unlinked, on the docs site)..superpowers/is now git-ignored.MANIFEST.in— the hatchling build backend never reads it; the sdist was verified byte-identical with and without it.freshdata-benchmarks/.github/workflows/— nested workflow directories are never executed by GitHub Actions.Packaging fix
includepatterns are now anchored to the repo root. Unanchored patterns match at any depth, so bare"examples"/"README.md"were shippingdocs/examples/*.htmland nested READMEs. The sdist now contains exactly the documented file set (809 → 796 files); the wheel is unchanged.CI hardening
GITHUB_TOKENpermissions (read-only by default; the nightly-alert and coverage-badge jobs keep their scoped write grants). Verified none of the newly restricted workflows performs writes.Truthfulness / docs accuracy
freshdata-benchmarks/README.mdclaimed weekly CI execution, gh-pages publishing, and three CI jobs — none of which existed (they lived in the dead nested workflow). It now documents the ASV suite as a locally-run comparative benchmark, separate from the CleanBench CI workflow, and drops the two misleading badges.SECURITY.mdsupported-versions table updated 1.0.x → 1.1.x.CONTRIBUTING.md,README.md,QUALITY_OPS.md, anddocs/contributing.mdnow quote the exact commands CI runs (pytest -m "not online and not large",ruff check .) instead of barepytest(needs network) andruff check src tests.ruff-formathook: the tree is not format-clean (322/587 files) and CI never enforced formatting, so the hook only injected unrelated hunks into contributor diffs. The config comment now documents this deliberately.CHANGELOG.md: merged the duplicate### Addedheadings inUnreleased(merge artifact) and restored keep-a-changelog section order.Added
CITATION.cff(enables GitHub's "Cite this repository"; facts only, no version pin to go stale).Validation
pytest -m "not online and not large": pass, 93.7% coverage (gate 93%), re-run after all editsruff check .,mypy src/freshdata(with the CInumpy<2.5pin): cleanmkdocs build --strict: passpython -m build+twine check dist/*: PASSED; sdist A/B-diffed against pre-change buildfd.clean(...),freshdata --help, andfreshdata clean file.csvall workpre-commit validate-configand YAML parse of all workflows: passNotes for review
__version__) on purpose — the release workflow cross-checks both and fails closed; that duality is an enforced gate.ruff formatwas applied: it would touch 322 files and conflict with every open PR. Adopting formatting is left as a separate decision.Summary by CodeRabbit
Documentation
Security
Packaging
Changelog