Skip to content

Refactor workflows for dependency management and update documentation#107

Open
GabrielBG0 wants to merge 6 commits into
discovery-unicamp:mainfrom
GabrielBG0:new-docs
Open

Refactor workflows for dependency management and update documentation#107
GabrielBG0 wants to merge 6 commits into
discovery-unicamp:mainfrom
GabrielBG0:new-docs

Conversation

@GabrielBG0
Copy link
Copy Markdown
Collaborator

@GabrielBG0 GabrielBG0 commented May 17, 2026
edited by coderabbitai Bot
Loading

Describe your changes

Migrate all CI workflows from pip to uv, harden them against supply chain attacks by pinning actions to immutable commit SHAs, and migrate PyPI publishing to OIDC Trusted Publishing.

CI tooling migration (pip → uv):

  • All four workflows (auto-format, continuous-testing, docs, release_to_pypi) now use astral-sh/setup-uv instead of actions/setup-python + pip. Python invocations are replaced with uvx / uv run / uv sync --extra <group>.
  • Added uv.lock to the repository.

Supply chain hardening (Mini Shai-Hulud response):

  • All GitHub Actions pinned to full 40-character commit SHAs with a trailing # vX.Y.Z comment for readability. No mutable version tags (@v4, @v5, etc.) remain.
  • peaceiris/actions-gh-pages upgraded from v3 → v4.1.0 (SHA-pinned) in the docs workflow.
  • Explicit permissions scopes added to each workflow/job — no workflow relies on the default broad token permissions.

PyPI Trusted Publishing (OIDC — no stored token):

  • release_to_pypi.yml migrated from uv publish + PYPI_API_TOKEN_MINERVA secret to pypa/gh-action-pypi-publish with id-token: write. No API token is stored or used.
  • Release job linked to the new pypi protected GitHub environment (requires reviewer approval before publishing).

Docs fixes:

  • Fixed duplicate/incorrect html_theme assignment in docs/conf.py.
  • Switched Sphinx theme to Furo (html_theme = "furo") for improved documentation styling.
  • Updated docs/installation.md and README.md to reflect uv-based setup instructions.

Issue ticket number and link (If apply)

N/A

Checklist before requesting a review

  • I have performed a self-review of my code.
  • I have added tests to this functionality.
  • All tests are passing.
  • I have updated the documentation as needed.
  • I have followed the project's coding guidelines.

Summary by CodeRabbit

  • New Features

    • Minerva is now available on PyPI for production installation.

  • Documentation

    • Updated installation and setup instructions to reflect PyPI availability.
    • Installation guide now includes modern tooling support options.
    • Updated contributor documentation and guidelines.
    • Documentation theme refreshed for improved visual design.

Review Change Stack

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 17, 2026
edited
Loading

Warning

Rate limit exceeded

@GabrielBG0 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 23 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: b3294818-4216-4d20-a8ad-212bf093f5e9

📥 Commits

Reviewing files that changed from the base of the PR and between da9532e and 683c6d6.

📒 Files selected for processing (3)
  • .github/workflows/auto-format.yml
  • .github/workflows/continuous-testing.yml
  • docs/conf.py
📝 Walkthrough

Walkthrough

This PR standardizes the Minerva project's build and development tooling on uv, a modern Python package manager. Four GitHub Actions workflows are updated to use pinned action versions and uv-based tool execution. User and contributor documentation are rewritten to reflect the new workflow. The Sphinx theme switches from sphinx_rtd_theme to furo with corresponding dependency updates.

Changes

uv Toolchain Standardization

Layer / File(s) Summary
Auto-format workflow migration to uv
.github/workflows/auto-format.yml		 Auto-format workflow now uses pinned action SHAs and executes Black through uvx instead of pip-installed system Black.
Continuous testing workflow migration to uv
.github/workflows/continuous-testing.yml		 CI workflow switches from setup-python/pip to setup-uv/uv sync for dependency install and routes Black formatting checks, pytest with coverage, and interrogate docstring coverage through uv run.
Documentation build workflow migration to uv
.github/workflows/docs.yaml		 Docs workflow adds explicit permissions, replaces setup-python/pip with setup-uv/uv sync for dependency install, and pins the gh-pages deployment action to a fixed commit.
Release to PyPI workflow modernization
.github/workflows/release_to_pypi.yml		 Release workflow adds explicit permissions including id-token: write for OIDC, targets pypi environment, and replaces pip/twine upload with uv build and pypa/gh-action-pypi-publish.
Documentation theme migration and furo dependency
docs/conf.py, pyproject.toml		 Sphinx conf.py removes sphinx_rtd_theme extension, switches html_theme to "furo", and pyproject.toml adds furo to docs extras.
User installation and testing documentation
README.md, docs/installation.md		 README and installation guide rewritten to announce PyPI availability, recommend uv for both production and development installs, and provide uv run equivalents for local testing and coverage.
Contributor guidelines update
CONTRIBUTING.md		 Contributing guidelines updated to direct developers to install dev dependencies via uv sync and run tests via uv run, with dependency guidance pointing to pyproject.toml.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main changes: refactoring workflows for dependency management (pip → uv) and updating documentation to match the new tooling.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The pull request description is comprehensive and well-structured, covering all major changes, objectives, and justifications with clear organization into logical sections.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@GabrielBG0 GabrielBG0 requested a review from otavioon May 17, 2026 17:30
coderabbitai[bot]
coderabbitai Bot requested changes May 17, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/docs.yaml (1)

29-36: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the docs build through uv run to ensure dependencies are available.

The workflow installs docs dependencies via uv sync --extra docs, but then runs make html in a plain shell without activating that environment. The Sphinx build tool (sphinx-build) is a Python dependency installed by uv sync, and without uv run, it may not be available on the PATH. Per uv's documentation, commands that depend on the synced environment should be executed through uv run.

Suggested change 
-    - name: Build docs
-      run: |
-        cd docs
-        make clean
-        make html
+    - name: Build docs
+      run: uv run -- make -C docs clean html
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yaml around lines 29 - 36, The docs build step runs
"make html" outside the uv-managed environment, so sphinx may not be on PATH;
modify the "Build docs" step to execute the make commands through uv (e.g., use
"uv run -- make -C docs clean html" or "uv run -- sh -c 'cd docs && make clean
&& make html'") so the Sphinx dependency installed by the "Install project with
docs dependencies" (uv sync --extra docs) is available; update the "Build docs"
step to call uv run instead of a plain shell invocation.
🧹 Nitpick comments (1)
.github/workflows/continuous-testing.yml (1)

42-42: ⚡ Quick win

Use frozen sync in CI for lockfile enforcement.

Line 42 should use --frozen so CI doesn’t silently re-resolve dependencies.

Suggested change 
-        run: uv sync --extra dev
+        run: uv sync --extra dev --frozen
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/continuous-testing.yml at line 42, Replace the existing CI
sync invocation to enforce lockfile usage: update the command that currently
runs "uv sync --extra dev" to include the --frozen flag (e.g., change the
invocation in the workflow step that runs the uv sync command to use --frozen so
CI fails if the lockfile would be changed).
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-format.yml:
- Around line 28-38: Replace the direct invocation "uvx black minerva tests" in
the "Run black formatter" step with a lockfile-backed invocation so CI uses the
pinned Black from the repo lockfile (project dev deps in pyproject.toml);
specifically change the command run by the "Run black formatter" step (currently
using "uvx black minerva tests") to call uvx with the lockfile (e.g. "uvx run
--lockfile=<lockfile> black minerva tests") so the workflow consistently uses
the pinned Black (26.5.0) rather than the latest PyPI release.

In @.github/workflows/continuous-testing.yml:
- Around line 35-36: The workflow still references the mutable tag "uses:
astral-sh/setup-uv@v5"; replace that with a pinned full commit SHA (e.g., "uses:
astral-sh/setup-uv@<COMMIT_SHA>") to match the hardening applied
elsewhere—locate the "uses: astral-sh/setup-uv@v5" entry in the workflow and
update it to the exact commit SHA, ensuring any other occurrences are similarly
pinned and that the chosen SHA is verified for compatibility.

In `@docs/conf.py`:
- Line 65: The line concatenates two assignments into invalid Python; split the
single line into two separate assignments so htmlhelp_basename = "minerva_docs"
and source_encoding = "utf-8" are on their own lines (locate the assignments by
the symbols htmlhelp_basename and source_encoding in conf.py and place a line
break between them).

---

Outside diff comments:
In @.github/workflows/docs.yaml:
- Around line 29-36: The docs build step runs "make html" outside the uv-managed
environment, so sphinx may not be on PATH; modify the "Build docs" step to
execute the make commands through uv (e.g., use "uv run -- make -C docs clean
html" or "uv run -- sh -c 'cd docs && make clean && make html'") so the Sphinx
dependency installed by the "Install project with docs dependencies" (uv sync
--extra docs) is available; update the "Build docs" step to call uv run instead
of a plain shell invocation.

---

Nitpick comments:
In @.github/workflows/continuous-testing.yml:
- Line 42: Replace the existing CI sync invocation to enforce lockfile usage:
update the command that currently runs "uv sync --extra dev" to include the
--frozen flag (e.g., change the invocation in the workflow step that runs the uv
sync command to use --frozen so CI fails if the lockfile would be changed).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 05bb1165-74a3-461f-b4b3-8eb34ac185ad

📥 Commits

Reviewing files that changed from the base of the PR and between 7df0485 and da9532e.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • .github/workflows/auto-format.yml
  • .github/workflows/continuous-testing.yml
  • .github/workflows/docs.yaml
  • .github/workflows/release_to_pypi.yml
  • CONTRIBUTING.md
  • README.md
  • docs/conf.py
  • docs/installation.md
  • pyproject.toml

Comment thread .github/workflows/auto-format.yml Outdated
Comment thread .github/workflows/continuous-testing.yml Outdated
Comment thread docs/conf.py Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] requested changes

@otavioon otavioon Awaiting requested review from otavioon

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GabrielBG0