feat(precommit): mandate pyright + pytest python standard, fix trailing-whitespace id #49
Merged
…ng-whitespace id

Org-wide Python pre-commit standard (decided 2026-06-23). `templates/python.yaml` now defines ruff + ruff-format + pyright (commit) + pytest (pre-push); pyright replaces mypy as the single mandated type checker. pyright/pytest run from the project venv so pyproject dev-deps are the version authority — no rev pin drift. Astral `ty` is a commented opt-in (beta <1.0 as of 2026-06).

Also fixes a latent bug across ALL templates: the pre-commit-hooks id is `trailing-whitespace`, not `trim-trailing-whitespace` (that string is the Nix git-hooks.nix attr name and errors for every non-Nix consumer). Fixed in base, python, terraform, ansible.

- Bump stale pins: zizmor v1.25.2 -> v1.26.1, ruff-pre-commit v0.8.6 -> v0.15.18.
- `ruff` lint hook id -> `ruff-check` (bare `ruff` is now a legacy alias).
- zizmor.yml: add astral-sh/* as a trusted ref-pin publisher (uv/ruff/ty/setup-uv are the mandated toolchain).
- KEEP IN SYNC banner ties python.yaml to nix-devenv/profiles/python.nix.
- README: python template line/table updated mypy -> pyright + pytest.

Reference adopter proven green in VisiCore/vct-splunk-cli#38. nix-devenv profile PR follows.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_01WfUaGNSoryQJduufUVWdnt
Code Review
This pull request updates the pre-commit templates, notably replacing mypy with pyright and pytest in the Python template, updating ruff and zizmor versions, and correcting the trailing whitespace hook ID across templates. Feedback focuses on improving cross-platform compatibility by using `uv run` instead of hardcoded `.venv/bin/` paths for the local Python hooks, updating the documentation accordingly, and ensuring consistency by upgrading the zizmor hook version in the remaining Ansible and Terraform templates.
…mers)

Centralizes the Python lint/format/type/test gate so consumer repos carry NO `run:` and NO copied lint config. Consumers call this via `_ci-gate.yml`'s new `python_ci` toggle (gated on the `python` paths-filter) or directly.

_python-ci.yml:
- gate job: `uv run --extra dev pre-commit run --all-files` (the one place the uv install lives; setup-uv alone can't install a project) + zizmor run CENTRALLY against this repo's canonical zizmor.yml, sparse-fetched at runtime so the policy is never copied into the consumer.
- test job: pytest across a configurable Python matrix.
- Every config value is a `workflow_call` input with a default (python_versions, gate_python_version, zizmor_version, central_config_repo, runner_label) — no hard-coded values. zizmor_version is passed via env into the run step.
- Trusted actions pinned by version tag (checkout v7.0.0, setup-uv v8.2.0).

_ci-gate.yml: add `python_ci` + `python_ci_versions` inputs, a `Python CI` job, and wire it into the Merge Gate `needs:` + `allowed-skips`.

Validated with actionlint (clean). KEEP IN SYNC with nix-devenv python profile and precommit/templates/python.yaml.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_01WfUaGNSoryQJduufUVWdnt

Consistency with base.yaml/python.yaml (gemini-code-assist review). All four templates now pin the same current zizmor.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_01WfUaGNSoryQJduufUVWdnt

The shared reusable-workflow default should exercise every currently non-EOL Python (3.10–3.14 as of 2026-06; 3.9 EOL'd 2025-10). Individual consumers narrow it to e.g. min + latest by passing python_ci_versions / python_versions. Previously the shared default itself was narrowed to 3.10 + 3.14, which under-tested every other consumer.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_01WfUaGNSoryQJduufUVWdnt

Per org policy, trusted actions pin to the major-moving tag, not vX.Y.Z. checkout -> @v7. setup-uv stays @v8.2.0 with a TODO: Astral has not yet published a moving @v8 tag (only v8.x.x full tags exist), so v8.2.0 is the latest available; switch to @v8 when it lands.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_01WfUaGNSoryQJduufUVWdnt
Org-wide Python pre-commit standard, decided 2026-06-23 (panel: live web research + Codex; `ty` evaluated and deferred). Proven green first in the reference adopter VisiCore/vct-splunk-cli#38.

templates/python.yaml

- `.venv/bin` via `repo: local`, so `pyproject.toml` dev-deps are the single version authority — no `rev:` pin to drift.
- `ty` added as a commented opt-in (still beta <1.0 as of June 2026; promote only at 1.0 GA).

Latent bug fixed across ALL templates

The pre-commit-hooks id is `trailing-whitespace` — the templates used `trim-trailing-whitespace`, which is the Nix `git-hooks.nix` attr name and errors for every non-Nix consumer. Fixed in `base`, `python`, `terraform`, `ansible`.

Version refresh (all to current latest, June 2026)

- `v1.25.2` → `v1.26.1`, ruff-pre-commit `v0.8.6` → `v0.15.18`.
- `ruff` lint hook id → `ruff-check` (`ruff` is now a legacy alias).

zizmor.yml

`astral-sh/*: ref-pin` — uv/ruff/ty/setup-uv are the mandated toolchain, trusted to pin by version tag like `actions/*`.

DRY

`python.yaml` carries a KEEP IN SYNC banner tying it to `nix-devenv/flake-modules/profiles/python.nix` (the Nix expression of the same hook set). A generator is the real fix — follow-up.

Validation

All four templates pass `pre-commit validate-config`.

🤖 Generated with Claude Code
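
The two hook-id problems this PR describes (`trim-trailing-whitespace` under pre-commit-hooks, bare `ruff` under ruff-pre-commit) can be caught in consumer repos with a repo-scoped scan. This is an added example, not code from the PR; `audit`, `RENAMES` and `SAMPLE` are hypothetical names, and it assumes block-style YAML read line by line rather than with a full YAML parser.

```python
import re

# Stale ids named in this PR, keyed by (upstream repo suffix, hook id); scoped
# per repo so a `repo: local` hook that reuses a name is not flagged.
RENAMES = {
    ("pre-commit/pre-commit-hooks", "trim-trailing-whitespace"): "trailing-whitespace",
    ("astral-sh/ruff-pre-commit", "ruff"): "ruff-check",
}
REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
ID_RE = re.compile(r"^\s*-?\s*id:\s*(\S+)")

def audit(config_text):
    """Return (line_no, repo, bad_id, suggested_id) for each stale hook id."""
    findings, repo = [], None
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.split(" #", 1)[0]        # drop trailing comments
        if line.lstrip().startswith("#"):    # commented-out hooks are inert
            continue
        m = REPO_RE.match(line)
        if m:
            repo = m.group(1).strip("'\"").removesuffix(".git")
            continue
        m = ID_RE.match(line)
        if m and repo:
            hook = m.group(1).strip("'\"")
            for (suffix, bad), good in RENAMES.items():
                if repo.endswith(suffix) and hook == bad:
                    findings.append((no, repo, bad, good))
    return findings

# Constructed sample, not one of the PR's templates.
SAMPLE = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v0.0.0  # placeholder, the page does not give this pin
    hooks:
      - id: trim-trailing-whitespace
      - id: end-of-file-fixer
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.8.6
    hooks:
      - id: ruff
      - id: ruff-format
  - repo: local
    hooks:
      - id: ruff
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
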