chore(template): fix placeholders, downgrade python-version, drop redundant safety #58
Merged
The lint, type-check, security, and docs jobs in ci.yml were pinned to Python 3.14 (unreleased at time of original edit, and an outlier vs the test matrix which covers 3.11/3.12/3.13). The step names also said 'Set up Python 3.12' while the version was actually 3.14, compounding the confusion. Pin to 3.13 (latest stable, top of the test matrix) and drop the version from the step name so future bumps don't desync the label.
pip-audit is the PyPA-maintained advisory scanner pulling from the same PyPI advisory database (osv.dev). safety is the legacy duplicate from Pyup and carries its own transitive vulnerabilities (joblib, nltk) that have been blocking CI on all PRs. The CI workflow already only invokes pip-audit; safety was installed via the [dev] extra but never run. Removing it eliminates the false-positive vuln chain in transitive deps and shrinks the dev install. Refs #56.
The pyproject.toml placeholders ('hello-world', 'Your Name',
'your.email@example.com') looked like committed defaults rather than
intentional template tokens. Forks could ship without realizing they
needed to change them.
Replace with explicit REPLACE_ME tokens, add a header comment pointing
at TEMPLATE.md, and add the checklist itself covering project rename,
package rename, README badges, and CI slug updates.
Also flag the ruff isort known-first-party list — it still references
hello_world and needs to match the renamed package.
Codecov Report: All modified and coverable lines are covered by tests.
Code Review
This pull request introduces a template instantiation checklist in TEMPLATE.md and updates pyproject.toml with placeholders to guide users after forking the repository. Additionally, the safety dependency has been removed from the development requirements. Feedback suggests enhancing the checklist to include instructions for updating package-level metadata in the package's __init__.py file.
Address gemini-code-assist review: the rename step renamed the package directory and import paths, but the package-level metadata (__author__, __email__, __version__) in src/<pkg>/__init__.py was left unmentioned. Those values are hardcoded to the template author and need to be replaced by every fork. Restructure step 2 as a bulleted list so the metadata reminder lives at the same level as the import update.
Summary
Three independent template-hygiene fixes surfaced by the 2026-05-22 workspace sweep.
1. python-version desync in ci.yml

The lint, type-check, security, and docs jobs were pinned to Python 3.14 while their step names still said "Set up Python 3.12" — a stale label from a prior bump that never propagated to the version field. The test matrix (tests.yml) tops out at 3.13, so the single-version jobs were running on a Python release ahead of what the tests cover.

Pin to 3.13 (latest stable, top of the test matrix) and drop the version number from the step name so future bumps don't desync the label again.

2. Redundant security tooling

Both safety and pip-audit were installed via [project.optional-dependencies] dev, but the CI workflow only runs pip-audit. safety is the legacy duplicate from Pyup; pip-audit is the PyPA-maintained advisory scanner backed by the same osv.dev database.

Worse: safety carries its own transitive vulns (joblib, nltk) that have been blocking CI on every PR (#56, #57). Dropping safety eliminates the false-positive chain entirely.

3. Placeholder identity in pyproject.toml

name = "hello-world", authors = [{name = "Your Name", email = "your.email@example.com"}], and the ruff known-first-party = ["hello_world"] were committed defaults that looked indistinguishable from real values. Forks could ship without realizing they needed to change them.

Switch to explicit REPLACE_ME-project-name / REPLACE_ME Author tokens, add a TEMPLATE: ... header comment in pyproject.toml, and add TEMPLATE.md with the full fork-and-edit checklist (project rename, package rename, README badges, CI slug updates, removal of the checklist itself).

Closes / refs

- safety drop) is the issue's suggested fix (Feature: Update pre-commit hooks and dependencies #1) and supersedes fix(ci): ignore disputed joblib + nltk advisories in pip-audit #57's "ignore disputed advisories" workaround.

Test plan

- actionlint .github/workflows/*.yml — clean
- python3 -c "import tomllib; tomllib.load(open('pyproject.toml','rb'))" — parses
- --no-verify)
- --ignore-vuln workarounds
- ci.yml jobs run on Python 3.13