Skip to content

feat: add code quality toolchain (ruff, mypy, pre-commit, dependabot) #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Aureliolo merged 2 commits into from
Feb 27, 2026
Merged

feat: add code quality toolchain (ruff, mypy, pre-commit, dependabot) #63

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3a92a8e
feat: add code quality toolchain (ruff, mypy, pre-commit, dependabot)
Aureliolo Feb 27, 2026
b69ac34
fix: address PR review items from local agents, Copilot, and Gemini
Aureliolo Feb 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
version: 2

updates:
- package-ecosystem: uv
directory: /
schedule:
interval: daily
time: "06:00"
timezone: Etc/UTC
groups:
minor-and-patch:
update-types: [minor, patch]
reviewers:
- Aureliolo
labels:
- type:chore

- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
time: "06:00"
timezone: Etc/UTC
groups:
all:
update-types: [major, minor, patch]

@gemini-code-assist gemini-code-assist Bot Feb 27, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Grouping major updates with minor and patch updates for github-actions can make it difficult to identify and manage breaking changes. It's safer to handle major version bumps in separate PRs. I'd suggest creating a group for just minor and patch updates, which will leave major updates to be handled individually.

For consistency with the uv configuration, you could also add a reviewers block after this groups block.

    groups:
      minor-and-patch:
        update-types: [minor, patch]

labels:
- type:ci
42 changes: 42 additions & 0 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
ci:
autoupdate_schedule: weekly
autofix_prs: true
autofix_commit_msg: "style: auto-fix pre-commit hooks"
autoupdate_commit_msg: "chore: update pre-commit hooks"
skip: [commitizen]

default_install_hook_types: [pre-commit, commit-msg]

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
args: [--unsafe]

Copilot AI Feb 27, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The check-yaml hook uses the --unsafe flag which allows custom YAML tags. While this may be necessary for certain YAML files in the project, it reduces the security benefits of YAML validation by allowing arbitrary Python object instantiation. Consider removing --unsafe unless there's a specific need for custom YAML tags in the project, or document why this flag is required.

Suggested change
args: [--unsafe]

Copilot uses AI. Check for mistakes.

@gemini-code-assist gemini-code-assist Bot Feb 27, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

The "check-yaml" hook is configured with the "--unsafe" flag, which is a critical security vulnerability. This flag causes the hook to use "yaml.load()" instead of "yaml.safe_load()", making it vulnerable to arbitrary code execution if it processes malicious YAML files. This could lead to a compromise of the CI environment. It is strongly recommended to remove this argument to ensure secure YAML parsing.

       - id: check-yaml

- id: check-toml
- id: check-json
- id: check-merge-conflict
- id: check-added-large-files
args: [--maxkb=1024]
- id: no-commit-to-branch
args: [--branch, main]

- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.15.4
hooks:
- id: ruff
args: [--fix]
- id: ruff-format

- repo: https://github.com/gitleaks/gitleaks
rev: v8.24.3
hooks:
- id: gitleaks

- repo: https://github.com/commitizen-tools/commitizen
rev: v4.13.9
hooks:
- id: commitizen
stages: [commit-msg]

Copilot AI Feb 27, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The .pre-commit-config.yaml does not include mypy as a hook, even though issue #52's acceptance criteria mentions "type checking" as one of the hooks to include. Consider adding mypy to the pre-commit hooks to catch type errors before commit. This can be done by adding a hook entry like:

- repo: https://github.com/pre-commit/mirrors-mypy
  rev: v1.19.1
  hooks:
    - id: mypy
      additional_dependencies: [pydantic]

If the omission is intentional (e.g., because mypy is slow or should only run in CI), this should be documented.

Suggested change
stages: [commit-msg]
stages: [commit-msg]
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.19.1
hooks:
- id: mypy
additional_dependencies: [pydantic]

Copilot uses AI. Check for mistakes.
118 changes: 118 additions & 0 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,121 @@ path = "src/ai_company/__init__.py"

[tool.hatch.build.targets.wheel]
packages = ["src/ai_company"]

[dependency-groups]
dev = [
"commitizen>=4.13.9",
"mypy>=1.19.1",
"pre-commit>=4.5.1",
"pre-commit-uv>=4.2.1",
"pydantic>=2.12.5",
"ruff>=0.15.4",
]
Comment on lines +27 to +35

Copilot AI Feb 27, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pydantic 2.12.5 is listed only in dev dependencies, but the mypy configuration uses the pydantic plugin suggesting it will be used in production code. According to the stored project memories, the project will use "Pydantic validation for company structure, agents, and settings" (from configuration format memory). Consider moving pydantic to the main dependencies list in pyproject.toml if it will be used in production code, not just for development/type-checking purposes.

Copilot uses AI. Check for mistakes.

# ---------------------------------------------------------------------------
# Ruff — linter + formatter (replaces flake8, isort, pyupgrade, etc.)
# ---------------------------------------------------------------------------
[tool.ruff]
target-version = "py314"
line-length = 88
src = ["src", "tests"]

[tool.ruff.lint]
select = [
"F", # pyflakes
"E", "W", # pycodestyle
"C90", # mccabe complexity
"I", # isort
"N", # pep8-naming
"UP", # pyupgrade
"B", # flake8-bugbear
"A", # flake8-builtins
"C4", # flake8-comprehensions
"DTZ", # flake8-datetimez
"T10", # flake8-debugger
"EM", # flake8-errmsg
"ISC", # flake8-implicit-str-concat
"ICN", # flake8-import-conventions
"LOG", # flake8-logging
"PIE", # flake8-pie
"T20", # flake8-print
"PT", # flake8-pytest-style
"Q", # flake8-quotes
"RSE", # flake8-raise
"RET", # flake8-return
"SLF", # flake8-self
"SIM", # flake8-simplify
"TID", # flake8-tidy-imports
"TCH", # flake8-type-checking
"ARG", # flake8-unused-arguments
"PTH", # flake8-use-pathlib
"PERF", # perflint
"FURB", # refurb
"RUF", # ruff-specific rules
"S", # flake8-bandit (security)
"FAST", # fastapi
"ASYNC", # flake8-async
"FBT", # flake8-boolean-trap
"PL", # pylint
"TRY", # tryceratops
"FLY", # flynt
"D", # pydocstyle
]
ignore = [
"D100", # missing docstring in public module
"D104", # missing docstring in public package
"D107", # missing docstring in __init__
"ISC001", # conflicts with ruff formatter
]

[tool.ruff.lint.pydocstyle]
convention = "google"

[tool.ruff.lint.per-file-ignores]
"tests/**/*.py" = [
"S101", # assert allowed in tests
"ARG", # unused arguments (fixtures)
"FBT", # boolean trap (parametrize)
"D", # no docstrings required in tests
"PLR2004", # magic values in tests
"SLF001", # private member access in tests
]
"__init__.py" = ["D104"]

[tool.ruff.lint.isort]
known-first-party = ["ai_company"]

[tool.ruff.format]
docstring-code-format = true

# ---------------------------------------------------------------------------
# mypy — static type checker (strict mode)
# ---------------------------------------------------------------------------
[tool.mypy]
python_version = "3.14"
strict = true
warn_return_any = true
warn_unused_configs = true
plugins = ["pydantic.mypy"]

[[tool.mypy.overrides]]
module = "tests.*"
disallow_untyped_defs = false

# ---------------------------------------------------------------------------
# pyright — IDE type checking only (not used in CI)
# ---------------------------------------------------------------------------
[tool.pyright]
pythonVersion = "3.14"
typeCheckingMode = "basic"
venvPath = "."
venv = ".venv"

# ---------------------------------------------------------------------------
# commitizen — conventional commits
# ---------------------------------------------------------------------------
[tool.commitizen]
name = "cz_conventional_commits"
version = "0.1.0"
version_files = ["src/ai_company/__init__.py:__version__"]
tag_format = "v$version"
Loading