[CI] Python 3.14 #955
Note: Currently processing new changes in this PR. This may take a few minutes, please wait.
Run configuration: Path: .coderabbit.yaml; Review profile: ASSERTIVE; Plan: Enterprise. Files selected for processing (1).
Walkthrough
Pins Python to 3.14 in
Changes
Python 3.14 support and uv locked CI
Estimated code review effort: 2 (Simple), ~10 minutes
Pre-merge checks: 4 passed (4 passed checks)
Actionable comments posted: 2
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)
8-39: Security & Privacy | Major | Quick win: Set explicit least-privilege `permissions` for this workflow.
The workflow still relies on repository-default `GITHUB_TOKEN` scopes. For lint/test/smoke jobs that only read the repo, add an explicit `permissions:` block (at least `contents: read`) so this PR stays compliant with the ruleset and does not inherit broader token access than necessary.
Also applies to: 41-136
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml around lines 8 - 39, the workflow job currently inherits the default GITHUB_TOKEN scopes instead of declaring least-privilege access. Update the workflow definition to add an explicit permissions block for the lint job (and the other affected jobs in this workflow), using at minimum contents: read since these steps only need repository read access. Place the permissions near the job definitions so they are easy to find alongside linting and documentation build steps.
Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 22-25: The CI workflow still uses mutable action tags, so update
every occurrence of actions/checkout@v6, actions/setup-python@v6, and
astral-sh/setup-uv@v5 in the workflow jobs to fixed commit SHA references
instead. Keep the same job setup and options, but replace the version tags in
the action declarations with pinned SHAs so the workflow cannot drift upstream.
In @doc/index.rst:
- Around line 48-50: Update the venv setup instructions to use the documented
interpreter explicitly instead of a generic python command. In the setup example
near the installation steps, replace the venv invocation with an
interpreter-specific command or a uv venv command, and keep the surrounding text
in sync with the preferred version referenced from .python-version so users
actually create the environment with the intended Python version.
---
Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 8-39: The workflow job currently inherits the default GITHUB_TOKEN
scopes instead of declaring least-privilege access. Update the workflow
definition to add an explicit permissions block for the lint job (and the other
affected jobs in this workflow), using at minimum contents: read since these
steps only need repository read access. Place the permissions near the job
definitions so they are easy to find alongside linting and documentation build
steps.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: e49ef3c2-7ea3-4b6f-a490-c60ba0f8c44d
Files selected for processing (4)
- .github/workflows/ci.yml
- .python-version
- doc/index.rst
- pyproject.toml
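The two ci.yml findings in the review above (mutable action tags and jobs with no explicit `permissions:` block) can be checked mechanically before pushing. The script below is an added example, not code from this PR, from the project, or from CodeRabbit. It is a stdlib-only, line-oriented scan rather than a full YAML parser, so it assumes the usual two-space layout of `jobs:` / `<job>:` / `permissions:`; the embedded workflow text is constructed for illustration, and its 40-hex value is a placeholder SHA, not a real actions/checkout commit.

```python
"""Scan a GitHub Actions workflow for two supply-chain hygiene issues:
`uses:` refs that are mutable tags/branches instead of commit SHAs, and jobs
with no explicit `permissions:` block (so they inherit the repository-default
GITHUB_TOKEN scopes). Stdlib only; a line-oriented scan, not a YAML parser.
"""
import re
import sys

# A full 40-hex commit SHA is the only ref that cannot move upstream.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")   # job key directly under `jobs:`
JOB_PERMS_RE = re.compile(r"^    permissions:")      # job-level permissions block
TOP_PERMS_RE = re.compile(r"^permissions:")          # workflow-level permissions block

# Constructed sample workflow (not the PR's real ci.yml). The 40-hex value is a
# placeholder SHA, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: astral-sh/setup-uv@v5
      - run: uv run ruff check .
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v6 (placeholder SHA)
      - uses: ./.github/actions/local-setup
      - run: uv run pytest
"""


def find_mutable_uses(text):
    """Return [(line_no, target)] for each `uses:` not pinned to a 40-hex SHA.

    Local (./) and docker:// actions are skipped: they are not resolved from a
    third-party git ref, so tag-versus-SHA pinning does not apply to them.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue
        ref = target.rsplit("@", 1)[1] if "@" in target else ""
        if not SHA_RE.match(ref):
            findings.append((n, target))
    return findings


def find_jobs_without_permissions(text):
    """Return job names with neither a workflow-level nor a job-level `permissions:`.

    A workflow-level block counts as explicit for every job; otherwise each job
    must declare its own, or it inherits the repository default token scopes.
    """
    lines = text.splitlines()
    if any(TOP_PERMS_RE.match(line) for line in lines):
        return []
    jobs = {}          # job name -> has its own permissions block
    current = None
    in_jobs = False
    for line in lines:
        if re.match(r"^jobs:\s*$", line):
            in_jobs = True
            continue
        if in_jobs and line and not line[0].isspace():
            in_jobs = False    # another top-level key ends the jobs mapping
            current = None
        if not in_jobs:
            continue
        m = JOB_RE.match(line)
        if m:
            current = m.group(1)
            jobs[current] = False
        elif current and JOB_PERMS_RE.match(line):
            jobs[current] = True
    return [name for name, has_perms in jobs.items() if not has_perms]


def check_workflow(text):
    """Combine both scans into one report dict; empty lists mean clean."""
    return {
        "mutable_uses": find_mutable_uses(text),
        "jobs_without_permissions": find_jobs_without_permissions(text),
    }


if __name__ == "__main__":
    # Usage: python check_workflow.py [path/to/workflow.yml]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    report = check_workflow(text)
    for n, target in report["mutable_uses"]:
        print(f"line {n}: mutable ref {target!r}; pin to a commit SHA")
    for job in report["jobs_without_permissions"]:
        print(f"job {job!r}: no explicit permissions block; add at least contents: read")
```

Run against the sample, the `lint` job is reported for both issues while `test` passes: its only third-party action is SHA-pinned, the local action is skipped, and it declares `contents: read`. Pinning to a SHA with a trailing `# vN` comment keeps the human-readable version visible while removing the ability of an upstream tag move to change what CI executes.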