Configuration and automation¶
Authoritative checks¶
Run the complete local validation suite with:
make check
It verifies the lockfile, Ruff, Markdown, Dockerfiles, GitHub Actions workflows, repository workflow environment references, spelling, secret scanning, Bandit, deptry, pip-audit, tests and coverage, minimum direct dependency versions, basedpyright, documentation links, distribution metadata, and SBOM generation.
Dependency groups¶
Python development dependencies are organized into focused dependency groups:
test, lint, type, docs, security, release, and automation. The
aggregate dev group includes all of them and remains the default local
development environment used by make install, CI, nox, and the devcontainer.
Use focused groups only when you intentionally need a smaller environment, for example:
uv sync --locked --only-group docs
uv sync --locked --only-group security
Documentation¶
Build the documentation site with:
make docs
Check links in the built site with:
make docs-linkcheck
make docs-linkcheck runs mkdocs build --strict and then checks the generated
site with LinkChecker. API pages under reference/api/ are generated from
package docstrings during the build.
MkDocs is configured to treat documentation warnings as failures. Navigation
entries, local links, anchors, and generated API reference pages must stay in
sync with the source tree. The local development server also watches
src/benchmatrix/ so docstring changes can refresh generated reference pages.
Spelling checks include regular repository files and hidden GitHub configuration
under .github/, so issue templates, workflow names, and pull request template
text stay covered by the same make spellcheck target.
Repository settings¶
Repository settings that can be managed as code are declared in .github/settings.yml.
The file is intended for the GitHub Settings app and covers repository metadata,
merge strategy defaults, vulnerability alert settings, and main branch
protection. External setup that still requires a service UI is tracked in the
external repository setup runbook.
GitHub Actions workflows¶
The repository uses focused workflows that call the same Make targets used locally:
.github/workflows/ci.ymlruns quality checks, supported-Python tests, coverage and JUnit report artifact upload, minimum-dependency tests, packaging smoke checks, SBOM generation, and scheduled dependency audits..github/workflows/docs.ymlbuilds docs, checks generated-site links, uploads the link-check report, and deploys the MkDocs site frommainthrough GitHub Pages..github/workflows/draft-release.ymlvalidates release metadata when av*tag is pushed, extracts release notes fromCHANGELOG.md, builds and verifies release assets, and creates or updates the draft GitHub Release with the package source distribution, wheel, and SBOM attached; it also supports manual dispatch for retrying an existing tag..github/workflows/release.ymlbuilds release artifacts, uploads package distributions and the SBOM as separate Actions artifacts, attaches them to the GitHub Release, attests them, publishes the distributions to PyPI through Trusted Publishing, and verifies installation from PyPI after publication..github/workflows/release-verify.ymlmanually re-runs post-release installation verification from PyPI..github/workflows/docker.ymlbuilds runtime and test Docker images, scans them for critical vulnerabilities, and publishes them to GHCR frommainandv*tags..github/workflows/workflow-lint.ymlruns actionlint and zizmor for workflow configuration changes, using.github/zizmor.ymlfor project-specific audit policy..github/workflows/labeler.ymlapplies pull request labels from.github/labeler.ymlwithout checking out untrusted pull request code..github/workflows/codeql.yml,.github/workflows/dependency-review.yml, and.github/workflows/scorecard.ymlprovide GitHub-native security and supply-chain checks.
Standalone SBOM and artifact-attestation workflows are intentionally not added:
make build, CI packaging, and the release workflow already generate SBOMs and
release provenance without an extra scheduler. Release drafting is limited to a
small tag-triggered workflow so the deployment action remains publishing the
reviewed GitHub Release.
Pull request labels¶
Pull request labels are applied automatically by GitHub Actions:
.github/labeler.ymlmaps changed files and branch names to labels..github/workflows/labeler.ymlrunsactions/labeleron pull requests..github/labels.ymldocuments the repository's recommended label set for maintainers.
Labels are not synced automatically. Create or update labels manually in GitHub when the recommended label set changes.
Dependabot¶
Dependency version update automation is configured in .github/dependabot.yml.
It runs weekly, uses conservative pull request limits, and covers the ecosystems
that have manifests in this repository:
uvforpyproject.tomlanduv.lock;npmfor Markdown and spelling tooling inpackage.json;pre-commitfor hook revisions in.pre-commit-config.yaml;github-actionsfor workflow actions under.github/workflows/;dockerfor the runtime Docker image and devcontainer base images;devcontainersfor devcontainer features.
Dependabot pull requests should be labeled with dependencies and
maintenance, plus a more specific label such as github-actions,
automation, or dev-environment where applicable.
Multi-version automation¶
Run tests against the minimum direct dependency set on the oldest supported Python version with:
make test-min-deps
Run the nox matrix with:
make test-matrix
Useful focused sessions:
uv run nox -s tests-3.11
uv run nox --tags quality
uv run nox --tags docs
uv run nox -s release
Docker images¶
Build and smoke-test the runtime image locally with:
make docker-build
make docker-smoke
Build and run the test image locally with:
make docker-test
Run all local Docker checks with:
make docker-check
Scan locally built images for critical vulnerabilities with:
make docker-scan
make check runs Dockerfile linting but does not build Docker images, so normal
local validation does not require a Docker daemon. The devcontainer includes the
Docker-outside-of-Docker feature so contributors can run make docker-check
after rebuilding the devcontainer. The Docker workflow builds, scans, and
publishes images in GitHub Actions.
Generated artifacts¶
dist/contains built distributions and generated SBOMs.reports/contains local test, coverage, and link-check reports.site/contains the local MkDocs output..nox/contains local nox environments.
These directories are local artifacts and should not be committed.