feat(workflows): add no-build opt-out input to all reusable workflows#112
Merged
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (16)
📝 WalkthroughWalkthroughThis PR adds a ChangesConfigurable no-build Input Threading Across Workflows
Supporting Configuration, Documentation, and Diagnostic Updates
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the org-level reusable GitHub Actions workflow library to make uv sync and uv run optionally use --no-build, so downstream repos with build backends (hatchling, setuptools, etc.) can opt out while preserving the default behavior for script-only repos.
Changes:
- Add a
no-buildboolean input (defaulttrue) to reusable Python workflows and thread it through via a job-levelNO_BUILD_FLAG. - Replace hardcoded
--no-buildinuv syncanduv runcommands with$NO_BUILD_FLAGacross the affected workflows (keepinguv pip install --no-build ...security controls intact). - Update repo security and tooling files (SECURITY surface area documentation, TruffleHog hook source pinning, Scorecard token warning).
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
SECURITY.md |
Documents security surface areas relevant to a reusable workflow library. |
.pre-commit-config.yaml |
Switches TruffleHog hook to upstream repo with SHA pinning and updated configuration comments. |
.github/workflows/python-ci.yml |
Adds no-build input and uses $NO_BUILD_FLAG for uv sync/run in CI jobs. |
.github/workflows/python-compatibility.yml |
Adds no-build input and uses $NO_BUILD_FLAG in matrix testing workflow. |
.github/workflows/python-docs.yml |
Adds no-build input and uses $NO_BUILD_FLAG for docs build steps. |
.github/workflows/python-fips-compatibility.yml |
Adds no-build input and uses $NO_BUILD_FLAG in FIPS-related jobs. |
.github/workflows/python-mutation.yml |
Adds no-build input and uses $NO_BUILD_FLAG for mutation testing commands. |
.github/workflows/python-performance-regression.yml |
Adds no-build input and uses $NO_BUILD_FLAG for benchmark execution. |
.github/workflows/python-precommit.yml |
Adds no-build input and uses $NO_BUILD_FLAG for uv sync/run pre-commit. |
.github/workflows/python-release.yml |
Adds no-build input and uses $NO_BUILD_FLAG in test and release jobs. |
.github/workflows/python-sbom.yml |
Adds no-build input and uses $NO_BUILD_FLAG for dependency sync before SBOM generation. |
.github/workflows/python-scorecard.yml |
Adds a warning step when SCORECARD_TOKEN is not provided. |
.github/workflows/python-security-analysis.yml |
Adds no-build input and uses $NO_BUILD_FLAG for uv sync/run in security jobs. |
.github/workflows/python-sonarcloud.yml |
Adds no-build input and uses $NO_BUILD_FLAG for uv sync/run in SonarCloud analysis. |
|
|
||
| - name: Install dependencies | ||
| run: uv sync --all-extras --frozen --no-build | ||
| run: uv sync --all-extras --frozen $NO_BUILD_FLAG |
| To reproduce locally: | ||
| \`\`\`bash | ||
| uv run --frozen --no-build python ${benchmarkScript} --iterations 1000 ${benchmarkArgs} | ||
| uv run --frozen $NO_BUILD_FLAG python ${benchmarkScript} --iterations 1000 ${benchmarkArgs} |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
.pre-commit-config.yaml (1)
61-80: ⚡ Quick winRemove duplicate comments explaining staged-file scanning.
The rationale for staged-file-only scanning is documented twice: once in the block comment (lines 61-66) and again in the hook description field (lines 73-76). This redundancy reduces maintainability.
📝 Consolidate documentation
Keep the block comment above the repo (lines 61-66) and remove the duplicate explanation from the hook entry:
- id: trufflehog name: TruffleHog Secret Scanner description: Detect secrets in your data before committing - # Scan staged files only. The git-history mode (--since-commit HEAD) also - # traverses fetched remote branches in the local object store, producing - # false positives from unmerged branches. Staged-file scanning is the - # correct scope for a pre-commit hook; git history scanning belongs in CI. entry: bash -c 'command -v trufflehog >/dev/null 2>&1 && (git diff --cached -z --diff-filter=d --name-only 2>/dev/null | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown --exclude-paths .trufflehog-exclude) || echo "TruffleHog not installed - skipping secret scan"' language: system pass_filenames: false stages: [pre-commit]🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.pre-commit-config.yaml around lines 61 - 80, The hook contains a duplicate explanatory comment about staged-file-only scanning inside the trufflehog hook entry; remove the repeated explanation from the hook's metadata (the "description" or the inline comment in the entry for the hook with id "trufflehog" and name "TruffleHog Secret Scanner") and keep the single block comment above the repo definition (the existing block comment before repo: https://github.com/trufflesecurity/trufflehog). Ensure only the top-level block comment documents the rationale, leaving the hook entry (id: trufflehog, name: TruffleHog Secret Scanner, entry: ...) free of the duplicated explanation.SECURITY.md (1)
38-40: ⚡ Quick winReplace double-hyphen with standard punctuation.
Line 39 uses a double-hyphen (
--) as a sentence separator. Standard technical writing style prefers commas, semicolons, or sentence restructuring over double-hyphens.✍️ Suggested rephrasing
-This repository is a GitHub Actions workflow library. Its security surface differs from -application repos -- there is no deployed service, but the workflows run with elevated -permissions in every downstream repo that calls them. +This repository is a GitHub Actions workflow library. Its security surface differs from +application repos; there is no deployed service, but the workflows run with elevated +permissions in every downstream repo that calls them.Or alternatively:
-This repository is a GitHub Actions workflow library. Its security surface differs from -application repos -- there is no deployed service, but the workflows run with elevated -permissions in every downstream repo that calls them. +This repository is a GitHub Actions workflow library. Unlike application repos, there is +no deployed service, but the workflows run with elevated permissions in every downstream +repo that calls them.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@SECURITY.md` around lines 38 - 40, Replace the double-hyphen in the sentence "there is no deployed service, but the workflows run with elevated permissions in every downstream repo that calls them." with standard punctuation or restructure the sentence; e.g., use a comma or semicolon ("there is no deployed service, but the workflows run with elevated permissions in every downstream repo that calls them.") or split into two sentences to remove the `--` and keep tone consistent in SECURITY.md.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/python-compatibility.yml:
- Line 265: The run step that currently invokes "uv sync --all-extras --frozen
$NO_BUILD_FLAG" fails to expand NO_BUILD_FLAG on Windows PowerShell runners;
replace the shell-specific $NO_BUILD_FLAG usage with the GitHub Actions context
expansion (e.g., use ${{ env.NO_BUILD_FLAG }} or the appropriate job/matrix
context) so the flag is inserted consistently across all shells, and ensure the
run line references that context token (NO_BUILD_FLAG) instead of a shell
variable.
In @.github/workflows/python-scorecard.yml:
- Around line 103-107: The step "Warn if SCORECARD_TOKEN is absent" must not use
secrets in the step-level if; instead map secrets.SCORECARD_TOKEN into an
environment variable (e.g., SCORECARD_TOKEN: ${{ secrets.SCORECARD_TOKEN }}) on
the step and remove the if: that references secrets; then perform the emptiness
check inside the shell run block (for example, use a shell test like checking if
"$SCORECARD_TOKEN" is empty and echo the warning if so). Update the step that
currently references secrets.SCORECARD_TOKEN in its if to use the env variable
SCORECARD_TOKEN and move the conditional logic into the run script.
---
Nitpick comments:
In @.pre-commit-config.yaml:
- Around line 61-80: The hook contains a duplicate explanatory comment about
staged-file-only scanning inside the trufflehog hook entry; remove the repeated
explanation from the hook's metadata (the "description" or the inline comment in
the entry for the hook with id "trufflehog" and name "TruffleHog Secret
Scanner") and keep the single block comment above the repo definition (the
existing block comment before repo:
https://github.com/trufflesecurity/trufflehog). Ensure only the top-level block
comment documents the rationale, leaving the hook entry (id: trufflehog, name:
TruffleHog Secret Scanner, entry: ...) free of the duplicated explanation.
In `@SECURITY.md`:
- Around line 38-40: Replace the double-hyphen in the sentence "there is no
deployed service, but the workflows run with elevated permissions in every
downstream repo that calls them." with standard punctuation or restructure the
sentence; e.g., use a comma or semicolon ("there is no deployed service, but the
workflows run with elevated permissions in every downstream repo that calls
them.") or split into two sentences to remove the `--` and keep tone consistent
in SECURITY.md.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: cc38b384-aa25-4b6e-b003-ac3ae1f875e6
📒 Files selected for processing (14)
.github/workflows/python-ci.yml.github/workflows/python-compatibility.yml.github/workflows/python-docs.yml.github/workflows/python-fips-compatibility.yml.github/workflows/python-mutation.yml.github/workflows/python-performance-regression.yml.github/workflows/python-precommit.yml.github/workflows/python-release.yml.github/workflows/python-sbom.yml.github/workflows/python-scorecard.yml.github/workflows/python-security-analysis.yml.github/workflows/python-sonarcloud.yml.pre-commit-config.yamlSECURITY.md
Collaborator
Author
PR Review4 Critical | 1 Important | 4 Suggested | 2 Informational Critical (must fix before merge)
Important (should fix)
Suggested
Copilot review was not auto-requested (org ruleset rule not active). SonarCloud findings not checked (MCP not available). 🤖 Generated with Claude Code |
…ning, expand SECURITY.md - Switch TruffleHog pre-commit hook from local script to upstream trufflesecurity/trufflehog repo hook (v3.92.3, SHA-pinned) - Add SCORECARD_TOKEN absence warning step to python-scorecard workflow so callers get an actionable message when Branch-Protection scores 0 - Expand SECURITY.md with Security Surface Areas section covering workflows, secrets, and dependency supply chain - Add pragma: allowlist secret to two detect-secrets false positives (TruffleHog SHA and SCORECARD_TOKEN comparison expression) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Repos using a build backend (hatchling, setuptools) fail with
"uv sync --no-build" because uv refuses to build the repo's own
package. Prior to this change, --no-build was hardcoded in every
workflow, making those repos unable to use the shared workflows.
Adds a no-build: boolean input (default: true) to all 11 affected
workflows. Callers with a build backend set no-build: false to let
uv build the local package while still refusing to build third-party
source distributions.
Implementation: each job exports NO_BUILD_FLAG at the job env level
(${{ inputs.no-build && '--no-build' || '' }}), then all uv sync/run
commands reference $NO_BUILD_FLAG unquoted so an empty value word-
splits away cleanly.
Workflows changed: python-ci, python-compatibility, python-docs,
python-fips-compatibility, python-mutation, python-performance-
regression, python-precommit, python-release, python-sbom,
python-security-analysis, python-sonarcloud.
Note: uv pip install --no-build lines (S8541/S8544 security fix from
PR #110) are intentionally untouched -- those guard against executing
arbitrary sdist build scripts from PyPI, not local package builds.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- python-compatibility.yml: add shell: bash to Install dependencies step to prevent $NO_BUILD_FLAG from silently expanding to nothing on Windows matrix legs where the default shell is PowerShell - python-scorecard.yml: replace unreliable secrets-in-if expression with env var + shell check pattern (runner issue #520 causes direct secret comparison in if: to behave inconsistently) - .pre-commit-config.yaml: remove language: system from TruffleHog hook (not overridable for remote repos; upstream uses language: golang which is the correct behavior); clarify comment about entry override intent - CHANGELOG.md: add Unreleased entries for feat/fix commits in this PR - SECURITY.md: replace double-hyphen clause separator with semicolon Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
williaby
force-pushed
the
claude/no-build-opt-out-0
branch
from
2e3e3dd to
2b09280
Compare
…nce regression
The Post PR Comment step in python-performance-regression.yml uses
actions/github-script. The PR body template literal used $NO_BUILD_FLAG
which is a shell env var not accessible in JavaScript. Add NO_BUILD_FLAG
to the step env: block and reference it as ${noBuildFlag} (via
process.env.NO_BUILD_FLAG) in the template literal so the reproduce-locally
command in the PR comment reflects the actual flag used in CI.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Collaborator
Author
Fix SummaryAll findings from the pr-review have been addressed. The PR has been rebased onto main (resolving the conflict with PR #107 which removed Critical fixes applied
Other fixes
Pre-commit gateAll hooks pass: trim-whitespace, yamllint, markdownlint, detect-secrets, TruffleHog, no-em-dash, commitizen. Merge statePR is now |
|
1 task
williaby
pushed a commit
that referenced
this pull request
May 16, 2026
The docs table did not list the public no-build boolean input (default true) added by PR #112; consumers had no way to discover how to opt out of --no-build for projects with a build backend like hatchling. Inserted in canonical YAML order after the system-deps-windows row.
williaby
pushed a commit
that referenced
this pull request
May 16, 2026
The docs table did not list the public no-build boolean input (default true) added by PR #112; consumers had no way to discover how to opt out of --no-build for projects with a build backend like hatchling. Inserted in canonical YAML order after the system-deps-windows row.
williaby
added a commit
that referenced
this pull request
May 16, 2026
* fix(workflow-templates): correct fips-compatibility reusable path and cifuzzy SHA tag - python-fips-compatibility.yml: add missing .github/ path segment so the starter template resolves the reusable workflow at the actual location (ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml); the previous path pointed to a non-existent file at repo root and would fail to load (PR #70, #94 review). - python-cifuzzy.yml: change the SHA comment for github/codeql-action/upload-sarif from '# v4' to '# v4.35.4' to match every other usage of the same SHA in this repo (PR #103 review). * docs(workflows): add system-deps inputs to python-compatibility table Adds system-deps-ubuntu, system-deps-macos, and system-deps-windows rows to the inputs table so the caller-facing documentation matches the actual workflow_call interface (PR #105 review). * docs(community): route vulnerability reports to private channels - profile/README.md: link to the GitHub Security Advisory creation form (/security/advisories/new) instead of the advisories list page, so reporters land directly on the private submission UI (PR #104 review). - SUPPORT.md: split the Contact section into general inquiries (Issues or Discussions) and security vulnerabilities (private reporting via Security Advisories), so the broad 'all inquiries' wording no longer routes vulnerability reports to public channels (PR #104 review). * docs(agents): clarify that the Bats test suite under tests/ exists CLAUDE.md and GEMINI.md previously stated 'no test suite' in the Repository Purpose / Repository Context sections. The repo does have a Bats test suite under tests/ (covered by .github/workflows/shell-tests.yml), so the statement was misleading agents about validation steps. Narrows the statement to 'no Python package' and points to the Bats suite (PR #98 review). * docs(changelog): record fips path and cifuzzy SHA tag fixes Adds two entries under [Unreleased] Fixed to surface the workflow-templates fixes already on this branch so downstream consumers know to re-copy the starter templates after the fips path correction. * docs(agents): scope Bats coverage claim to update-pinned-actions.sh The previous wording 'covers the shell scripts in scripts/' implied broader validation than exists; only update-pinned-actions.bats runs, covering one of the six shell scripts in scripts/. Names the specific covered script and notes that the others are not yet tested. * docs(workflows): fill default cells for system-deps inputs The three system-deps-{ubuntu,macos,windows} rows had empty Default cells, while every other row in the table specifies an explicit backtick-quoted default. The workflow YAML has no default: key for these inputs, so the actual default is the empty string; '' makes the table uniform and removes ambiguity between 'no documented default' and 'unset'. * docs(workflows): add no-build input row to python-compatibility table The docs table did not list the public no-build boolean input (default true) added by PR #112; consumers had no way to discover how to opt out of --no-build for projects with a build backend like hatchling. Inserted in canonical YAML order after the system-deps-windows row. --------- Co-authored-by: Claude <noreply@anthropic.com>
williaby
added a commit
that referenced
this pull request
May 18, 2026
…put json Resolves SonarCloud rule `githubactions:S8541` (MAJOR / VULNERABILITY) on `python-security-analysis.yml` which fired on the Safety Vulnerability Scan step introduced in PR #138. Root cause: the existing `$NO_BUILD_FLAG` env interpolation pattern (from PR #112) is invisible to SonarCloud's S8541 regex, which scans for a literal `--no-build` token on the `uv run` line. The rule cannot statically prove the flag is set when it is passed via a variable. Fix: use a literal `--no-build` for `safety scan`. The flag has no practical effect on safety scan (which reads dependency metadata from pyproject.toml/uv.lock and never runs setup scripts), but making it visible to the static analyzer clears the Quality Gate. Also drops `--output json` since stdout is not piped or redirected; `--save-as json safety-report.json` writes the artifact directly. Closes the SonarCloud Quality Gate fail on the safety-version-drift chain (#136, #137, #138).
williaby
added a commit
that referenced
this pull request
May 18, 2026
* fix(security): migrate Safety check to safety 3.x scan command `safety check` was deprecated by Safety upstream after 1 May 2024 and its CLI semantics drifted in safety 3.x. After #137 fixed the `--output` flag handling, every consumer repo's Safety step still fails with: HINT: [Errno 2] No such file or directory: '.safety-policy.yml' Process completed with exit code 2. safety 3.x's legacy `check` command requires a `.safety-policy.yml` in the project root, which is a per-consumer requirement that should not be imposed by a shared reusable workflow. Migration: replace `safety check --file requirements-scan.txt --json` with the safety 3.x recommended invocation: safety scan --output json --save-as json safety-report.json What changes: - `safety scan` auto-discovers project files (pyproject.toml, requirements*.txt, uv.lock) -- no need to pre-generate requirements-scan.txt via `uv export`. - `--output json` controls the stdout format (still propagates exit code on findings). - `--save-as json safety-report.json` persists the same report to the artifact path. Two-arg form is the documented safety 3.x syntax: FORMAT FILE_PATH. Side effects: - The `uv export` line is dropped from the run step (safety scan reads pyproject/lock directly). - `requirements-scan.txt` is removed from the Upload Security Reports artifact list (it is no longer produced). This is the third and final fix in the safety-version-drift chain (#136 egress-policy + #137 --output syntax + this PR). The deeper fix would be pinning safety to 2.x in the workflow, but Safety upstream has communicated that 2.x is end-of-life; the long-term path is the scan command this PR adopts. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(quality): inline --no-build for safety scan; drop redundant --output json Resolves SonarCloud rule `githubactions:S8541` (MAJOR / VULNERABILITY) on `python-security-analysis.yml` which fired on the Safety Vulnerability Scan step introduced in PR #138. Root cause: the existing `$NO_BUILD_FLAG` env interpolation pattern (from PR #112) is invisible to SonarCloud's S8541 regex, which scans for a literal `--no-build` token on the `uv run` line. The rule cannot statically prove the flag is set when it is passed via a variable. Fix: use a literal `--no-build` for `safety scan`. The flag has no practical effect on safety scan (which reads dependency metadata from pyproject.toml/uv.lock and never runs setup scripts), but making it visible to the static analyzer clears the Quality Gate. Also drops `--output json` since stdout is not piped or redirected; `--save-as json safety-report.json` writes the artifact directly. Closes the SonarCloud Quality Gate fail on the safety-version-drift chain (#136, #137, #138). --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Repos using a build backend (hatchling, setuptools) fail CI with errors like:
The cause:
uv sync --no-buildwas hardcoded into every reusable workflow. That flag is correct for repos that are pure scripts with no build step, but it prevents repos with a proper package build from using the shared workflow library at all.Root Cause
There are two distinct uses of
--no-buildin these workflows:uv pip install --no-build 'pkg==version'(security fix from PR fix(workflows): replace unsafe pip installs with uv pip install --no-build #110) -- refuses to download and execute arbitrary sdist build scripts from PyPI. This is an S8541/S8544 control and must stay.uv sync --no-build/uv run --frozen --no-build(pre-existing) -- refuses to build the calling repo's own package. This breaks repos with hatchling/setuptools.PR #110 fixed #1 but did not address #2.
Solution
Add a
no-buildboolean input (default:true) to all 11 affected workflows. Callers with a build backend opt out withno-build: false:Implementation: each job exports
NO_BUILD_FLAGat the jobenv:level so the variable is available to every step without per-step changes:Then all
uv sync/runcommands reference$NO_BUILD_FLAGunquoted -- an empty string word-splits away cleanly, passing no extra argument.Files Changed
Commit 1 -- pre-existing unrelated fixes bundled with the pre-commit run:
SECURITY.md-- adds Security Surface Areas section.pre-commit-config.yaml-- upgrades TruffleHog hook to upstream repo (v3.92.3, SHA-pinned) instead of local script; addspragma: allowlist secretfor SHA false positivepython-scorecard.yml-- addsSCORECARD_TOKENabsence warning so callers get an actionable message when Branch-Protection scores 0; addspragma: allowlist secretfor false positiveCommit 2 -- the no-build fix:
python-ci.yml-- 2 jobs patched (quality-checks,matrix-testing)python-compatibility.yml-- 1 job patched (test-matrix)python-docs.yml-- 1 job patched (build)python-fips-compatibility.yml-- 2 jobs patched (fips-check,fips-runtime-test)python-mutation.yml-- 1 job patched (mutation-testing)python-performance-regression.yml-- 1 job patched (performance-regression)python-precommit.yml-- 1 job patched (pre-commit)python-release.yml-- 2 jobs patched (test,release)python-sbom.yml-- 1 job patched (generate-sbom)python-security-analysis.yml-- 2 jobs patched (codeql,python-security)python-sonarcloud.yml-- 1 job patched (sonarcloud-analysis)Test Plan
no-build: falseno-build: trueuv pip install --no-buildlines (S8541/S8544 security controls) are untouched in all filesGenerated with Claude Code
Summary by CodeRabbit
New Features
no-buildinput parameter (default: enabled).Chores
Documentation