
chore: Sync with rhiza #285

Merged
tschm merged 1 commit into main from rhiza/20561446968 on Dec 29, 2025

Conversation

@tschm tschm (Member) commented Dec 29, 2025

This pull request synchronizes the repository with its template.

Changes were generated automatically using rhiza.

Summary by CodeRabbit

Release Notes

  • Chores

    • Introduced CodeQL security analysis workflow for automated code scanning across multiple languages with scheduled runs
    • Improved build system commands for cleanup and dependency verification with enhanced robustness
    • Updated workflow tracking configurations and test files
  • Documentation

    • Enhanced help documentation with improved formatting and styling for better usability


@coderabbitai coderabbitai Bot (Contributor) commented Dec 29, 2025

📝 Walkthrough

This PR introduces a new CodeQL security analysis GitHub Actions workflow, updates build infrastructure by refactoring the Makefile's clean and deptry targets, tracks the workflow file in project history, and adjusts corresponding test expectations to match the updated Makefile behavior.

Changes

GitHub Actions Security Infrastructure
  File(s): .github/workflows/rhiza_codeql.yml, .rhiza/history
  Summary: Adds new CodeQL Advanced workflow with matrix strategy for multiple languages (actions, python), scheduled and event-driven triggers (push/PR to main/master, weekly), language-specific runner selection, and security event analysis; workflow file reference tracked in history.

Build System & Dependency Management
  File(s): Makefile
  Summary: Refactors clean target to preserve .env files, use awk-based filtering for branch cleanup, and improve output formatting; shifts deptry target from strict pyproject.toml gate to directory-aware logic using src/ directory existence check with fallback to deptry .; enhances help target with better formatting and dynamic target listing.

Test Updates
  File(s): tests/test_rhiza/test_makefile.py
  Summary: Adjusts deptry target test expectation from deptry "src" to deptry . to align with refactored Makefile logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A CodeQL lens now guards the code,
While Makefiles dance down cleaner roads,
Branch pruning, tests, and workflows flow—
Security seeds we help to grow! 🌿

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  Title check: ❓ Inconclusive. The title 'chore: Sync with rhiza' is vague and does not clearly describe the specific changes made in the pull request. Resolution: Consider using a more descriptive title that highlights the main changes, such as 'chore: Add CodeQL workflow, update Makefile and tests' or 'chore: Add CodeQL analysis and improve Makefile targets'.

✅ Passed checks (2 passed)
  Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

@github-advanced-security (Contributor) commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b00629 and efcb4b6.

📒 Files selected for processing (4)
  • .github/workflows/rhiza_codeql.yml
  • .rhiza/history
  • Makefile
  • tests/test_rhiza/test_makefile.py
🔇 Additional comments (7)
.rhiza/history (1)

11-11: LGTM!

The new CodeQL workflow is correctly tracked in the template history file.

tests/test_rhiza/test_makefile.py (1)

133-139: LGTM!

The test correctly validates the updated deptry target behavior, which now runs deptry . when no src directory exists (as is the case in the test's temporary environment).

.github/workflows/rhiza_codeql.yml (3)

88-97: Manual build placeholder is correctly configured.

The manual build step exits with an error code, which is intentional. This step only executes when build-mode: 'manual' is set in the matrix. Since the current matrix entries use build-mode: none, this placeholder will not be triggered and serves as a reminder for future customization.


31-31: The repository is confirmed to be public. The workflow condition is correctly configured and CodeQL analysis will run as expected.


61-61: The workflow already uses current, secure versions. actions/checkout@v6 is the latest stable version, and github/codeql-action@v4 is the latest stable major version (latest patch: v4.31.7). No security advisories identified. No changes required.

Makefile (2)

142-147: LGTM! Directory-aware deptry invocation is more flexible.

The updated deptry target intelligently checks for the existence of a src directory and adjusts its invocation accordingly. This is more permissive than the previous implementation and aligns well with the corresponding test expectations.


172-177: LGTM! Enhanced help formatting improves usability.

The improved help target provides clearer structure with usage instructions and formatted target listings, making the Makefile more user-friendly.

Comment thread Makefile
Comment on lines +111 to +131
clean: ## Clean project artifacts and stale local branches
@printf "%bCleaning project...%b\n" "$(BLUE)" "$(RESET)"

# Remove ignored files/directories, but keep .env files
@git clean -d -X -f \
-e .env \
-e '.env.*'

# Remove build & test artifacts
@rm -rf \
dist \
build \
*.egg-info \
.coverage \
.pytest_cache

@printf "%bRemoving local branches with no remote counterpart...%b\n" "$(BLUE)" "$(RESET)"

@git fetch --prune
@git branch -vv \
| grep ': gone]' \
| awk '{print $1}' \
| xargs -r git branch -D 2>/dev/null || true

@git branch -vv | awk '/: gone]/{print $$1}' | xargs -r git branch -D
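Review bot: the branch-deletion step appears twice and the two copies disagree: the grep/awk pipeline writes `awk '{print $1}'`, which make expands before the shell runs it (the make variable `1` is empty), leaving `awk '{print }'`, so it prints whole `git branch -vv` lines and `git branch -D` is handed commit hashes and upstream text as extra arguments, with the resulting errors hidden by `2>/dev/null || true`; only the final line correctly writes `$$1`. Keep the `$$1` form and drop the other. Both copies also print the first field of every matching line, so a checked-out branch whose upstream is gone yields `*` (or `+` for a branch checked out in another worktree) instead of a name; skipping those lines in the awk, e.g. `awk '/^[*+] /{next} /: gone]/{print $$1}'`, avoids that. Finally, `-D` force-deletes unmerged work without a prompt, which is worth a comment in the recipe so users of `make clean` know that local-only commits on such branches are discarded.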
coderabbitai Bot (Contributor) commented

⚠️ Potential issue | 🟠 Major

Address portability issue with xargs -r flag.

The clean target enhancements improve artifact cleanup and formatting. However, Line 131 uses xargs -r, which is a GNU extension not available on BSD/macOS systems. This will cause the target to fail on macOS.

🔎 Portable alternative for branch cleanup
-	@git branch -vv | awk '/: gone]/{print $$1}' | xargs -r git branch -D
+	@git branch -vv | awk '/: gone]/{print $$1}' | xargs git branch -D 2>/dev/null || true

Or use a more explicit approach:

-	@git branch -vv | awk '/: gone]/{print $$1}' | xargs -r git branch -D
+	@branches=$$(git branch -vv | awk '/: gone]/{print $$1}'); \
+	if [ -n "$$branches" ]; then \
+		echo "$$branches" | xargs git branch -D; \
+	fi
📝 Committable suggestion


Suggested change (replacement for the clean target quoted above, lines 111 to 131):
clean: ## Clean project artifacts and stale local branches
@printf "%bCleaning project...%b\n" "$(BLUE)" "$(RESET)"
# Remove ignored files/directories, but keep .env files
@git clean -d -X -f \
-e .env \
-e '.env.*'
# Remove build & test artifacts
@rm -rf \
dist \
build \
*.egg-info \
.coverage \
.pytest_cache
@printf "%bRemoving local branches with no remote counterpart...%b\n" "$(BLUE)" "$(RESET)"
@git fetch --prune
@git branch -vv | awk '/: gone]/{print $$1}' | xargs git branch -D 2>/dev/null || true
🤖 Prompt for AI Agents
In Makefile around lines 111 to 131, the clean target uses the non-portable
GNU-specific xargs -r flag on line 131 which fails on BSD/macOS; remove the
dependency on -r by changing the branch-deletion step to a portable loop or
xargs invocation — e.g., pipe the awk output into a POSIX-safe loop (while read
-r branch; do git branch -D "$branch"; done) or use xargs -n1 git branch -D so
empty input is handled safely without relying on -r; update the Makefile
accordingly.
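A portable version of the stale-branch pruning discussed in this thread, written as an added example that is neither the project's Makefile nor the review bot's suggestion. It assumes the standard `git branch -vv` output format and substitutes a constructed sample for a real repository; the function names `stale_branches`, `delete_branches` and `prune_stale_branches` are this example's own. It handles two cases the thread does not mention: the `*`/`+` marker on a checked-out branch, and empty input, which a `read` loop handles without GNU `xargs -r`. In a Makefile recipe the awk `$1` below would have to be written `$$1` so that make does not expand it first.

```shell
#!/bin/sh
# Added example (not the project's Makefile): portable pruning of local
# branches whose remote-tracking branch has been deleted ("[...: gone]").

# Constructed sample of `git branch -vv` output, not captured from any repo.
# The current branch (*) and a branch checked out in another worktree (+)
# carry a leading marker, so a naive `awk '{print $1}'` would yield '*'/'+'.
SAMPLE_BRANCHES='* main            1111111 [origin/main] current branch, keep
  feature/old     2222222 [origin/feature/old: gone] stale, safe to prune
+ wt-branch       3333333 [origin/wt-branch: gone] gone but checked out in a worktree
  feature/live    4444444 [origin/feature/live: ahead 1] upstream still exists
  local-only      5555555 never pushed, no upstream'

# Read `git branch -vv` lines on stdin; print the names of branches whose
# upstream is gone. Lines starting with '*' or '+' are skipped because git
# refuses to delete a checked-out branch anyway.
stale_branches() {
    awk '/^[*+] / { next }
         /: gone]/ { print $1 }'
}

# Delete each branch name read on stdin, one per line. A read loop runs
# nothing on empty input, which is what GNU `xargs -r` provides and BSD
# xargs may not. Modes: "-n" only reports what would be deleted; "--force"
# uses -D (needed for squash-merged branches, which git still sees as
# unmerged); the default -d refuses to drop unmerged work.
delete_branches() {
    mode=${1:-}
    flag=-d
    if [ "$mode" = "--force" ]; then
        flag=-D
    fi
    while IFS= read -r branch; do
        [ -n "$branch" ] || continue
        if [ "$mode" = "-n" ]; then
            printf 'would delete %s\n' "$branch"
        else
            git branch "$flag" "$branch"
        fi
    done
}

# The full procedure, equivalent to the Makefile's branch-cleanup step.
# Usage: prune_stale_branches -n        (dry run)
#        prune_stale_branches           (delete merged stale branches)
#        prune_stale_branches --force   (also delete unmerged ones)
prune_stale_branches() {
    git fetch --prune &&
    git branch -vv | stale_branches | delete_branches "$@"
}
```

Running `prune_stale_branches -n` first and reading the list is the cheap check that the `-D` form in the Makefile skips; the dry run is also what the sample data exercises without touching a repository.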

@tschm tschm merged commit ee96812 into main Dec 29, 2025
29 checks passed
@tschm tschm deleted the rhiza/20561446968 branch December 29, 2025 01:54
@coderabbitai coderabbitai Bot mentioned this pull request Feb 2, 2026
2 participants