Cross-platform dependency-patch and CI-baseline tooling for Python repositories, packaged as a single
`acidbase` CLI plus a set of canonical template files.
1. The `acidbase` CLI — a small Click-based command group that wraps several
   owner-wide GitHub workflows so they behave identically on Windows (PowerShell 7+)
   and on Linux/WSL (bash):

   - `acidbase patch` — scan every non-archived repo of a GitHub owner for a vulnerable dependency, bump it via `uv add "<dep>>=<new>"`, publish the fix (direct push or PR), and verify that the Dependabot alerts close. Per-repo profiles are configured in `config/security_patch.toml`.
   - `acidbase alerts` — list Dependabot alerts for one repo or every repo of an owner, with severity / state / package filters and ready-to-paste `acidbase patch` suggestions per affected package.
   - `acidbase enable-alerts` / `acidbase enable-fixes` — idempotently toggle the per-repo Dependabot settings (vulnerability alerts and automated security fix PRs respectively). Each helper checks the current state first, so it is safe to chain from repo-creation scaffolders.
   - `acidbase push` — DVC- and pre-commit-aware `git add . && git commit && git push` helper with automatic retry when hooks modify staged files. Importable from consumer repos via `from acidbase.push import push_command`. Supports a dual-publish flow (private remote + public mirror) with allowlist / gitleaks pre-flight gates and an interactive destination Q&A; see `docs/guidelines/dual_push.md`.

2. Canonical CI / lint / secret-scan templates under `templates/` — a single source of truth for the GitHub Actions lint workflow, the pre-commit hook set (uv-lock + ruff + gitleaks), the ruff configuration block, and the gitleaks configuration:

   - `templates/.github/workflows/lint.yml`
   - `templates/.pre-commit-config.yaml`
   - `templates/pyproject.lint.toml` (the `[tool.ruff]` block to append)
   - `templates/.gitleaks.toml`

   Downstream repositories pull these files directly so the lint baseline stays consistent without per-repo drift. See `templates/README.md` for the rationale behind each choice (why ruff over black+isort+flake8, why the gitleaks CLI instead of `gitleaks/gitleaks-action@v2`).
Requires Python 3.13+ and uv.
```bash
git clone https://github.com/jurdabos/acidbase.git
cd acidbase
uv sync
uv run acidbase --help
```

Or install directly from GitHub into another project:

```bash
uv add "acidbase @ git+https://github.com/jurdabos/acidbase.git"
```

Full walkthroughs for the security patch flow (CLI reference, config schema,
strategies, verification, worked examples) live in
`docs/guidelines/security_patching.md`.
Quick example:
```bash
# Triage owner-wide alerts and get suggested fix commands.
uv run acidbase alerts --owner <github-owner> --state open --severity high

# Apply a fix across every affected repo and verify the alerts close.
uv run acidbase patch \
  --owner <github-owner> \
  --dep GitPython \
  --new-version 3.1.50 \
  --cve CVE-2026-42215
```

For local development:

```bash
uv sync                        # install runtime + dev deps
uv run pytest                  # run the test suite
uv run ruff check .            # lint
uv run ruff format --check .   # formatting check
```

Pre-commit hooks (uv-lock + ruff + gitleaks via the system MIT-licensed binary):

```bash
uv tool install pre-commit --with pre-commit-uv
pre-commit install
pre-commit run --all-files
```

```text
acidbase/
├── src/acidbase/                 # Python package
│   ├── cli.py                    # Click group: patch, alerts, enable-alerts, enable-fixes, push
│   ├── push.py                   # Reusable git/DVC commit-and-push command
│   └── security/                 # patch + alert helpers, profile resolver, publishers
├── templates/                    # Canonical CI / lint / secret-scan baseline
├── docs/guidelines/              # Public docs (security patching workflow)
├── tests/                        # pytest suite (security/* covers the patch flow)
├── config/security_patch.toml    # Example profile config (placeholders only)
├── scripts/list_symbols.py       # Repo-wide function/class inventory utility
├── pyproject.toml                # uv-native project metadata + ruff config
└── PUBLIC_ALLOWLIST.txt          # CI guard: paths allowed to live in this repo
```
See CONTRIBUTING.md and CODE_OF_CONDUCT.md.
The CI lint baseline (.github/workflows/lint.yml) and the public allowlist
guard (.github/workflows/public-allowlist.yml) must stay green before merge.
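To illustrate what an allowlist gate of this kind enforces before anything reaches a public mirror, here is an added example (not acidbase's own implementation). The allowlist format is an assumption: one path or glob pattern per line, `#` starting a comment; the allowlist text and the tracked-file list are constructed samples.

```python
"""Offline model of a public-mirror allowlist gate (added example, not acidbase code).

Assumed allowlist format: one path or glob pattern per line, '#' starts a comment,
blank lines are ignored. Any tracked path no pattern covers fails the gate.
"""
import fnmatch

# Constructed sample allowlist in the assumed format.
SAMPLE_ALLOWLIST = """
# paths that may live in the public mirror
README.md
pyproject.toml
src/acidbase/**
templates/**
docs/guidelines/*.md
"""

# Constructed stand-in for `git ls-files` output of a working tree.
SAMPLE_TRACKED = [
    "README.md",
    "pyproject.toml",
    "src/acidbase/cli.py",
    "src/acidbase/security/patch.py",
    "docs/guidelines/security_patching.md",
    "docs/internal/customer_notes.md",  # private notes: not allowlisted
    ".env",                             # local secrets file: not allowlisted
]


def parse_allowlist(text: str) -> list[str]:
    """Return the non-empty, non-comment patterns from allowlist text."""
    patterns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            patterns.append(line)
    return patterns


def _matches(path: str, pattern: str) -> bool:
    # fnmatch lets '*' cross '/' boundaries, so 'docs/guidelines/*.md' also
    # covers deeper files; acceptable here, but note it when writing patterns.
    return path == pattern or fnmatch.fnmatchcase(path, pattern)


def disallowed_paths(tracked: list[str], patterns: list[str]) -> list[str]:
    """Tracked paths no pattern covers. Empty result means the gate passes."""
    return [p for p in tracked if not any(_matches(p, pat) for pat in patterns)]


if __name__ == "__main__":
    bad = disallowed_paths(SAMPLE_TRACKED, parse_allowlist(SAMPLE_ALLOWLIST))
    print("gate passes" if not bad else "blocked paths: " + ", ".join(bad))
```

The same check run over `git ls-files` output is what a CI guard of this shape would fail on, stopping a push or mirror step before a stray file is published.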
MIT — Copyright (c) 2024 Blai (Balázs Torda).