🐛 fix(ci): harden GitHub Actions workflows for production readiness

Files Modified

1. main.yaml.jinja — 7 changes:

    - Added top-level permissions: contents: read (change 5)
    - Added timeout-minutes: 15 to all 5 jobs (change 6)
    - Fixed prerelease detection with a proper regex step instead of contains() (change 2)
    - Removed noisy echo ${{ github.ref }} from release notes step (change 3)
    - Fixed secrets.PYPI_TOKEN check — now uses shell $UV_PUBLISH_TOKEN test (change 1)
    - Added coverage artifact upload from default Python version (change 10)

2. pr-thank-you.yaml — Added name: PR Thank You and continue-on-error: true (change 8)
3. setup-env/action.yaml — Pinned jdx/mise-action to SHA, enabled uv caching (changes 4 & 7)

Files Created

4. dependabot.yml — Weekly GitHub Actions auto-updates (change 9)
5. PULL_REQUEST_TEMPLATE.md — Minimal PR checklist (change 11)

Author: bassemkaroui

template/{% if repository_provider == 'github' %}.github{% endif %}/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,7 @@
+## Description
+<!-- What does this PR do? -->
+
+## Checklist
+- [ ] Tests pass (`make test`)
+- [ ] Linting passes (`make check-quality`)
+- [ ] Type checking passes (`make check-types`)

template/{% if repository_provider == 'github' %}.github{% endif %}/actions/setup-env/action.yaml

@@ -13,9 +13,11 @@ runs:
   steps:
     - name: Setup uv
       uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7
+      with:
+        enable-cache: true
 
     - name: Setup mise
-      uses: jdx/mise-action@v2
+      uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2
       with:
         install_only: true
 

template/{% if repository_provider == 'github' %}.github{% endif %}/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

template/{% if repository_provider == 'github' %}.github{% endif %}/workflows/main.yaml.jinja

@@ -14,9 +14,13 @@ on:
     types: [opened, synchronize, reopened, ready_for_review]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   checks:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -40,6 +44,7 @@ jobs:
 
   tests:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     strategy:
       matrix:
         python-version:
@@ -64,8 +69,18 @@ jobs:
       - name: Run tests
         run: make test
 
+      - name: Upload coverage report
+        if: {% raw %}matrix.python-version == '{{ python_version }}'{% endraw %}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: coverage-report
+          path: |
+            htmlcov/
+            coverage.xml
+
   release:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: |
       github.event_name == 'push' &&
       startsWith(github.ref, 'refs/tags/')
@@ -87,20 +102,31 @@ jobs:
           python-version-file: ".python-version"
 
       - name: Prepare release notes
-        run: {% raw %}uvx --from commitizen --with cz-conventional-gitmoji cz changelog ${{ github.ref_name }} --file-name release-notes.md && echo ${{ github.ref }}{% endraw %}
+        run: {% raw %}uvx --from commitizen --with cz-conventional-gitmoji cz changelog ${{ github.ref_name }} --file-name release-notes.md{% endraw %}
+
+      - name: Check if prerelease
+        id: check_prerelease
+        run: |
+          TAG="{% raw %}${{ github.ref_name }}{% endraw %}"
+          if echo "$TAG" | grep -qP '\d+\.\d+\.\d+(a|b|rc)\d+'; then
+            echo "is_prerelease=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_prerelease=false" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Create release
         uses: softprops/action-gh-release@aec2ec56f94eb8180ceec724245f64ef008b89f5 # v2
         with:
           body_path: release-notes.md
-          prerelease: {% raw %}${{ contains(github.ref_name, 'rc') || contains(github.ref_name, 'b') || contains(github.ref_name, 'a') }}{% endraw %}
+          prerelease: {% raw %}${{ steps.check_prerelease.outputs.is_prerelease }}{% endraw %}
 
   deploy-docs:
     if: |
       github.event_name == 'workflow_dispatch' ||
       (github.event_name == 'push' &&
       startsWith(github.ref, 'refs/tags/'))
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs:
       - checks
       - tests
@@ -136,6 +162,7 @@ jobs:
       (github.event_name == 'push' &&
       startsWith(github.ref, 'refs/tags/'))
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs:
       - checks
       - tests
@@ -155,8 +182,12 @@ jobs:
         run: uv build
 
       - name: Publish package
-        if: secrets.PYPI_TOKEN != ''
         env:
           UV_PUBLISH_TOKEN: {% raw %}${{ secrets.PYPI_TOKEN }}{% endraw %}
-        run: uv publish
+        run: |
+          if [ -n "$UV_PUBLISH_TOKEN" ]; then
+            uv publish
+          else
+            echo "::warning::PYPI_TOKEN secret not set, skipping publish"
+          fi
   {%- endif %}

template/{% if repository_provider == 'github' %}.github{% endif %}/workflows/pr-thank-you.yaml

@@ -1,3 +1,5 @@
+name: PR Thank You
+
 on:
   pull_request:
     types:
@@ -6,6 +8,7 @@ on:
 jobs:
   pr-action:
     runs-on: ubuntu-latest
+    continue-on-error: true
     permissions:
       issues: write
       pull-requests: write