chore: Sync with rhiza

.github/actions/configure-git-auth/README.md

@@ -0,0 +1,80 @@
+# Configure Git Auth for Private Packages
+
+This composite action configures git to use token authentication for private GitHub packages.
+
+## Usage
+
+Add this step before installing dependencies that include private GitHub packages:
+
+```yaml
+- name: Configure git auth for private packages
+  uses: ./.github/actions/configure-git-auth
+  with:
+    token: ${{ secrets.GH_PAT }}
+```
+
+The `GH_PAT` secret should be a Personal Access Token with `repo` scope.
+
+## What It Does
+
+This action runs:
+
+```bash
+git config --global url."https://<token>@github.com/".insteadOf "https://github.com/"
+```
+
+This tells git to automatically inject the token into all HTTPS GitHub URLs, enabling access to private repositories.
+
+## When to Use
+
+Use this action when your project has dependencies defined in `pyproject.toml` like:
+
+```toml
+[tool.uv.sources]
+private-package = { git = "https://github.com/your-org/private-package.git", rev = "v1.0.0" }
+```
+
+## Token Requirements
+
+By default, this action will use the workflow’s built-in `GITHUB_TOKEN` (`github.token`) if no `token` input is provided or if the provided value is empty (it uses `inputs.token || github.token` internally).
+
+The `GITHUB_TOKEN` is usually sufficient when:
+
+- installing dependencies hosted in the **same repository** as the workflow, or
+- accessing **public** repositories.
+
+The default `GITHUB_TOKEN` typically does **not** have permission to read other private repositories, even within the same organization. For that scenario, you should create a Personal Access Token (PAT) with `repo` scope and store it as `secrets.GH_PAT`, then pass it to the action via the `token` input.
+
+If you configure the step as in the example (`token: ${{ secrets.GH_PAT }}`) and `secrets.GH_PAT` is not defined, GitHub Actions passes an empty string to the action. The composite action then falls back to `github.token`, so the configuration step itself still succeeds. However, any subsequent step that tries to access private repositories that are not covered by the permissions of `GITHUB_TOKEN` will fail with an authentication error.
+## Example Workflow
+
+```yaml
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Install dependencies
+        run: uv sync --frozen
+
+      - name: Run tests
+        run: uv run pytest
+```
+
+## See Also
+
+- [PRIVATE_PACKAGES.md](../../../.rhiza/docs/PRIVATE_PACKAGES.md) - Complete guide to using private packages
+- [TOKEN_SETUP.md](../../../.rhiza/docs/TOKEN_SETUP.md) - Setting up Personal Access Tokens

.github/actions/configure-git-auth/action.yml

@@ -0,0 +1,21 @@
+name: 'Configure Git Auth for Private Packages'
+description: 'Configure git to use token authentication for private GitHub packages'
+
+inputs:
+  token:
+    description: 'GitHub token to use for authentication'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Configure git authentication
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token || github.token }}
+      run: |
+        # Configure git to use token authentication for GitHub URLs
+        # This allows uv/pip to install private packages from GitHub
+        git config --global url."https://${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+
+        echo "✓ Git configured to use token authentication for GitHub"

.github/workflows/rhiza_benchmarks.yml

@@ -37,10 +37,14 @@ jobs:
           lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7.2.1
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.28"
-          python-version: "3.12"
+          version: "0.10.0"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       - name: Run benchmarks
         env:

.github/workflows/rhiza_book.yml

@@ -41,9 +41,14 @@ jobs:
           lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7.2.1
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.28"
+          version: "0.10.0"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       - name: "Sync the virtual environment for ${{ github.repository }}"
         shell: bash

.github/workflows/rhiza_ci.yml

@@ -29,10 +29,15 @@ jobs:
           lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7.2.1
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.28"
+          version: "0.10.0"
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - id: versions
         env:
           UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
@@ -60,11 +65,16 @@ jobs:
           lfs: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7.2.1
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.28"
+          version: "0.10.0"
           python-version: ${{ matrix.python-version }}
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Run tests
         env:
           UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
@@ -79,9 +89,14 @@ jobs:
         uses: actions/[email protected]
 
       - name: Install uv
-        uses: astral-sh/[email protected]
+        uses: astral-sh/[email protected]
+        with:
+          version: "0.10.0"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
         with:
-          version: "0.9.28"
+          token: ${{ secrets.GH_PAT }}
 
       - name: Check docs coverage
         env:

.github/workflows/rhiza_codeql.yml

@@ -83,6 +83,10 @@ jobs:
     - name: Checkout repository
       uses: actions/[email protected]
 
+    - name: Configure git auth for private packages
+      uses: ./.github/actions/configure-git-auth
+      with:
+        token: ${{ secrets.GH_PAT }}
     # Add any setup steps before running the `github/codeql-action/init` action.
     # This includes steps like installing compilers or runtimes (`actions/setup-node`
     # or others). This is typically only required for manual builds.
@@ -91,7 +95,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/[email protected].1
+      uses: github/codeql-action/[email protected].2
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -120,6 +124,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/[email protected].1
+      uses: github/codeql-action/[email protected].2
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/rhiza_deptry.yml

@@ -27,11 +27,16 @@ jobs:
     name: Check dependencies with deptry
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/astral-sh/uv:0.9.28-bookworm
+      image: ghcr.io/astral-sh/uv:0.9.30-bookworm
 
     steps:
       - uses: actions/[email protected]
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Run deptry
         run: make deptry
         # NOTE: make deptry is good style because it encapsulates the folders to check

.github/workflows/rhiza_marimo.yml

@@ -81,9 +81,14 @@ jobs:
 
       # Install uv/uvx
       - name: Install uv
-        uses: astral-sh/setup-uv@v7.2.1
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.28"
+          version: "0.10.0"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       # Execute the notebook with the appropriate runner based on its content
       - name: Run notebook

.github/workflows/rhiza_mypy.yml

@@ -24,11 +24,16 @@ jobs:
     name: Static type checking with mypy
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/astral-sh/uv:0.9.28-bookworm
+      image: ghcr.io/astral-sh/uv:0.9.30-bookworm
 
     steps:
       - uses: actions/checkout@v6
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       # to brutal for now
       # - name: Run mypy
       #   run: make -f .rhiza/rhiza.mk mypy

.github/workflows/rhiza_pre-commit.yml

@@ -31,6 +31,11 @@ jobs:
     steps:
       - uses: actions/[email protected]
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       # Run pre-commit
       - name: Run pre-commit
         run: |

.github/workflows/rhiza_release.yml

@@ -111,9 +111,14 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7.2.1
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.28"
+          version: "0.10.0"
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
 
       - name: Verify version matches tag
         if: hashFiles('pyproject.toml') != ''
@@ -320,9 +325,9 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7.2.1
+        uses: astral-sh/setup-uv@v7.3.0
         with:
-          version: "0.9.28"
+          version: "0.10.0"
 
       - name: "Sync the virtual environment for ${{ github.repository }}"
         shell: bash

.github/workflows/rhiza_security.yml

@@ -27,11 +27,16 @@ jobs:
     name: Security scanning
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/astral-sh/uv:0.9.28-bookworm
+      image: ghcr.io/astral-sh/uv:0.9.30-bookworm
 
     steps:
       - uses: actions/[email protected]
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Run security scans
         env:
           UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}

.github/workflows/rhiza_sync.yml

@@ -50,7 +50,7 @@ jobs:
           fi
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7.2.1
+        uses: astral-sh/setup-uv@v7.3.0
 
       - name: Get Rhiza version
         id: rhiza-version

.github/workflows/rhiza_validate.yml

@@ -12,16 +12,26 @@ on:
 jobs:
   validation:
     runs-on: ubuntu-latest
-    # don't run this in rhiza itself. Rhiza has no template.yml file.
-    if: ${{ github.repository != 'jebel-quant/rhiza' }}
     container:
-      image: ghcr.io/astral-sh/uv:0.9.28-bookworm
+      image: ghcr.io/astral-sh/uv:0.9.30-bookworm
 
     steps:
       - name: Checkout repository
         uses: actions/[email protected]
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Validate Rhiza config
+        # don't run this in rhiza itself. Rhiza has no template.yml file.
+        if: ${{ github.repository != 'jebel-quant/rhiza' }}
         shell: bash
         run: |
           uvx "rhiza>=0.8.0" validate .
+
+      - name: Run Rhiza Tests
+        shell: bash
+        run: |
+          make rhiza-test

.gitignore

@@ -12,6 +12,7 @@ _tests
 _book
 _pdoc
 _marimushka
+_mkdocs
 _benchmarks
 _jupyter