ci: modernize CI matrix, pin actions, and refresh docs

[thephez]

Summary

Modernizes the GitHub Actions workflow and refreshes the README. All previously supported Python versions remain tested — modern releases on hosted runners, and the EOL releases (2.7, 3.5, 3.6) inside official Docker images.

CI changes

• Modern Python (3.7–3.14): tested via actions/setup-python on hosted runners (ubuntu-22.04 and ubuntu-latest). Python 3.7 runs on 22.04 only (added via include), since newer runners don't provide it.
• Legacy Python (2.7, 3.5, 3.6): these are no longer published by actions/setup-python for the available runner images, so a separate legacy job runs them inside the official python:X.Y-buster Docker images, which still ship a working interpreter and gcc. The C extension already has Python 2 build branches, so no source changes were needed.
• Pinned actions to commit SHAs: checkout v6.0.3 (both jobs) and setup-python v6.2.0 (previously floating @v2 tags). buster's glibc (2.28) is new enough to run checkout v6's bundled Node.
• fail-fast: false so one version failing doesn't cancel the rest.
• Triggers: added workflow_dispatch (manual runs) and a weekly schedule (Mondays 08:17 UTC) to catch breakage from runner/dependency drift.
• Renamed the workflow to "Build and Test Python C Extension" (was "C++ and Python" — there's no standalone C++ build).
• Job display names include the OS / container image.

Docs

• Fixed the Test and Uninstall heading underlines.
• Dropped $ prompts from command examples for easier copy-paste.

Summary by CodeRabbit

• Documentation

  • Simplified installation, testing, and uninstall examples in README; Python requirement text left as-is.

• Chores

  • CI updated: rename, expanded test triggers, primary matrix now targets modern Python releases (3.10–3.14, plus 3.7 in an include) and a separate legacy job runs older Python releases (2.7, 3.5, 3.6).

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates the GitHub Actions workflow: expanded test matrix (Python 3.10–3.14 plus 3.7 include), added legacy job for older Pythons, pinned action SHAs; README command examples reformatted (install/test/uninstall) and retains “Python 3.5+ or 2.7+” text.

Changes

Project Configuration and Documentation

Layer / File(s)	Summary
Workflow identity and triggers .github/workflows/build-test.yaml	Workflow name and on triggers changed to push/pull_request, weekly cron, and workflow_dispatch.
Build job matrix and setup steps .github/workflows/build-test.yaml	Main build job matrix updated to Python 3.10–3.14 across ubuntu-22.04 and ubuntu-latest with an extra Python 3.7 include; fail-fast disabled; actions/checkout and actions/setup-python pinned to commit SHAs; install/test/uninstall step unchanged.
Legacy job for older Pythons .github/workflows/build-test.yaml	Added legacy job running Python 2.7, 3.5, 3.6 in container matrix (python:* -buster) on ubuntu-latest, reusing pinned checkout and same test script.
README install/test/uninstall formatting README.md	Rewrote Install/Test/Uninstall sections to remove $ prompts and show commands (pip3 install -r requirements.txt ., python3 test.py, pip3 uninstall dash_hash). The Python version text in this block remains “Python 3.5+ or 2.7+”.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A CI hop, a pinned-up tune,
Python versions rise like moon,
Commands now neat, no prompt in sight,
Tests on old and new take flight,
I nibble docs and dance — delight! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the three main changes: modernizing the CI matrix (updating Python versions and runners), pinning GitHub Actions to commit SHAs, and refreshing documentation. It is concise, clear, and directly reflects the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

.github/workflows/build-test.yaml (1)

22-22: ⚡ Quick win

Consider adding persist-credentials: false for defense in depth.

The checkout action defaults to persisting GitHub credentials in the working directory. While the risk is lower for this C extension build workflow, explicitly setting persist-credentials: false follows security best practices and prevents credential exposure if the workflow is later modified to execute untrusted code.

🔒 Suggested hardening

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-test.yaml at line 22, The checkout step currently
uses actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10; update that step
to explicitly set persist-credentials: false to avoid leaving GitHub credentials
in the workspace (i.e., add persist-credentials: false under the
actions/checkout step), ensuring credential persistence is disabled for
defense-in-depth.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-test.yaml:
- Around line 15-18: The CI matrix currently tests python-version: [ '3.10',
'3.11', '3.12', '3.13', '3.14' ] plus an include for 3.7, leaving out 3.8 and
3.9; update the matrix to include '3.8' and '3.9' (add them to the
python-version list or add include entries) so tests run on those interpreters,
or alternatively add a comment/README note in the workflow explaining the
intentional omission of 3.8/3.9 if you do not want to support them; refer to the
python-version matrix key in the workflow for the change.
- Line 18: The workflow matrix currently includes python-version '3.7' while the
job uses actions/setup-python@v6.2.0 which no longer supports EOL Python 3.7;
remove the { python-version: '3.7', os: ubuntu-22.04 } entry from the
matrix.include or alternatively pin actions/setup-python to a prior release that
still supports 3.7 (e.g., downgrade the setup action reference used in the
workflow from v6.2.0 to a compatible older tag) so the matrix and setup-python
version are consistent.
- Line 22: The pinned SHA for actions/checkout in the workflow is inconsistent
with the inline tag: update the line that currently uses
"actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" so the comment and
pin match—either replace the pinned SHA with the commit for tag "v6.0.3"
(9f698171ed81b15d1823a05fc7211befd50c8ae0) or change the comment/tag to reflect
the existing SHA; ensure the string "actions/checkout@..." and its accompanying
comment are consistent.

In `@README.md`:
- Line 9: Add a python_requires minimum version to the setup() invocation so pip
enforces the README/CI-supported Python >=3.7; update the setup.py file by
adding the python_requires='>=3.7' parameter to the existing setup(...) call
(the setup function that declares name/version/ext_modules) so installations on
older Python are rejected with a clear error.

---

Nitpick comments:
In @.github/workflows/build-test.yaml:
- Line 22: The checkout step currently uses
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10; update that step to
explicitly set persist-credentials: false to avoid leaving GitHub credentials in
the workspace (i.e., add persist-credentials: false under the actions/checkout
step), ensuring credential persistence is disabled for defense-in-depth.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5047bb6d-a224-4ee3-bdf1-c956084f490f

📥 Commits

Reviewing files that changed from the base of the PR and between 7af3873 and 32df5fa.

📒 Files selected for processing (2)

• .github/workflows/build-test.yaml
• README.md

[thephez]

@UdjinM6 @PastaPastaPasta can someone with write access review this?

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/build-test.yaml (2)

22-22: ⚡ Quick win

Consider adding persist-credentials: false for defense in depth.

While not a risk in this workflow, explicitly disabling credential persistence prevents potential leakage through artifacts if the workflow evolves.

🔒 Suggested addition

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-test.yaml at line 22, Add persist-credentials: false
to the actions/checkout step to prevent GitHub Actions from persisting workflow
token credentials; locate the checkout usage (the line with uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10) and add the
persist-credentials: false property under that step so credentials are not
retained for later steps or artifacts.

Source: Linters/SAST tools

---

46-46: ⚡ Quick win

Consider adding persist-credentials: false for defense in depth.

Same security recommendation as the main build job: explicitly disabling credential persistence prevents potential leakage if the workflow evolves.

🔒 Suggested addition

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-test.yaml at line 46, The actions/checkout step
currently uses a pinned ref
(actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10) but does not disable
credential persistence; add persist-credentials: false to that checkout step to
prevent GitHub token being persisted to the workspace (defense in depth). Locate
the checkout usage (actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10)
and add the persist-credentials: false input under that step.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-test.yaml:
- Line 48: The legacy workflow step currently runs "python -m pip install ."
without first installing requirements; update that job/step to mirror the main
build by running pip install -r requirements.txt (to install setuptools, wheel,
etc.) prior to the existing "python -m pip install ." command so the environment
and build tools match the main build job.

---

Nitpick comments:
In @.github/workflows/build-test.yaml:
- Line 22: Add persist-credentials: false to the actions/checkout step to
prevent GitHub Actions from persisting workflow token credentials; locate the
checkout usage (the line with uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10) and add the
persist-credentials: false property under that step so credentials are not
retained for later steps or artifacts.
- Line 46: The actions/checkout step currently uses a pinned ref
(actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10) but does not disable
credential persistence; add persist-credentials: false to that checkout step to
prevent GitHub token being persisted to the workspace (defense in depth). Locate
the checkout usage (actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10)
and add the persist-credentials: false input under that step.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 91d172ec-923b-4bb9-9ba6-caa6ca3268a4

📥 Commits

Reviewing files that changed from the base of the PR and between 32df5fa and 9ada8ea.

📒 Files selected for processing (2)

• .github/workflows/build-test.yaml
• README.md

✅ Files skipped from review due to trivial changes (1)

• README.md

[knst]

lgtm 88773d2

[UdjinM6]

utACK 88773d2

[thephez]

Turns out I can't merge in this repo either. Can someone merge it as well?