Improve sdk devex

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,13 @@
+## Summary
+
+- What changed, why and the link to the issue that it's solving.
+
+## Checklist
+
+- [ ] CI is green (`lint`, `typecheck`, `test`, `secrets`)
+- [ ] `pre-commit run --all-files` passes locally
+- [ ] Tests were added or updated when behavior changed
+- [ ] Public API / typing changes were reviewed
+- [ ] Documentation was updated (`README.md` / `CONTRIBUTING.md`) if needed
+- [ ] Breaking changes are clearly documented
+- [ ] `CHANGELOG.md` was updated when user-facing behavior changed

.github/workflows/ci.yml

@@ -0,0 +1,75 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  lint:
+    name: Lint (ruff)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install uv
+        run: python -m pip install --upgrade pip uv
+      - name: Install dependencies
+        run: uv sync --group dev
+      - name: Ruff check
+        run: uv run ruff check .
+      - name: Ruff format check
+        run: uv run ruff format --check .
+
+  typecheck:
+    name: Type check (mypy)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install uv
+        run: python -m pip install --upgrade pip uv
+      - name: Install dependencies
+        run: uv sync --group dev
+      - name: Run mypy
+        run: uv run mypy
+
+  test:
+    name: Test (pytest)
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install uv
+        run: python -m pip install --upgrade pip uv
+      - name: Install dependencies
+        run: uv sync --group dev
+      - name: Run tests
+        run: uv run pytest
+
+  secrets:
+    name: Secrets scan (gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install gitleaks (OSS binary)
+        run: |
+          GITLEAKS_VERSION="8.28.0"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -o gitleaks.tar.gz
+          tar -xzf gitleaks.tar.gz
+          sudo mv gitleaks /usr/local/bin/gitleaks
+          gitleaks version
+      - name: Run gitleaks
+        run: gitleaks detect --source . --verbose --redact

.github/workflows/publish.yml

@@ -1,14 +1,14 @@
 name: publish
 
 on:
-  push:
-    branches:
-      - main
-    paths:
-      - pyproject.toml
+  workflow_run:
+    workflows: ["CI"]
+    types:
+      - completed
 
 jobs:
   publish:
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' }}
     runs-on: ubuntu-latest
     environment:
       name: pypi
@@ -19,13 +19,14 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          fetch-depth: 2
+          ref: ${{ github.event.workflow_run.head_sha }}
 
       - name: Detect version change
         id: version_check
         run: |
-          BEFORE_SHA="${{ github.event.before }}"
-          AFTER_SHA="${{ github.sha }}"
+          BEFORE_SHA="$(git rev-parse HEAD^)"
+          AFTER_SHA="$(git rev-parse HEAD)"
 
           BEFORE_VERSION="$(git show "${BEFORE_SHA}:pyproject.toml" 2>/dev/null | sed -nE 's/^version = "([^"]+)"/\1/p' | head -n1)"
           AFTER_VERSION="$(sed -nE 's/^version = "([^"]+)"/\1/p' pyproject.toml | head -n1)"

.pre-commit-config.yaml

@@ -0,0 +1,21 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.13.2
+    hooks:
+      - id: ruff
+        args: ["--fix"]
+      - id: ruff-format
+
+  - repo: local
+    hooks:
+      - id: mypy
+        name: mypy
+        entry: uv run mypy
+        language: system
+        pass_filenames: false
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.28.0
+    hooks:
+      - id: gitleaks
+        args: ["--verbose", "--redact"]

CHANGELOG.md

@@ -0,0 +1,15 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Professional repository baseline:
+  - CI workflow with lint, type checks, tests, and secret scanning gates.
+  - `pre-commit` with `ruff`, `mypy`, and `gitleaks`.
+  - `Makefile`, `CODEOWNERS`, and PR template.
+  - Initial `SECURITY.md` and packaging metadata improvements.

CONTRIBUTING.md

@@ -1,29 +1,59 @@
-# Contributing to Tinybird
+# Contributing to tinybird-sdk-python
 
-Thank you for your interest in contributing to this project!
+Thank you for contributing.
 
-## How to Contribute
+## Prerequisites
 
-1. **Fork the repository** and create your branch from `main`.
-2. **Make your changes** and ensure they follow the project's coding style.
-3. **Test your changes** to make sure everything works as expected.
-4. **Submit a pull request** with a clear description of your changes.
+- Python 3.11+
+- `uv` installed (`pip install uv`)
+
+## Local Setup
+
+```bash
+uv sync --group dev
+uv run pre-commit install
+```
+
+## Validation Workflow (must pass before PR)
+
+Run the same checks used in CI:
+
+```bash
+make check
+```
+
+Or run them individually:
+
+```bash
+make lint
+make typecheck
+make test
+make secrets
+```
+
+## Pull Request Process
+
+1. Branch from `main`.
+2. Keep changes focused and include tests for behavior changes.
+3. Update docs (`README.md`, this file) when usage/workflow changes.
+4. Update `CHANGELOG.md` for user-facing changes.
+5. Open a PR using the provided template and complete the checklist.
+
+`CODEOWNERS` is enabled for source, tests, and release/config paths.
 
 ## Reporting Issues
 
-If you find a bug or have a feature request, please open an issue on GitHub with:
+Open an issue with:
 
-- A clear and descriptive title
-- Steps to reproduce the issue (if applicable)
-- Expected vs actual behavior
-- Any relevant logs or screenshots
+- clear title and expected behavior
+- reproduction steps
+- environment details (Python version, OS)
+- logs or stack traces when available
 
-## Code of Conduct
+## Security
 
-Please be respectful and constructive in all interactions. We're all here to build something great together.
+Do not report vulnerabilities in public issues. See `SECURITY.md`.
 
 ## License
 
-This project is licensed under the MIT License.
-
-By contributing (e.g., submitting a pull request), you agree that your contributions will be licensed under the MIT License, and you represent that you have the authority to make the contribution.
+By contributing, you agree that your contributions are licensed under MIT.

Makefile

@@ -0,0 +1,38 @@
+SRC_DIRS=src tests
+
+.PHONY: help
+help: ## Show available commands
+	@awk -F ':|##' '/^[^\t].+?:.*?##/ { printf "\033[36m%-22s\033[0m %s\n", $$1, $$NF }' $(MAKEFILE_LIST)
+
+.PHONY: install
+install: ## Install dev dependencies with uv
+	uv sync --group dev
+
+.PHONY: lint
+lint: ## Run ruff lint and format checks
+	uv run ruff check .
+	uv run ruff format --check .
+
+.PHONY: lint-fix
+lint-fix: ## Auto-fix lint and format
+	uv run ruff check . --fix
+	uv run ruff format .
+
+.PHONY: typecheck
+typecheck: ## Run mypy type checks
+	uv run mypy
+
+.PHONY: test
+test: ## Run test suite
+	uv run pytest
+
+.PHONY: secrets
+secrets: ## Run gitleaks secret scan
+	uv run pre-commit run gitleaks --all-files
+
+.PHONY: check
+check: ## Run full local CI checks
+	@$(MAKE) lint
+	@$(MAKE) typecheck
+	@$(MAKE) test
+	@$(MAKE) secrets

README.md

@@ -11,6 +11,14 @@ Define your datasources, pipes, and queries in Python and sync them directly to
 pip install tinybird-sdk
 ```
 
+## Development
+
+```bash
+uv sync --group dev
+uv run pre-commit install
+make check
+```
+
 ## Requirements
 
 - Python `>=3.11`

SECURITY.md

@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are applied to the latest released version.
+
+## Reporting a Vulnerability
+
+Please report suspected vulnerabilities privately by emailing:
+
+- support@tinybird.co
+
+Do not open public issues for security vulnerabilities.
+
+When reporting, include:
+
+- A clear description of the issue
+- Impact assessment
+- Reproduction steps or proof of concept
+- Any suggested remediation
+
+We will acknowledge receipt as soon as possible and follow up with remediation status.

pyproject.toml

@@ -3,13 +3,29 @@ name = "tinybird-sdk"
 version = "0.1.9"
 description = "Python SDK for Tinybird Forward"
 readme = "README.md"
+license = "MIT"
 authors = [
     { name = "Tinybird", email = "support@tinybird.co" }
 ]
 requires-python = ">=3.11"
 dependencies = [
     "tinybird==4.5.0",
 ]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Software Development :: Libraries",
+]
+
+[project.urls]
+Homepage = "https://github.com/tinybirdco/tinybird-sdk-python"
+Repository = "https://github.com/tinybirdco/tinybird-sdk-python"
+Issues = "https://github.com/tinybirdco/tinybird-sdk-python/issues"
+Changelog = "https://github.com/tinybirdco/tinybird-sdk-python/blob/main/CHANGELOG.md"
 
 [project.scripts]
 tinybird = "tinybird_sdk.cli.index:main"
@@ -23,7 +39,33 @@ pythonpath = ["src"]
 addopts = "-q"
 testpaths = ["tests"]
 
+[tool.ruff]
+target-version = "py311"
+line-length = 100
+src = ["src", "tests"]
+extend-exclude = ["tests/fixtures/**"]
+
+[tool.ruff.lint]
+select = ["E", "F"]
+ignore = ["E501", "F401"]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+
+[tool.mypy]
+python_version = "3.11"
+files = ["src"]
+warn_unused_configs = true
+warn_redundant_casts = true
+warn_unused_ignores = true
+pretty = true
+ignore_missing_imports = true
+
 [dependency-groups]
 dev = [
+    "mypy>=1.18.2",
+    "pre-commit>=4.3.0",
     "pytest>=9.0.2",
+    "ruff>=0.13.2",
 ]

src/tinybird_sdk/_http.py

@@ -157,7 +157,9 @@ def create_multipart_body(
         )
 
     for field_name, filename, content, explicit_content_type in files:
-        content_type = explicit_content_type or mimetypes.guess_type(filename)[0] or "application/octet-stream"
+        content_type = (
+            explicit_content_type or mimetypes.guess_type(filename)[0] or "application/octet-stream"
+        )
         lines.extend(
             [
                 f"--{boundary}".encode(),