Modernize project structure and CI workflows

Adopt python-repo-template best practices: update Makefile with comprehensive targets, switch to poetry-core, add black and flake8 for code quality, and move tests to the repo root. Overhaul GitHub Actions workflows (CI, Snyk, secrets scan, stale issues), improve dependabot config, and add cursor rules for development standards. Update README, LICENSE, and CHANGELOG to reflect new structure and tooling.

Author: kyhau

.codecov.yml

@@ -2,7 +2,6 @@ coverage:
   precision: 2
   round: down
   range: 70...100
-
   status:
     project: true
     patch: false

.cursor/rules/general-standards.mdc

@@ -0,0 +1,59 @@
+---
+description: General coding standards (language-agnostic)
+globs: ["**/*"]
+alwaysApply: true
+---
+
+# General Coding Standards
+
+## Documentation & Instructions
+
+- **Be concise** - Instructions, rules, and documentation should be brief and actionable
+- **Focus on essentials** - Include only what's necessary, remove verbose explanations
+
+## File Formatting
+
+- **End files with newline** - POSIX standard, required for Git diffs
+- **Use LF (`\n`) line endings** - Not CRLF (`\r\n`), except `.bat`/`.cmd` files
+- **No trailing whitespace** - Remove spaces/tabs at end of lines
+- **Consistent indentation** - Spaces or tabs, never mixed
+
+## File Naming
+
+- **Lowercase with hyphens** - `my-file.txt` not `My-File.txt`
+- **Be descriptive** - `user-authentication.py` not `auth.py`
+- **Avoid special characters** - Use only `a-z`, `0-9`, `-`, `_`, `.`
+
+**Exceptions:**
+- Python: `snake_case.py`
+- JavaScript/TypeScript: `PascalCase.tsx`
+
+## Git
+
+**Commits:**
+- Atomic (one change per commit)
+- Present tense messages ("Add feature" not "Added feature")
+- Include issue numbers (`Fixes #123`)
+
+**Never commit:**
+- ❌ Build artifacts (`dist/`, `build/`)
+- ❌ Dependencies (`node_modules/`, `.venv/`)
+- ❌ IDE files (`.vscode/`, `.idea/`)
+- ❌ OS files (`.DS_Store`, `Thumbs.db`)
+- ❌ Secrets or credentials
+
+## Security
+
+- **Never commit secrets** - Use environment variables
+- **Pin dependency versions** - Use exact versions
+- **Use secret scanners** - gitleaks, truffleHog
+- **Security scanning** - Snyk, Dependabot
+
+## Before Committing
+
+- [ ] Tests pass
+- [ ] No linter errors
+- [ ] No trailing whitespace
+- [ ] Newline at end of files
+- [ ] No debug code
+- [ ] Documentation updated

.cursor/rules/makefile-python.mdc

@@ -0,0 +1,90 @@
+---
+description: Makefile-based development workflow for Python projects using Poetry
+globs: ["Makefile", "pyproject.toml", "**/*.py"]
+alwaysApply: true
+---
+
+# Python Project Development Workflow
+
+## Available Makefile Targets
+
+### Setup
+- `make setup-init` - Complete first-time setup (configure venv, lock, install all deps)
+- `make setup-venv` - Configure Poetry to use .venv in project directory
+
+### Installation
+- `make install` - Install main dependencies only
+- `make install-dev` - Install main + dev dependencies
+- `make install-test` - Install main + test dependencies
+- `make install-all` - Install all dependencies (main + dev + test)
+
+### Dependency Management
+- `make lock` - Regenerate poetry.lock from pyproject.toml
+- `make update-deps` - Update dependencies to latest compatible versions
+
+### Testing
+- `make test` - Run unit tests without coverage
+- `make test-with-coverage` - Run unit tests with coverage reporting
+
+### Code Quality
+- `make lint-python` - Lint Python code with flake8
+- `make lint-yaml` - Lint YAML files with yamllint
+- `make format-python` - Format Python code with black
+- `make pre-commit` - Run all quality checks (format, lint, test)
+
+### Build
+- `make build` - Build the Python package
+
+### Cleanup
+- `make clean` - Clean test artifacts, build artifacts and temporary files
+- `make clean-all` - Clean everything including virtual environment
+
+### Help
+- `make help` - Show all available targets
+
+## Project Setup
+
+**Quick Start:**
+```bash
+make setup-init              # Complete first-time setup
+make test-with-coverage      # Verify installation
+```
+
+## Python Environment
+- **Poetry** - Dependency management
+- **Python 3.10+** - Minimum version (supports 3.10, 3.11, 3.12, 3.13)
+- **`.venv/`** - Virtual environment (project-local)
+- **Dependencies** in `pyproject.toml`:
+  - Main: boto3, click, InquirerPy
+  - Test: pytest, pytest-cov, pytest-mock, coverage, mock
+  - Dev: black, flake8, yamllint
+
+## Development Workflow
+
+**Daily development:**
+```bash
+# 1. Make code changes
+# 2. Run all quality checks before committing
+make pre-commit             # Format, lint, and test everything
+# Or run individual checks:
+make format-python          # Auto-format
+make lint-python            # Lint Python
+make lint-yaml              # Lint YAML
+make test-with-coverage     # Test with coverage
+make clean                  # Remove artifacts
+```
+
+## Project Structure
+- Main package: `saml2awsmulti/`
+- Tests: `tests/`
+- CLI entry point: `awslogin` (defined in pyproject.toml)
+- Configuration: `pyproject.toml`
+
+## CLI Tool Usage
+After installation with `pip install .` or `pipx install .`:
+```bash
+awslogin                    # Main CLI tool
+awslogin --help             # Show help
+awslogin switch             # Switch AWS profile
+awslogin whoami             # Show current identity
+```

.cursor/rules/makefile-workflow.mdc

@@ -1,5 +1,6 @@
 version: 2
 updates:
+  # GitHub Actions dependencies
   - package-ecosystem: github-actions
     directory: "/"
     groups:
@@ -11,18 +12,7 @@ updates:
       time: "08:00"
       timezone: Australia/Melbourne
 
-  - package-ecosystem: pip
-    directory: "/"
-    groups:
-      all-dependencies:
-        patterns:
-          - "*"
-    schedule:
-      interval: weekly
-      time: "09:00"
-      timezone: Australia/Melbourne
-    open-pull-requests-limit: 1
-
+  # Python dependencies managed by Poetry
   - package-ecosystem: poetry
     directory: "/"
     groups:
@@ -31,6 +21,6 @@ updates:
           - "*"
     schedule:
       interval: weekly
-      time: "09:30"
+      time: "08:00"
       timezone: Australia/Melbourne
     open-pull-requests-limit: 1

.github/dependabot.yml

@@ -1,38 +1,64 @@
-name: Build and Test
+name: CI
+run-name: CI @ ${{ github.ref_name }}
 
 on:
   push:
-    paths-ignore:
-      - '**.json'
-      - '**.md'
+    branches: [main, master]
+    paths:
+      - .github/**
+      - saml2awsmulti/**
+      - Makefile
+      - poetry.lock
+      - pyproject.toml
+  pull_request:
+    branches: [main, master]
+    paths:
+      - .github/**
+      - saml2awsmulti/**
+      - Makefile
+      - poetry.lock
+      - pyproject.toml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
 
 defaults:
   run:
     shell: bash
 
 jobs:
   lint:
-    name: Run yamllint on workflows
+    name: Lint code
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
           python-version: "3.13"
+
       - name: Install Poetry
-        run: pip install poetry
-      - name: Install yamllint
-        run: poetry install --only dev
-      - name: Run yamllint
-        run: make yamllint
+        uses: snok/install-poetry@v1
+        with:
+          version: latest
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+
+      - name: Lint YAML
+        run: make lint-yaml
+
+      - name: Lint Python
+        run: make lint-python
 
-  build:
+  test:
     needs: lint
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
 
     steps:
       - name: Checkout source
@@ -44,10 +70,10 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install dependencies
-        run: make install-test-deps
+        run: make install-test
 
       - name: Run tests with coverage
-        run: make test-coverage
+        run: make test-with-coverage
 
       - name: Upload coverage to Codecov
         if: matrix.python-version == '3.13'

.github/workflows/build-and-test.yml .github/workflows/ci.yml.github/workflows/build-and-test.yml renamed to .github/workflows/ci.yml

@@ -2,7 +2,7 @@ name: CodeQL
 
 on:
   push:
-    branches: [main]
+    branches: [main, master]
   schedule:
     - cron: '0 19 * * 5'
 

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,5 @@
 name: Dependabot auto-approve auto-merge
+
 on: pull_request
 
 permissions:

.github/workflows/dependabot-auto-approve-merge.yml

@@ -2,6 +2,10 @@ name: Secrets Scan
 
 on: [push, workflow_dispatch]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   Gitleaks:
     name: Gitleaks Secrets Scan

.github/workflows/secrets-scan.yml

@@ -0,0 +1,35 @@
+name: Snyk Checks
+
+on:
+  push:
+    branches: [main, master]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  security:
+    name: Run Snyk to check for vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v5
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/python@master
+        continue-on-error: true  # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --severity-threshold=high --sarif-file-output=snyk.sarif
+
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: snyk.sarif