diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 640fe65..0b5cddc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,7 +43,7 @@ jobs:
 steps.filter.outputs.shared == 'true' }}
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
@@ -79,7 +79,7 @@ jobs:
 python-version: ['3.10', '3.11', '3.12', '3.13']
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
@@ -134,7 +134,7 @@ jobs:
 python-version: ['3.10', '3.11', '3.12', '3.13']
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
@@ -185,7 +185,7 @@ jobs:
 contents: read
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
@@ -217,7 +217,7 @@ jobs:
 contents: read
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
@@ -250,7 +250,7 @@ jobs:
 contents: read
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 07c56cd..60b29bf 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -23,7 +23,7 @@ jobs:
 name: Upload Coverage
 # Only run on successful CI completion
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 artifact-name: 'coverage-reports'
 coverage-files: '*.xml'
@@ -41,7 +41,7 @@ jobs:
 contents: read
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c3dd361..fba484f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -34,7 +34,7 @@ jobs:
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 2fcb078..d3c142f 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -23,7 +23,7 @@ jobs:
 upload-coverage:
 name: Upload Coverage to Qlty
 if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
- uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 coverage-artifact-name: coverage-reports
 coverage-file-path: coverage.xml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index ceae0f9..fd42889 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -23,7 +23,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index a88804e..84772cd 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -31,7 +31,7 @@ jobs:
 contents: write
 pages: write
 id-token: write
- uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 python-version: '3.12'
 docs-directory: 'docs'
diff --git a/.github/workflows/fips-compatibility.yml b/.github/workflows/fips-compatibility.yml
index c17c94d..be0bc3c 100644
--- a/.github/workflows/fips-compatibility.yml
+++ b/.github/workflows/fips-compatibility.yml
@@ -54,7 +54,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: write
- uses: ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 strict-mode: ${{ github.event.inputs.strict_mode == 'true' }}
 include-tests: true
diff --git a/.github/workflows/mutation-testing.yml b/.github/workflows/mutation-testing.yml
index 1069687..3eaacdc 100644
--- a/.github/workflows/mutation-testing.yml
+++ b/.github/workflows/mutation-testing.yml
@@ -39,7 +39,7 @@ permissions:
 jobs:
 mutation:
 name: Mutation Testing
- uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 python-version: '3.12'
 source-directory: 'src'
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index e766e1a..d89b8c7 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -29,7 +29,7 @@ jobs:
 # Supplemental PR Checks (Changelog, Link Validation)
 # ==========================================================================
 supplemental-checks:
- uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 # Changelog enforcement
 enable-changelog-check: true
@@ -56,7 +56,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/publish-artifact-registry.yml b/.github/workflows/publish-artifact-registry.yml
index 928abb9..4b7e0e8 100644
--- a/.github/workflows/publish-artifact-registry.yml
+++ b/.github/workflows/publish-artifact-registry.yml
@@ -62,7 +62,7 @@ jobs:
 id-token: write
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/python-compatibility.yml b/.github/workflows/python-compatibility.yml
index 0784e15..6ac76c3 100644
--- a/.github/workflows/python-compatibility.yml
+++ b/.github/workflows/python-compatibility.yml
@@ -34,7 +34,7 @@ permissions:
 jobs:
 compatibility:
- uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 python-versions: '["3.10", "3.11", "3.12", "3.13"]'
 operating-systems: '["ubuntu-latest"]'
diff --git a/.github/workflows/qlty.yml b/.github/workflows/qlty.yml
index 127338c..9a97793 100644
--- a/.github/workflows/qlty.yml
+++ b/.github/workflows/qlty.yml
@@ -15,7 +15,7 @@ concurrency:
 jobs:
 qlty:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 permissions:
 contents: read
 actions: read
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 405ec43..38da20b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,7 +46,7 @@ jobs:
 contents: read
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
@@ -79,7 +79,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index c56a61a..02b3750 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -37,10 +37,12 @@ jobs:
 permissions:
 contents: read
 security-events: write
- uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 python-version: '3.12'
 fail-on-vulnerabilities: true
 severity-threshold: 'CRITICAL,HIGH'
 artifact-retention-days: 90
 fail-on-forbidden-licenses: false
+ # Repo uses hatchling; --no-build cannot install the editable root package
+ no-build: false
diff --git a/.github/workflows/slsa-provenance.yml b/.github/workflows/slsa-provenance.yml
index 1b1b0c4..c6b0f47 100644
--- a/.github/workflows/slsa-provenance.yml
+++ b/.github/workflows/slsa-provenance.yml
@@ -43,7 +43,7 @@ jobs:
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
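Review bot: The `no-build: false` line added to the sbom.yml hunk comes with a comment that states the constraint but not the effect, and whether `false` differs from the reusable workflow's default cannot be told from this hunk; if it is already the default, the line is a no-op and the comment should say it is set explicitly for documentation. Letting the SBOM job build the package means the build backend is resolved inside the scan job, so the generated SBOM and the existing `fail-on-vulnerabilities: true` gate presumably now cover hatchling and its dependencies too, which is worth confirming is intended. A comment that captures both would read `# Repo uses hatchling: with no-build the editable root package cannot be installed, so let the reusable workflow build it (its build deps then appear in the SBOM)`. The job definition this hunk belongs to starts outside the hunk.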
@@ -100,7 +100,7 @@ jobs:
 slsa:
 name: SLSA Level 3
 needs: [build]
- uses: ByronWilliamsCPA/.github/.github/workflows/python-slsa.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-slsa.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 base64-subjects: ${{ needs.build.outputs.hashes }}
 upload-assets: true
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index e3d32d8..8d18c2b 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -32,7 +32,7 @@ permissions:
 jobs:
 sonarcloud:
- uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@6bad2f898be1d387b8424e9deddefa519674cb19 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@987d517d3c8e4b180f4dd15de6d9575f0df91182 # main
 with:
 sonar-organization: williaby
 sonar-project-key: ByronWilliamsCPA_python-libs