diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6bddb90..943b395 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,7 +30,7 @@ permissions:
 jobs:
 ci:
 name: CI Pipeline
- uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 python-version: '3.12'
 coverage-threshold: 80
@@ -60,7 +60,7 @@ jobs:
 # egress-policy: block -- enabled 2026-05-23 (compliance audit). If a CI run fails on a network call, switch this single occurrence back to audit and capture the missing endpoint in the issue tracker.
 egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Setup Node
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index e9f98d9..289e6ba 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -23,7 +23,7 @@ jobs:
 name: Upload Coverage
 # Only run on successful CI completion
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 artifact-name: 'coverage-reports'
 coverage-files: '*.xml'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8ad5ce4..66c3677 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -39,17 +39,17 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
 with:
 python-version: "3.12"
 - name: Install uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 enable-cache: true
@@ -57,13 +57,13 @@ jobs:
 run: uv sync --no-dev
 - name: Initialize CodeQL
- uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: python
 build-mode: none
 queries: security-extended,security-and-quality
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:python"
diff --git a/.github/workflows/container-security.yml b/.github/workflows/container-security.yml
index 11f3a46..ee0e93b 100644
--- a/.github/workflows/container-security.yml
+++ b/.github/workflows/container-security.yml
@@ -41,7 +41,7 @@ permissions:
 jobs:
 container-security:
 name: Container Security Scan
- uses: ByronWilliamsCPA/.github/.github/workflows/python-container-security.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-container-security.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 dockerfile-path: 'Dockerfile'
 build-context: '.'
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 021aaa3..773b311 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -23,7 +23,7 @@ jobs:
 upload-coverage:
 name: Upload Coverage to Qlty
 if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
- uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 coverage-artifact-name: coverage-reports
 coverage-file-path: coverage.xml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index a3a5377..6a10c3e 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -33,7 +33,7 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Dependency Review
 uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 67dbf34..3eb78db 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -29,7 +29,7 @@ permissions:
 jobs:
 docs:
 name: Build & Deploy Docs
- uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 python-version: '3.12'
 # rag-processor uses hatchling as build backend, so editable installs
diff --git a/.github/workflows/fips-compatibility.yml b/.github/workflows/fips-compatibility.yml
index 523fb7c..68cd7bb 100644
--- a/.github/workflows/fips-compatibility.yml
+++ b/.github/workflows/fips-compatibility.yml
@@ -61,10 +61,10 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 enable-cache: true
@@ -198,10 +198,10 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 enable-cache: true
diff --git a/.github/workflows/mutation-testing.yml b/.github/workflows/mutation-testing.yml
index ec60e6e..6429c9e 100644
--- a/.github/workflows/mutation-testing.yml
+++ b/.github/workflows/mutation-testing.yml
@@ -35,7 +35,7 @@ permissions:
 jobs:
 mutation:
 name: Mutation Testing
- uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 python-version: '3.12'
 source-directory: 'src'
diff --git a/.github/workflows/performance-regression.yml b/.github/workflows/performance-regression.yml
index 7a8e2ea..50c90b8 100644
--- a/.github/workflows/performance-regression.yml
+++ b/.github/workflows/performance-regression.yml
@@ -59,7 +59,7 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Check for benchmark script
 id: check
@@ -82,7 +82,7 @@ jobs:
 name: Performance Regression
 needs: check-benchmarks
 if: needs.check-benchmarks.outputs.has-benchmarks == 'true'
- uses: ByronWilliamsCPA/.github/.github/workflows/python-performance-regression.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-performance-regression.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 benchmark-script: 'scripts/benchmark.py'
 python-version: '3.12'
diff --git a/.github/workflows/postman-api-tests.yml b/.github/workflows/postman-api-tests.yml
index 52d1115..eb2afbd 100644
--- a/.github/workflows/postman-api-tests.yml
+++ b/.github/workflows/postman-api-tests.yml
@@ -38,7 +38,7 @@ jobs:
 timeout-minutes: 15
 services:
 redis:
- image: redis:8-alpine@sha256:09160599abd229764c0fb44cb6be640294e1d360a54b19985ab4843dcf2d90f1
+ image: redis:8-alpine@sha256:9d317178eceac8454a2284a9e6df2466b93c745529947f0cd42a0fa9609d7005
 ports:
 - 6379:6379
 options: >-
@@ -63,15 +63,15 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
 with:
 python-version: "3.12"
 - name: Install uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 enable-cache: true
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 67ab033..220277e 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -33,7 +33,7 @@ jobs:
 contents: read
 pull-requests: write
 checks: write
- uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 python-version: '3.12'
 coverage-threshold: 80
@@ -56,15 +56,15 @@ jobs:
 egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
 with:
 python-version: "3.12"
 - name: Install UV
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 enable-cache: true
 cache-dependency-glob: "uv.lock"
@@ -99,7 +99,7 @@ jobs:
 egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Check documentation links
 uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
@@ -133,15 +133,15 @@ jobs:
 egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
 with:
 python-version: "3.12"
 - name: Install UV
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 enable-cache: true
 cache-dependency-glob: "uv.lock"
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 3191dac..e716a5f 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -17,7 +17,7 @@ on:
 jobs:
 publish:
 name: Publish Package
- uses: ByronWilliamsCPA/.github/.github/workflows/python-publish-pypi.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-publish-pypi.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 python-version: '3.12'
 package-name: 'rag-processor'
diff --git a/.github/workflows/python-compatibility.yml b/.github/workflows/python-compatibility.yml
index 87d0625..1c6a439 100644
--- a/.github/workflows/python-compatibility.yml
+++ b/.github/workflows/python-compatibility.yml
@@ -41,7 +41,7 @@ permissions:
 jobs:
 compatibility:
 name: Python Compatibility Matrix
- uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 # Match pyproject.toml `requires-python = ">=3.11,<3.15"`. Testing 3.10
 # would fail on Python-3.11+ features the project actively uses (e.g.
diff --git a/.github/workflows/qlty.yml b/.github/workflows/qlty.yml
index 99a3193..dbfd214 100644
--- a/.github/workflows/qlty.yml
+++ b/.github/workflows/qlty.yml
@@ -22,7 +22,7 @@ jobs:
 # Coverage upload: runs after CI workflow completes successfully.
 qlty:
 if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'
- uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 permissions:
 contents: read
 actions: read
diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
index 1963c2f..ad59ab8 100644
--- a/.github/workflows/release-sign.yml
+++ b/.github/workflows/release-sign.yml
@@ -23,7 +23,7 @@ jobs:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install cosign
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1733b26..c752148 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,7 +49,7 @@ jobs:
 if: >-
 github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
- uses: ByronWilliamsCPA/.github/.github/workflows/python-release.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-release.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 python-version: '3.12'
 coverage-threshold: 80
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index 7e6036c..1c251d5 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -28,7 +28,7 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: REUSE Compliance Check
 uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
@@ -59,7 +59,7 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Check primary license exists
 run: |
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 112d00c..973ace8 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -37,7 +37,7 @@ env:
 jobs:
 sbom:
 name: SBOM & Security
- uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@e070932adbacf11d72cf6fab5962c9398621104c # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 python-version: '3.12'
 fail-on-vulnerabilities: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index b2981ac..f95cca6 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -26,7 +26,7 @@ permissions:
 jobs:
 scorecard:
 name: Scorecard Analysis
- uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 publish-results: true
 upload-sarif: true
diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
index 6bc7ba4..9a7664e 100644
--- a/.github/workflows/security-analysis.yml
+++ b/.github/workflows/security-analysis.yml
@@ -33,7 +33,7 @@ permissions:
 jobs:
 security:
 name: Security Analysis
- uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 source-directory: 'src'
 python-version: '3.12'
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index a2bc904..8390bfc 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -29,7 +29,7 @@ permissions:
 jobs:
 sonarcloud:
 name: SonarCloud Analysis
- uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
 with:
 python-version: '3.12'
 source-directory: 'src/rag_processor'