fnk0c · rios0rios0 · Mar 21, 2026 · Mar 20, 2026 · Mar 20, 2026 · Mar 21, 2026
diff --git a/.ci/40-delivery/app.Dockerfile b/.ci/40-delivery/app.Dockerfile
diff --git a/.ci/stages/40-delivery/app.Dockerfile b/.ci/stages/40-delivery/app.Dockerfile
@@ -0,0 +1,35 @@
+FROM python:3.10-slim-bullseye AS builder
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends gcc libpq-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY dist/*.whl /tmp/
+RUN pip install --no-cache-dir /tmp/*.whl
+
+FROM python:3.10-slim-bullseye
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        curl gnupg2 lsb-release && \
+    echo "deb https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \
+        > /etc/apt/sources.list.d/pgdg.list && \
+    curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
+        | gpg --dearmor -o /etc/apt/trusted.gpg.d/postgresql.gpg && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+        libpq5 postgresql-client-17 && \
+    apt-get purge -y --auto-remove curl gnupg2 lsb-release && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /usr/local/lib/python3.10/site-packages /usr/local/lib/python3.10/site-packages
+COPY --from=builder /usr/local/bin /usr/local/bin
+
+RUN useradd --create-home appuser
+USER appuser
+WORKDIR /home/appuser
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+    CMD ["python", "-c", "import database_sync; print('ok')"]
+
+ENTRYPOINT ["python", "-m", "database_sync"]
diff --git a/INSTALL_PG_DUMP.md → .docs/INSTALL_PG_DUMP.md b/INSTALL_PG_DUMP.md → .docs/INSTALL_PG_DUMP.md
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,5 +1,6 @@
 ## :vertical_traffic_light: Quality checklist
 
 - [ ] Did you add the changes in the `CHANGELOG.md`? (don't forget the GitHub issue link!)
-- [ ] Did you run all the code checks? (`pdm run black .`, `pdm run isort .`, `pdm run flake8 .`)
-- [ ] Are the tests passing?
+- [ ] Did you run all the code checks? (`make lint`)
+- [ ] Did you run the security checks? (`make sast`)
+- [ ] Are the tests passing? (`make test`)
diff --git a/.github/pull_request_template/default.md b/.github/pull_request_template/default.md
@@ -1,5 +1,6 @@
 ## :vertical_traffic_light: Quality checklist
 
 - [ ] Did you add the changes in the `CHANGELOG.md`? (don't forget the GitHub issue link!)
-- [ ] Did you run all the code checks? (`pdm run black .`, `pdm run isort .`, `pdm run flake8 .`)
-- [ ] Are the tests passing?
+- [ ] Did you run all the code checks? (`make lint`)
+- [ ] Did you run the security checks? (`make sast`)
+- [ ] Are the tests passing? (`make test`)
diff --git a/.github/workflows/default.yaml b/.github/workflows/default.yaml
@@ -11,10 +11,14 @@ on:
       - 'main'
   workflow_dispatch:
 
-#permissions:
-#  checks: 'write' # code_check-style_golangci_lint
-#  contents: 'write' # delivery-release
+permissions:
+  contents: 'write'
+  packages: 'write'
+  security-events: 'write'
 
 jobs:
-  default:
+  ci:
+    uses: 'rios0rios0/pipelines/.github/workflows/python.yaml@main'
+
+  docker:
     uses: 'rios0rios0/pipelines/.github/workflows/python-docker.yaml@main'
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.13.12
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,23 +17,42 @@ Exceptions are acceptable depending on the circumstances (critical bug fixes tha
 
 ## [Unreleased]
 
-### Added 
+### Added
 
 - added required versions of jinja2 `3.1.6` and cryptography `44.0.1` to avoid vulnerabilities
+- added `Makefile` integrating `rios0rios0/pipelines` for standardized `make lint`, `make test`, and `make sast` targets
+- added multi-stage `app.Dockerfile` at `.ci/stages/40-delivery/` for Docker delivery with semver tagging
+- added full CI pipeline (`python.yaml`) with code checks, security scanning, and tests to the GitHub Actions workflow
 
 ### Changed
 
-- updated required Python version from `3.9` to `3.9.2` for compatibility with the new cryptography version
+- updated required Python version from `3.9` to `3.13.12`
 - updated safety version from `3.0.1` to `3.5.1` to address vulnerabilities
+- updated build backend from deprecated `pdm-pep517` to `pdm-backend`
+- renamed `safety-check` script to `safety-scan` to match the pipelines convention
+- updated PR templates to reference `make lint`, `make test`, and `make sast` instead of manual `pdm run` commands
 
-### Fixed 
+### Fixed
 
+- fixed Trivy DS-0026 by adding `HEALTHCHECK` to `app.Dockerfile` and removing the old Dockerfile at `.ci/40-delivery/`
 - fixed missing exclude table command for the id_seq of the table ignored
 - fixed dropping the id_seq table for the ignored table
 
+### Security
+
+- updated `urllib3` from `2.2.2` to `2.6.3` to fix CVE-2025-50612 and 4 other vulnerabilities
+- updated `cryptography` from `45.0.2` to `46.0.5` to fix CVE-2026-26007
+- updated `authlib` from `1.3.2` to `1.6.9` to fix CVE-2025-59420, CVE-2025-68158, CVE-2025-61920, and CVE-2025-62706
+- updated `requests` from `2.32.3` to `2.32.5` to fix known vulnerability
+- updated `setuptools` from `74.0.0` to `82.0.1` to fix path traversal vulnerability
+- updated `filelock` from `3.16.1` to `3.19.1` to fix 3 known vulnerabilities
+- updated `marshmallow` from `3.22.0` to `4.0.1` to fix known vulnerability
+- updated `regex` from `2024.11.6` to `2026.1.15` to fix known vulnerability
+
 ### Removed
 
 - removed not used `ignore-vulnerabilities` from safety policy
+- removed `export` script from `pyproject.toml` (inlined into `safety-scan`)
 
 ## [1.1.0] - 2024-10-01
 

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 fnk0c, rios0rios0
+Copyright (c) 2026 fnk0c, rios0rios0
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/Makefile b/Makefile
@@ -0,0 +1,3 @@
+SCRIPTS_DIR ?= $(HOME)/Development/github.com/rios0rios0/pipelines
+-include $(SCRIPTS_DIR)/makefiles/common.mk
+-include $(SCRIPTS_DIR)/makefiles/python.mk
diff --git a/README.md b/README.md
@@ -15,7 +15,7 @@ Before proceeding with the installation, ensure the following prerequisites are
 - **Docker**: Version 18.09 or higher. [Install Docker](https://docs.docker.com/install)
 - **Python**: Version 3.9.2 or higher. [Install Python](https://www.python.org/downloads/)
 - **PDM**: Version 2.11.2 or higher. [Install PDM](https://pdm-project.org/latest/#installation)
-- **pg_dump**: Version 17. [Install pg_dump](./INSTALL_PG_DUMP.md)
+- **pg_dump**: Version 17. [Install pg_dump](.docs/INSTALL_PG_DUMP.md)
 - **psycopg2**: Version 2.9.9. [Install psycopg](https://www.psycopg.org/docs/install.html)
 
 ### Installation Guide

diff --git a/horusec.json b/horusec.json