From 497aa741698d6e33e6168290707909e73da5032f Mon Sep 17 00:00:00 2001 From: James Williams <29534093+williajm@users.noreply.github.com> Date: Tue, 14 Apr 2026 20:54:06 +0100 Subject: [PATCH 1/2] security: Harden release workflow (repo guard + SHA256SUMS) Align with the security baseline used in williajm/mcp_docker: - Add `if: github.repository == 'williajm/forgery'` to every job so forks can't run the release workflow (belt-and-suspenders with the trusted-publisher binding and the pypi environment's branch/tag policy). - Generate SHA256SUMS.txt from the collected dist/* artifacts in the publish job, place it at the workspace root (outside dist/ so PyPI does not receive it), and upload it to the GitHub release. - Add `contents: write` to the publish job's permissions explicitly so `gh release upload` works for both the SBOM and the new SHA256SUMS upload (job-level permissions replace workflow-level). Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d0c89c8..ce20ae7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,6 +12,7 @@ jobs: build-wheels: name: Build wheels on ${{ matrix.os }} runs-on: ${{ matrix.os }} + if: github.repository == 'williajm/forgery' strategy: matrix: os: [ubuntu-latest, macos-latest, windows-latest] @@ -44,6 +45,7 @@ jobs: build-sdist: name: Build source distribution runs-on: ubuntu-latest + if: github.repository == 'williajm/forgery' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -62,6 +64,7 @@ jobs: sbom: name: Generate SBOM runs-on: ubuntu-latest + if: github.repository == 'williajm/forgery' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
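Review bot: The reason for the new `if: github.repository == 'williajm/forgery'` line is stated only in the commit message; in the workflow itself it reads like a leftover, so a one-line comment above it (here in build-wheels and in the identical build-sdist and sbom hunks) is worth adding: `# Fork guard: release jobs must never run outside the canonical repo`. Note that the guard keys on the mutable repository name, so a rename or transfer of the repo would make every release job silently skip rather than fail loudly; if that matters, `github.repository_id` is stable across renames, at the cost of a numeric literal that then needs its own comment. The three guards are identical and independent, so a later copy of any job definition needs the line copied with it.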
@@ -89,12 +92,14 @@ jobs: name: Publish to PyPI needs: [build-wheels, build-sdist, sbom] runs-on: ubuntu-latest + if: github.repository == 'williajm/forgery' environment: name: pypi url: https://pypi.org/p/forgery permissions: id-token: write attestations: write + contents: write steps: - name: Download all artifacts @@ -108,6 +113,14 @@ jobs: with: name: sbom + - name: Generate SHA256 checksums + run: | + cd dist + sha256sum *.whl *.tar.gz > ../SHA256SUMS.txt + cd .. + echo "SHA256 checksums:" + cat SHA256SUMS.txt + - name: Attest build provenance uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: @@ -123,3 +136,8 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: gh release upload "${{ github.ref_name }}" sbom.cdx.json --clobber + + - name: Upload SHA256SUMS to GitHub Release + env: + GH_TOKEN: ${{ github.token }} + run: gh release upload "${{ github.ref_name }}" SHA256SUMS.txt --clobber From 0d3f7ad1280670e67769ebc581d54127c38a115c Mon Sep 17 00:00:00 2001 From: James Williams <29534093+williajm@users.noreply.github.com> Date: Tue, 14 Apr 2026 21:06:14 +0100 Subject: [PATCH 2/2] security: Bump pytest to 9.0.3 Fixes CVE-2025-71176 (pytest through 9.0.2 uses predictable /tmp/pytest-of-{user} directory name, allowing local DoS or privilege escalation). Regenerated requirements-dev.txt via: uv pip compile pyproject.toml --extra dev --universal \ --generate-hashes --upgrade-package pytest \ --exclude-newer <3 days ago> Co-Authored-By: Claude Opus 4.6 (1M context) --- requirements-dev.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 1f7ddc6..97ffe60 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt 
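Review bot: Adding `contents: write` to the publish job puts a repo-writing token in the same job that holds `id-token: write` for PyPI trusted publishing, so a compromised step or action in this job now yields both the PyPI OIDC credential and a GITHUB_TOKEN able to rewrite release assets and push to the repository. The two `gh release upload` steps are the only consumers of `contents: write`, so they could live in a follow-on job that `needs: publish`, receives the SBOM and SHA256SUMS.txt as artifacts, and carries only `contents: write`, leaving the OIDC job with `id-token: write` and `attestations: write` alone. Whether the artifact hand-off is acceptable depends on the download step's configuration, which is outside this hunk. A sketch of the split job:
```yaml
  release-assets:
    name: Upload release assets
    needs: publish
    runs-on: ubuntu-latest
    if: github.repository == 'williajm/forgery'
    permissions:
      contents: write
    steps:
      # … download sbom.cdx.json and SHA256SUMS.txt artifacts from the publish job …
      # … the two existing `gh release upload` steps, unchanged …
```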
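Review bot: SHA256SUMS.txt is computed from whatever landed in `dist/` after the artifact download, so it can only show that the release assets match each other, not that they match what the build jobs produced; provenance comes from the attestation step that follows, and the checksum file is not itself covered by it unless the step's `subject-path` includes it. If `subject-path` (the `with:` block continues past this hunk) lists only `dist/*`, consider adding `SHA256SUMS.txt` there so the checksum file is attested as well, and state the scope above the step: `# Integrity aid for downloaders (sha256sum -c); provenance comes from the attestation below.` Running `sha256sum` inside `dist/` is the right choice, since the bare file names are what `sha256sum -c` expects from a user who downloads everything into one directory; `(cd dist && sha256sum *.whl *.tar.gz) > SHA256SUMS.txt` does the same without the second `cd`. An unmatched glob makes `sha256sum` exit non-zero under the runner's default `bash -e`, so an empty `dist/` already fails the job.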
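Review bot: The new upload step splices `${{ github.ref_name }}` straight into the shell command, mirroring the SBOM step above it; git permits `$`, `;`, backticks and quote characters in ref names, so a tag named to contain them would be executed by the runner's shell before `gh` ever sees it. Only users with write access can push tags, which bounds the exposure, but passing the ref through the environment removes the injection class entirely: `env:` / `  TAG: ${{ github.ref_name }}` and `run: gh release upload "$TAG" SHA256SUMS.txt --clobber`. The same two-line change applies to the existing SBOM upload step. `--clobber` also means a re-run of the workflow on the same tag silently replaces the published checksum file, which is the intended re-run behaviour but worth a comment: `# --clobber: re-runs replace the asset rather than failing on a duplicate name`.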
@@ -1,5 +1,5 @@ # This file was autogenerated by uv via the following command: -# uv pip compile pyproject.toml --extra dev --universal --generate-hashes -o requirements-dev.txt +# uv pip compile pyproject.toml --extra dev --universal --generate-hashes --exclude-newer 2026-04-11T00:00:00Z -o requirements-dev.txt bandit==1.9.4 \ --hash=sha256:b589e5de2afe70bd4d53fa0c1da6199f4085af666fde00e8a034f152a52cd628 \ --hash=sha256:f89ffa663767f5a0585ea075f01020207e966a9c0f2b9ef56a57c7963a3f6f8e @@ -358,9 +358,9 @@ pygments==2.20.0 \ # via # pytest # rich -pytest==9.0.2 \ - --hash=sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b \ - --hash=sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11 +pytest==9.0.3 \ + --hash=sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9 \ + --hash=sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c # via # forgery (pyproject.toml) # pytest-asyncio