diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b563acf..d3d22b9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,7 +30,7 @@ permissions:
jobs:
ci:
name: CI Pipeline
- uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
python-version: '3.12'
coverage-threshold: 80
@@ -54,7 +54,7 @@ jobs:
timeout-minutes: 5
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: block
allowed-endpoints: ''
diff --git a/.github/workflows/cifuzzy.yml b/.github/workflows/cifuzzy.yml
index 5196a49..cda7371 100644
--- a/.github/workflows/cifuzzy.yml
+++ b/.github/workflows/cifuzzy.yml
@@ -43,7 +43,7 @@ jobs:
steps:
- name: Harden the runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
@@ -69,7 +69,7 @@ jobs:
- name: Upload SARIF
if: always()
- uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
with:
sarif_file: results.sarif
category: fuzzing-${{ matrix.sanitizer }}
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 8f01ca2..f8209e0 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -24,7 +24,7 @@ jobs:
name: Upload Coverage
# Only run on successful CI completion
if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
artifact-name: 'coverage-reports'
coverage-files: '*.xml'
@@ -41,7 +41,7 @@ jobs:
if: ${{ github.event.workflow_run.conclusion == 'failure' }}
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
# NOTE: tighten to block after 2026-06-30 (cross-workflow egress migration).
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 653fbf5..4c03823 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -37,7 +37,7 @@ jobs:
steps:
- name: Harden the runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
@@ -60,13 +60,13 @@ jobs:
run: uv sync --no-dev
- name: Initialize CodeQL
- uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+ uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
with:
languages: python
build-mode: none
queries: security-extended,security-and-quality
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+ uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
with:
category: "/language:python"
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 4ffcf88..a2da423 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -23,7 +23,7 @@ jobs:
upload-coverage:
name: Upload Coverage to Qlty
if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
- uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
coverage-artifact-name: coverage-reports
coverage-file-path: coverage.xml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 98ba62c..d3c8c20 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -28,7 +28,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
# NOTE: tighten to block after 2026-06-30 (cross-workflow egress migration).
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index bf8c494..0d0c5a4 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -33,7 +33,7 @@ concurrency:
jobs:
docs:
name: Build & Deploy Docs
- uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
python-version: '3.12'
deploy-to-pages: >-
diff --git a/.github/workflows/fips-compatibility.yml b/.github/workflows/fips-compatibility.yml
index 875c3f3..0a938c8 100644
--- a/.github/workflows/fips-compatibility.yml
+++ b/.github/workflows/fips-compatibility.yml
@@ -56,7 +56,7 @@ jobs:
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit # TODO: tighten to block after 2026-06-30
@@ -210,7 +210,7 @@ jobs:
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit # TODO: tighten to block after 2026-06-30
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 16a6f02..71ac06a 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -29,7 +29,7 @@ jobs:
timeout-minutes: 5
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: block
allowed-endpoints: >
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 2379610..c7441af 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -33,7 +33,7 @@ jobs:
contents: read
pull-requests: write
checks: write
- uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
python-version: '3.12'
coverage-threshold: 80
@@ -50,7 +50,7 @@ jobs:
timeout-minutes: 15
steps:
- name: Harden the runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit # uv sync needs PyPI + Python.org + GitHub; audit catches needed endpoints. TODO: tighten to block with allowed-endpoints after 2026-06-30
@@ -92,7 +92,7 @@ jobs:
timeout-minutes: 15
steps:
- name: Harden the runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit # lychee validates external doc URLs across many hosts; block mode is incompatible
@@ -129,7 +129,7 @@ jobs:
if: always()
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: block
allowed-endpoints: >
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 49f2903..98a17fc 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -26,7 +26,7 @@ jobs:
# was silently ignored. Environment scoping for OIDC trusted publishing
# must be applied INSIDE the reusable's publish job; tracked as an
# upstream enhancement against ByronWilliamsCPA/.github.
- uses: ByronWilliamsCPA/.github/.github/workflows/python-publish-pypi.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-publish-pypi.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
python-version: '3.12'
package-name: 'audio-processor'
diff --git a/.github/workflows/python-compatibility.yml b/.github/workflows/python-compatibility.yml
index f29071c..a5b6835 100644
--- a/.github/workflows/python-compatibility.yml
+++ b/.github/workflows/python-compatibility.yml
@@ -36,7 +36,7 @@ permissions:
jobs:
compatibility:
name: Python Compatibility Matrix
- uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
python-versions: '["3.11", "3.12", "3.13"]'
include-windows: true
diff --git a/.github/workflows/qlty.yml b/.github/workflows/qlty.yml
index becc70c..b1d86fb 100644
--- a/.github/workflows/qlty.yml
+++ b/.github/workflows/qlty.yml
@@ -15,7 +15,7 @@ concurrency:
jobs:
qlty:
if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
permissions:
contents: read
actions: read
diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
index 3a9e14a..085d62c 100644
--- a/.github/workflows/release-sign.yml
+++ b/.github/workflows/release-sign.yml
@@ -17,7 +17,7 @@ jobs:
id-token: write
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e6a0ffa..4490c44 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,7 +52,7 @@ jobs:
if: >-
(github.event_name == 'workflow_dispatch' && (github.ref_name == 'main' || github.ref_name == 'master')) || github.event.workflow_run.conclusion == 'success'
- uses: ByronWilliamsCPA/.github/.github/workflows/python-release.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-release.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
python-version: '3.12'
coverage-threshold: 80
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index 9ca514e..a383c58 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -29,7 +29,7 @@ concurrency:
jobs:
reuse:
name: REUSE Compliance Check
- uses: ByronWilliamsCPA/.github/.github/workflows/python-reuse.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-reuse.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
generate-spdx: true
fail-on-missing: true
@@ -47,7 +47,7 @@ jobs:
timeout-minutes: 5
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: block
allowed-endpoints: ''
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index a557839..ba01041 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -41,7 +41,7 @@ concurrency:
jobs:
sbom:
name: SBOM & Security
- uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
python-version: '3.12'
fail-on-vulnerabilities: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index f24cd65..cdcfc40 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -26,7 +26,7 @@ permissions:
jobs:
scorecard:
name: Scorecard Analysis
- uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
publish-results: true
upload-sarif: true
diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
index 0661019..7d893b7 100644
--- a/.github/workflows/security-analysis.yml
+++ b/.github/workflows/security-analysis.yml
@@ -33,7 +33,7 @@ permissions:
jobs:
security:
name: Security Analysis
- uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
source-directory: 'src'
python-version: '3.12'
diff --git a/.github/workflows/slsa-provenance.yml b/.github/workflows/slsa-provenance.yml
index 0fcb890..3b9f032 100644
--- a/.github/workflows/slsa-provenance.yml
+++ b/.github/workflows/slsa-provenance.yml
@@ -41,7 +41,7 @@ jobs:
steps:
- name: Harden the runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
# The SLSA build job runs in block mode for reproducibility.
# The allowed-endpoints list covers:
@@ -112,7 +112,7 @@ jobs:
slsa:
name: SLSA Level 3
needs: [build]
- uses: ByronWilliamsCPA/.github/.github/workflows/python-slsa.yml@799ebd63e16aba0236ceded915f5c1cac20823b3 # main
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-slsa.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
with:
base64-subjects: ${{ needs.build.outputs.hashes }}
upload-assets: true
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 58139ba..af16933 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -52,7 +52,7 @@ jobs:
has-token: ${{ steps.check.outputs.has-token }}
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit # TODO: tighten to block after 2026-06-30
@@ -80,7 +80,7 @@ jobs:
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit # TODO: tighten to block after 2026-06-30
@@ -130,7 +130,7 @@ jobs:
fi
- name: SonarCloud Scan
- uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8.0.0
+ uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed for PR decoration
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SonarCloud authentication
diff --git a/.github/workflows/validate-cruft.yml b/.github/workflows/validate-cruft.yml
index 8dfcfd8..e6093ca 100644
--- a/.github/workflows/validate-cruft.yml
+++ b/.github/workflows/validate-cruft.yml
@@ -35,7 +35,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden runner
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
# NOTE: tighten to block after 2026-06-30 as part of the cross-workflow