1c4e34a
fix(ci): temporarily ignore GHSA-4xh5-x5gv-qwph (CVE-2025-8869) until…
jenstroeger Oct 15, 2025
29c0af9
chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#1011)
dependabot[bot] Dec 3, 2025
c0e42fe
chore(deps): bump pytest-env from 1.1.5 to 1.2.0 (#1017)
dependabot[bot] Dec 3, 2025
741c764
chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#1024)
dependabot[bot] Dec 3, 2025
fcfe9b8
chore(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#1025)
dependabot[bot] Dec 3, 2025
4a88d71
chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 (…
dependabot[bot] Dec 3, 2025
fceeaaf
chore(deps-dev): bump faker from 37.6.0 to 38.2.0 (#1040)
dependabot[bot] Dec 3, 2025
35d6c25
chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#1042)
dependabot[bot] Dec 3, 2025
f4f59cd
chore(deps): bump github/codeql-action from 3.30.3 to 4.31.5 (#1047)
dependabot[bot] Dec 3, 2025
5eddc63
chore(deps-dev): update mypy requirement from <1.19,>=1.0.0 to >=1.0.…
dependabot[bot] Dec 3, 2025
0712e06
chore(deps-dev): update pre-commit requirement from <4.4.0,>=3.0.0 to…
dependabot[bot] Dec 3, 2025
473f8e7
chore(deps-dev): bump commitizen from 4.9.1 to 4.10.0 (#1036)
dependabot[bot] Dec 3, 2025
58abebd
chore(deps-dev): bump pytest-doctestplus from 1.4.0 to 1.6.0 (#1041)
dependabot[bot] Dec 3, 2025
a55a621
chore(deps-dev): update hypothesis requirement from <6.138.17,>=6.21.…
dependabot[bot] Dec 3, 2025
de66293
chore(deps): bump actions/setup-python from 6.0.0 to 6.1.0 (#1046)
dependabot[bot] Dec 3, 2025
2afde25
chore(deps): update pylint requirement from <3.4.0,>=3.0.0 to >=3.0.0…
dependabot[bot] Dec 3, 2025
0bceaf0
fix(ci): undo temporary ignore of GHSA-4xh5-x5gv-qwph (CVE-2025-8869)…
jenstroeger Dec 3, 2025
1b34fdd
feat: using pytest as a test runner, diversify the tests into unit, i…
jenstroeger Dec 3, 2025
7bad14b
fix: invoke flit through the Python interpreter’s module-call argumen…
jenstroeger Dec 3, 2025
d72c795
chore(deps-dev): update pre-commit tools (#1050)
jenstroeger Dec 3, 2025
8 changes: 4 additions & 4 deletions .github/workflows/_build.yaml
Expand Up @@ -55,18 +55,18 @@ jobs:
steps:

- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
disable-sudo: true

- name: Check out repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
with:
python-version: ${{ matrix.python }}

Expand Down Expand Up @@ -134,7 +134,7 @@ jobs:
# Currently reusable workflows do not support setting strategy property from the caller workflow.
- name: Upload the package artifact for debugging and release
if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: artifact-${{ matrix.os }}-python-${{ matrix.python }}
path: dist
4 changes: 2 additions & 2 deletions .github/workflows/_generate-rebase.yaml
Expand Up @@ -34,12 +34,12 @@ jobs:
steps:

- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Check out repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
fetch-depth: 0
token: ${{ secrets.REPO_ACCESS_TOKEN }}
6 changes: 3 additions & 3 deletions .github/workflows/_wiki-documentation.yaml
Expand Up @@ -41,23 +41,23 @@ jobs:
steps:

- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
disable-sudo: true

# Check out the repository's Wiki repo into the wiki/ folder. The token is required
# only for private repositories.
- name: Check out repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
token: ${{ secrets.REPO_ACCESS_TOKEN }}
repository: ${{ format('{0}.wiki', github.repository) }}
path: wiki

# Download the build artifacts attached to this workflow run.
- name: Download artifact
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: ${{ inputs.artifact-name }}
path: dist
10 changes: 5 additions & 5 deletions .github/workflows/codeql-analysis.yaml
Expand Up @@ -33,16 +33,16 @@ jobs:
steps:

- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
disable-sudo: true

- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

- name: Set up Python ${{ matrix.python }}
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
with:
python-version: ${{ matrix.python }}

Expand All @@ -54,7 +54,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
with:
languages: ${{ matrix.language }}
config-file: .github/codeql/codeql-config.yaml
Expand All @@ -67,4 +67,4 @@ jobs:
# queries: ./path/to/local/query, your-org/your-repo/queries@main

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
6 changes: 3 additions & 3 deletions .github/workflows/pr-conventional-commits.yaml
Expand Up @@ -22,12 +22,12 @@
steps:

- name: Check out repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
with:
python-version: '3.13'

Expand All @@ -36,7 +36,7 @@
- name: Set up Commitizen
run: |
pip install --upgrade pip wheel
pip install 'commitizen ==4.9.1'
pip install 'commitizen ==4.10.0'

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 6: pipCommand not pinned by hash
# Run Commitizen to check the title of the PR which triggered this workflow, and check
# all commit messages of the PR's branch. If any of the checks fails then this job fails.
24 changes: 12 additions & 12 deletions .github/workflows/release.yaml
Expand Up @@ -30,26 +30,26 @@
steps:

- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
disable-sudo: true

- name: Check out repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
fetch-depth: 0
token: ${{ secrets.REPO_ACCESS_TOKEN }}

- name: Set up Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
with:
python-version: '3.13'

- name: Set up Commitizen
run: |
pip install --upgrade pip wheel
pip install 'commitizen ==4.9.1'
pip install 'commitizen ==4.10.0'

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 6: pipCommand not pinned by hash
- name: Set up user
run: |
Expand Down Expand Up @@ -98,18 +98,18 @@
steps:

- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
disable-sudo: true

- name: Check out repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
fetch-depth: 0

- name: Download artifact
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: artifact-ubuntu-latest-python-3.13
path: dist
Expand All @@ -126,14 +126,14 @@
# Create the Release Notes using commitizen.
- name: Set up Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
with:
python-version: '3.13'

- name: Set up Commitizen
run: |
pip install --upgrade pip wheel
pip install 'commitizen ==4.9.1'
pip install 'commitizen ==4.10.0'

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 6: pipCommand not pinned by hash
- name: Create Release Notes
run: cz changelog --dry-run "$(cz version --project)" > RELEASE_NOTES.md
Expand Down Expand Up @@ -199,18 +199,18 @@
steps:

- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
disable-sudo: true

- name: Check out repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
fetch-depth: 0

- name: Download provenance
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: ${{ needs.provenance.outputs.provenance-name }}

10 changes: 5 additions & 5 deletions .github/workflows/scorecards-analysis.yaml
Expand Up @@ -26,18 +26,18 @@ jobs:
steps:

- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
disable-sudo: true

- name: Check out repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -52,13 +52,13 @@ jobs:

# Upload the results as artifacts (optional).
- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: SARIF file
path: results.sarif

# Upload the results to GitHub's code scanning dashboard.
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
with:
sarif_file: results.sarif
4 changes: 2 additions & 2 deletions .github/workflows/sync-with-upstream.yaml
Expand Up @@ -21,7 +21,7 @@ jobs:
steps:

- name: Check out template repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
# If you decide to change the upstream template repository to a private one, uncomment
# the following argument to pass the required token to be able to check it out.
Expand All @@ -31,7 +31,7 @@ jobs:
path: template

- name: Check out current repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
token: ${{ secrets.REPO_ACCESS_TOKEN }}
fetch-depth: 0
24 changes: 12 additions & 12 deletions .pre-commit-config.yaml
Expand Up @@ -15,15 +15,15 @@ repos:

# Commitizen enforces semantic and conventional commit messages.
- repo: https://github.com/commitizen-tools/commitizen
rev: v4.9.1
rev: v4.10.0
hooks:
- id: commitizen
name: Check conventional commit message
stages: [commit-msg]

# Sort imports.
- repo: https://github.com/pycqa/isort
rev: 6.0.1
rev: 7.0.0
hooks:
- id: isort
name: Sort import statements
Expand All @@ -32,7 +32,7 @@ repos:

# Add Black code formatters.
- repo: https://github.com/ambv/black
rev: 25.9.0
rev: 25.11.0
hooks:
- id: black
name: Format code
Expand All @@ -43,11 +43,11 @@ repos:
- id: blacken-docs
name: Format code in docstrings
args: [--line-length, '120']
additional_dependencies: [black==25.9.0]
additional_dependencies: [black==25.11.0]

# Upgrade and rewrite Python idioms.
- repo: https://github.com/asottile/pyupgrade
rev: v3.20.0
rev: v3.21.2
hooks:
- id: pyupgrade
name: Upgrade code idioms
Expand All @@ -63,7 +63,7 @@ repos:
name: Check flake8 issues
files: ^src/package/|^tests/
types: [text, python]
additional_dependencies: [flake8-bugbear==24.12.12, flake8-builtins==3.0.0, flake8-comprehensions==3.17.0, flake8-docstrings==1.7.0, flake8-logging==1.8.0, flake8-mutable==1.2.0, flake8-noqa==1.4.0, flake8-print==5.0.0, flake8-pyi==25.5.0, flake8-pytest-style==2.1.0, flake8-rst-docstrings==0.3.1, pep8-naming==0.15.1]
additional_dependencies: [flake8-bugbear==25.11.29, flake8-builtins==3.1.0, flake8-comprehensions==3.17.0, flake8-docstrings==1.7.0, flake8-logging==1.8.0, flake8-mutable==1.2.0, flake8-noqa==1.4.0, flake8-print==5.0.0, flake8-pyi==25.5.0, flake8-pytest-style==2.2.0, flake8-rst-docstrings==0.4.0, pep8-naming==0.15.1]
args: [--config, .flake8]

# Run Pylint from the local repo to make sure venv packages
Expand All @@ -87,11 +87,11 @@ repos:
language: python
files: ^src/package/|^tests/
types: [text, python]
args: [--config-file, pyproject.toml]
args: [--explicit-package-bases, --config-file, pyproject.toml]

# Check for potential security issues.
- repo: https://github.com/PyCQA/bandit
rev: 1.8.6
rev: 1.9.2
hooks:
- id: bandit
name: Check for security issues
Expand Down Expand Up @@ -156,18 +156,18 @@ repos:

# Check GitHub Actions workflow files.
- repo: https://github.com/Mateusz-Grzelinski/actionlint-py
rev: v1.7.7.24
rev: v1.7.9.24
hooks:
- id: actionlint

# On push to the remote, run the unit tests. Note that the `COVERAGE_CORE` variable is
# required for Python 3.12+ to make sure Coverage uses the new Python monitoring module.
# On push to the remote, run all tests. Note that the `COVERAGE_CORE` variable is required
# for Python 3.12+ to make sure Coverage uses the new Python monitoring module.
# See also: https://blog.trailofbits.com/2025/05/01/making-pypis-test-suite-81-faster/#optimizing-coverage-with-python-312s-sysmonitoring
- repo: local
hooks:
- id: pytest
name: Run unit tests
entry: env COVERAGE_CORE=sysmon pytest -c pyproject.toml --cov-config pyproject.toml src/package/ tests/ docs/
entry: env COVERAGE_CORE=sysmon pytest --config-file pyproject.toml --cov-config pyproject.toml -m 'not integration and not performance' src/package/ tests/ docs/
language: python
verbose: true
always_run: true
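Review bot: The comment rewritten above the local pytest hook now says the hook runs all tests, but the new `entry` deselects everything marked integration or performance via `-m 'not integration and not performance'`, and the hook's `name` still reads `Run unit tests`, so the comment contradicts the command it describes. I would reword its first sentence to `# On push to the remote, run the unit tests (integration and performance tests are deselected by marker).` and leave the `COVERAGE_CORE` explanation as it is. The marker expression also presumes that `integration` and `performance` are registered under pytest's `markers` option in pyproject.toml, which this diff does not show; if they are not, pytest emits an unknown-marker warning on every run and fails outright under `--strict-markers`, so that is worth confirming before merging. If the CI workflows use the same `-m` expression for their unit stage, it may be worth keeping it in one place (for example `addopts` in pyproject.toml) so the two selections cannot drift apart.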