chore: sync main with latest OSSF and container hardening#33

Closed

seonghobae wants to merge 15 commits into main from develop

Conversation

@seonghobae seonghobae commented Apr 9, 2026

Collaborator

Summary

  • backport the latest develop-side OpenSSF, Docker, and fuzzing hardening into main
  • bring the stable branch up to the same container packaging, ClusterFuzzLite, provenance export, and scorecard policy level as develop
  • prepare main for the next tagged release after the OSSF and container work lands

seonghobae and others added 15 commits April 9, 2026 08:47
…cripts, workflows, and internal architecture
* fix: scope scorecards push to develop

* test: add enforced quality gate

* test: cover synthetic helper branches

* chore: add automated dependency updates

* docs: add security reporting policy

* ci: pin workflow dependencies

* ci: pin workflow actions and broaden PR checks

* ci: lock uv installs and PR workflow coverage

* ci: add release provenance workflow

* ci: force github actions to node24

* docs: record OpenSSF badge decision

* docs: add changelog baseline

* ci: pin workflow dependencies (#5)

* ci: pin workflow dependencies

* ci: pin workflow actions and broaden PR checks

* ci: lock uv installs and PR workflow coverage

* ci: add release provenance workflow (#6)

* ci: add release provenance workflow

* ci: force github actions to node24 (#7)

* ci: force github actions to node24

* docs: record OpenSSF badge decision (#11)

* docs: record OpenSSF badge decision

* docs: add changelog baseline (#12)

* ci: align gh-pages workflow with repo policies

* test: tighten review-driven regressions

* docs: tighten manual examples

* test: strengthen review follow-up assertions

* docs: align installation guidance with recommendation

* ci: add CircleCI quality gate

* ci: harden CircleCI uv install

* test: tighten remaining reviewer regressions

* docs: clarify supported Python range without implying 3.10-only use

* ci: harden docs deploy path for reproducible Pages builds

* ci: close remaining automation review gaps

* docs: keep dev install examples shell-safe and in sync

* ci: enable repo-local CodeRabbit approval workflow
Bumps the github-actions group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.3.1` | `6.0.2` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.35.1` | `4.35.1` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.2.0` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `6.8.0` | `8.0.0` |
| [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `3.0.1` | `4.0.0` |
| [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4.0.5` | `5.0.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.0` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `2.4.0` | `4.1.0` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.0` | `2.4.3` |


Updates `actions/checkout` from 4.3.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

Updates `github/codeql-action` from 3.35.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

Updates `actions/setup-python` from 5.6.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)

Updates `astral-sh/setup-uv` from 6.8.0 to 8.0.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@d0cc045...cec2083)

Updates `actions/upload-pages-artifact` from 3.0.1 to 4.0.0
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@56afc60...7b1f4a7)

Updates `actions/deploy-pages` from 4.0.5 to 5.0.0
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@d6db901...cd2ce8f)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...bbbca2d)

Updates `actions/attest-build-provenance` from 2.4.0 to 4.1.0
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@e8998f9...a2bbfa2)

Updates `ossf/scorecard-action` from 2.4.0 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@62b2cac...4eaacf0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-pages-artifact
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/deploy-pages
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump the python group with 3 updates

Updates the requirements on [pytest](https://github.com/pytest-dev/pytest), [pytest-cov](https://github.com/pytest-dev/pytest-cov) and [mkdocs-material](https://github.com/squidfunk/mkdocs-material) to permit the latest version.

Updates `pytest` to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.0...9.0.3)

Updates `pytest-cov` to 7.1.0
- [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst)
- [Commits](pytest-dev/pytest-cov@v5.0.0...v7.1.0)

Updates `mkdocs-material` to 9.7.6
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](squidfunk/mkdocs-material@9.6.0...9.7.6)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: python
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:development
  dependency-group: python
- dependency-name: mkdocs-material
  dependency-version: 9.7.6
  dependency-type: direct:development
  dependency-group: python
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: keep docs theme below warning release

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Seongho Bae <me@seonghobae.me>
* fix(actions): scope Node24 forcing away from Pages artifact upload

* fix(actions): vendor Pages artifact upload on node24
* ci: ship lean multi-arch images with optional NVIDIA publish

* test: make container workflow assertions structural
* chore: pin new Docker and fuzz dependencies by digest

* chore: refresh lockfile for pinned docker and fuzz extras

* fix: keep fuzzing branch lockfile CI-safe

* fix: keep fuzzing branch lockfile CI-safe
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

coderabbitai Bot commented Apr 9, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e68202f7-c31a-46f6-ab84-e3d195df2de8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@seonghobae

Collaborator Author

Closing this sync PR for now because it is a dirty merge over earlier squash history. The immediate OpenSSF/Scorecard work was completed on develop; stable-branch synchronization can be revisited with a clean backport/release branch when the next release cut is prepared.

@seonghobae seonghobae closed this Apr 9, 2026