chore: sync main with latest OSSF and container hardening #33
seonghobae wants to merge 15 commits into
Conversation
… contributing rules
…cripts, workflows, and internal architecture
* fix: scope scorecards push to develop
* test: add enforced quality gate
* test: cover synthetic helper branches
* chore: add automated dependency updates
* docs: add security reporting policy
* ci: pin workflow dependencies
* ci: pin workflow actions and broaden PR checks
* ci: lock uv installs and PR workflow coverage
* ci: add release provenance workflow
* ci: force github actions to node24
* docs: record OpenSSF badge decision
* docs: add changelog baseline
* ci: pin workflow dependencies (#5)
* ci: pin workflow dependencies
* ci: pin workflow actions and broaden PR checks
* ci: lock uv installs and PR workflow coverage
* ci: add release provenance workflow (#6)
* ci: add release provenance workflow
* ci: force github actions to node24 (#7)
* ci: force github actions to node24
* docs: record OpenSSF badge decision (#11)
* docs: record OpenSSF badge decision
* docs: add changelog baseline (#12)
* ci: align gh-pages workflow with repo policies
* test: tighten review-driven regressions
* docs: tighten manual examples
* test: strengthen review follow-up assertions
* docs: align installation guidance with recommendation
* ci: add CircleCI quality gate
* ci: harden CircleCI uv install
* test: tighten remaining reviewer regressions
* docs: clarify supported Python range without implying 3.10-only use
* ci: harden docs deploy path for reproducible Pages builds
* ci: close remaining automation review gaps
* docs: keep dev install examples shell-safe and in sync
* ci: enable repo-local CodeRabbit approval workflow
Bumps the github-actions group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.3.1` | `6.0.2` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.35.1` | `4.35.1` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.2.0` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `6.8.0` | `8.0.0` |
| [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `3.0.1` | `4.0.0` |
| [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4.0.5` | `5.0.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.0` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `2.4.0` | `4.1.0` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.0` | `2.4.3` |

Updates `actions/checkout` from 4.3.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

Updates `github/codeql-action` from 3.35.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

Updates `actions/setup-python` from 5.6.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)

Updates `astral-sh/setup-uv` from 6.8.0 to 8.0.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@d0cc045...cec2083)

Updates `actions/upload-pages-artifact` from 3.0.1 to 4.0.0
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@56afc60...7b1f4a7)

Updates `actions/deploy-pages` from 4.0.5 to 5.0.0
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@d6db901...cd2ce8f)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...bbbca2d)

Updates `actions/attest-build-provenance` from 2.4.0 to 4.1.0
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@e8998f9...a2bbfa2)

Updates `ossf/scorecard-action` from 2.4.0 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@62b2cac...4eaacf0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-pages-artifact
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/deploy-pages
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump the python group with 3 updates

Updates the requirements on [pytest](https://github.com/pytest-dev/pytest), [pytest-cov](https://github.com/pytest-dev/pytest-cov) and [mkdocs-material](https://github.com/squidfunk/mkdocs-material) to permit the latest version.

Updates `pytest` to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.0...9.0.3)

Updates `pytest-cov` to 7.1.0
- [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst)
- [Commits](pytest-dev/pytest-cov@v5.0.0...v7.1.0)

Updates `mkdocs-material` to 9.7.6
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](squidfunk/mkdocs-material@9.6.0...9.7.6)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: python
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:development
  dependency-group: python
- dependency-name: mkdocs-material
  dependency-version: 9.7.6
  dependency-type: direct:development
  dependency-group: python
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: keep docs theme below warning release

--------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Seongho Bae <me@seonghobae.me>
* fix(actions): scope Node24 forcing away from Pages artifact upload
* fix(actions): vendor Pages artifact upload on node24
* ci: ship lean multi-arch images with optional NVIDIA publish
* test: make container workflow assertions structural
* chore: pin new Docker and fuzz dependencies by digest
* chore: refresh lockfile for pinned docker and fuzz extras
* fix: keep fuzzing branch lockfile CI-safe
* fix: keep fuzzing branch lockfile CI-safe
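Several commits in this PR pin workflow actions and Docker dependencies, and the Dependabot bumps above move each action's pinned commit (for example `actions/checkout@34e1148...de0fac2`) together with a human-readable version. The check below is an added example written for this page; it is not code from the PR or the project. It scans GitHub Actions workflow text for `uses: owner/repo@ref` lines and reports any ref that is not a full 40-hex commit SHA (tags, branches and short SHAs are all mutable), which is the property the OpenSSF Scorecard Pinned-Dependencies check looks for, plus SHA-pinned lines that lack the `# vX.Y.Z` comment Dependabot keeps next to the SHA. The sample workflow and its SHAs are constructed placeholders, not real commits.

```python
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref` with an optional trailing `# vX.Y.Z` comment.
# Local actions (`uses: ./...`) and `docker://` images have no `@ref` in this
# form and are skipped here; they need their own check.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable. Tags (v6.0.2), branches
    (main) and abbreviated SHAs (de0fac2) can be moved or become ambiguous,
    so none of them count as pinned."""
    return bool(FULL_SHA_RE.match(ref))


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not pinned by full SHA,
    or that is pinned but lacks the version comment that keeps the
    human-readable version beside the SHA."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if not is_pinned(ref):
            findings.append(Finding(line_no, action, ref,
                                    "mutable ref; pin to a 40-hex commit SHA"))
        elif comment is None:
            findings.append(Finding(line_no, action, ref,
                                    "pinned but missing '# vX.Y.Z' version comment"))
    return findings


# Constructed sample workflow for this example; the SHAs are placeholders,
# not real commits of the named actions.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: actions/setup-python@v6
      - uses: astral-sh/setup-uv@main
      - uses: ossf/scorecard-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: github/codeql-action/init@de0fac2
      - uses: ./.github/actions/local-check
"""


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
```

Run it against every file under `.github/workflows/` in CI and fail the job on any finding; a separate check is still needed for `docker://` images and Dockerfile `FROM` lines, which should be pinned by `@sha256:` digest in the same spirit as the "pin new Docker and fuzz dependencies by digest" commit.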
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

For more information about GitHub Code Scanning, check out the documentation.
Important: Review skipped. Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the Run configuration.

Configuration used: Path: .coderabbit.yaml. Review profile: CHILL. Plan: Pro.
Closing this sync PR for now because it is a dirty merge over earlier squash history. The immediate OpenSSF/Scorecard work was completed on
Summary
maindevelopmainfor the next tagged release after the OSSF and container work lands