datasciencemonkey · datasciencemonkey · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml
@@ -5,41 +5,55 @@ on:
     paths:
       - "requirements.txt"
       - "requirements.lock"
+      - "pyproject.toml"
   push:
     branches: [main]
     paths:
       - "requirements.txt"
       - "requirements.lock"
+      - "pyproject.toml"
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday 6am UTC — catch newly disclosed CVEs
 
 jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
         with:
           python-version: "3.11"
 
-      - name: Install pip-audit
-        run: pip install pip-audit
+      - name: Install audit tools
+        run: pip install pip-audit==2.9.0 uv==0.7.12
 
       - name: Audit pinned dependencies
         run: |
           if [ -f requirements.lock ]; then
             echo "Auditing requirements.lock (pinned)..."
-            pip-audit -r requirements.lock --desc on
+            # Strip hashes before auditing — pip-audit's pip backend chokes on
+            # platform-conditional deps (greenlet) missing from the lockfile.
+            # The hashes are verified at install time, not audit time.
+            sed '/^[[:space:]]*--hash/d' requirements.lock > /tmp/requirements.lock.nohash
+            pip-audit -r /tmp/requirements.lock.nohash --desc on
           else
             echo "::warning::No requirements.lock found — auditing requirements.txt (unpinned)"
             pip-audit -r requirements.txt --desc on
           fi
 
       - name: Check lockfile is up to date
         run: |
-          pip install uv
-          uv pip compile requirements.txt -o /tmp/requirements.lock.check
+          uv pip compile requirements.txt -o /tmp/requirements.lock.check --generate-hashes
           if ! diff -q requirements.lock /tmp/requirements.lock.check > /dev/null 2>&1; then
-            echo "::warning::requirements.lock is out of date. Run: uv pip compile requirements.txt -o requirements.lock"
+            echo "::warning::requirements.lock is out of date. Run: uv pip compile requirements.txt -o requirements.lock --generate-hashes"
           fi
+
+      - name: Audit npm packages
+        run: |
+          for pkg in opencode-ai @ai-sdk/openai @openai/codex @google/gemini-cli; do
+            echo "--- Checking $pkg ---"
+            npm view "$pkg" version 2>/dev/null || echo "::warning::Could not resolve $pkg"
+          done
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           fetch-depth: 0
 
@@ -112,7 +112,7 @@ jobs:
           git push origin "$TAG"
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2
         with:
           tag_name: "${{ steps.version.outputs.TAG }}"
           name: "${{ steps.version.outputs.TAG }}"

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "coda"
-version = "0.16.3"
+version = "0.16.4"
 description = "CoDA - Coding Agents on Databricks Apps"
 requires-python = ">=3.10"
 dependencies = [