From 1e08a5a547573aff78b4760293f7bb3412b1a875 Mon Sep 17 00:00:00 2001
From: Simon
Date: Fri, 29 May 2026 13:27:19 -0700
Subject: [PATCH] Fix CheckYourself DevArch findings
---
 .github/dependabot.yml | 23 +++++++++++++++++++++++
 .github/workflows/agent-law.yml | 4 +++-
 .github/workflows/archaeology.yml | 13 +++++++------
 .github/workflows/blacksmith-probe.yml | 2 +-
 .github/workflows/ci.yml | 14 ++++++++++----
 .github/workflows/publish.yml | 11 ++++++++---
 .gitignore | 2 ++
 7 files changed, 54 insertions(+), 15 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c36fad3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ labels:
+ - "dependencies"
+ - "python"
+ commit-message:
+ prefix: "chore(deps)"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ labels:
+ - "dependencies"
+ - "ci"
+ commit-message:
+ prefix: "ci(deps)"
diff --git a/.github/workflows/agent-law.yml b/.github/workflows/agent-law.yml
index 07cbd0a..b8ea6bb 100644
--- a/.github/workflows/agent-law.yml
+++ b/.github/workflows/agent-law.yml
@@ -14,7 +14,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Verify Empower Orchestrator law
 shell: bash
diff --git a/.github/workflows/archaeology.yml b/.github/workflows/archaeology.yml
index bafa4da..47e2495 100644
--- a/.github/workflows/archaeology.yml
+++ b/.github/workflows/archaeology.yml
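Review bot: Nothing in this hunk constrains the job's GITHUB_TOKEN scope: `persist-credentials: false` keeps the token out of `.git/config`, but the permissions it carries are set by a `permissions:` block above line 14 that is not in view, and the diffstat (`4 +++-`, matching the three `+` lines and one `-` line here) shows this commit did not add one. If agent-law.yml has no such block, the job runs with the repository's default token permissions; the usual fix is a workflow-level `permissions:` with `  contents: read` and per-job escalation only where a step needs it. The same question applies to the checkout hunks in ci.yml and publish.yml below. The `jobs:` mapping enclosing this hunk begins outside it.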
@@ -27,12 +27,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ persist-credentials: false
 fetch-depth: 0 # Full git history required for archaeology
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.12'
 cache: 'pip'
@@ -70,7 +71,7 @@ jobs:
 run: devarch audit "$PROJECT_NAME" || true
 - name: Upload archaeology report
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: archaeology-report-${{ env.PROJECT_NAME }}
 path: |
@@ -79,11 +80,11 @@ jobs:
 # Optional: Deploy to GitHub Pages (uncomment to enable)
 # - name: Setup Pages
- # uses: actions/configure-pages@v4
+ # uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 # - name: Upload Pages artifact
- # uses: actions/upload-pages-artifact@v3
+ # uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 # with:
 # path: projects/${{ env.PROJECT_NAME }}/deliverables/visual/
 # - name: Deploy to GitHub Pages
 # id: deployment
- # uses: actions/deploy-pages@v4
+ # uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/blacksmith-probe.yml b/.github/workflows/blacksmith-probe.yml
index 66e3c52..66a1743 100644
--- a/.github/workflows/blacksmith-probe.yml
+++ b/.github/workflows/blacksmith-probe.yml
@@ -12,6 +12,6 @@ permissions:
 jobs:
 probe:
- uses: KyaniteLabs/.github/.github/workflows/blacksmith-probe.yml@main
+ uses: KyaniteLabs/.github/.github/workflows/blacksmith-probe.yml@3446813931bdcad5962acc21c315a79a3f9d1837 # main at 2026-05-29
 with:
 probe_label: complementary-runner-probe
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ebc8647..1ba52a7 100644
--- a/.github/workflows/ci.yml
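Review bot: The SHA pins written into the commented-out Pages steps (the three `# uses:` lines in the `@@ -79,11 +80,11 @@` hunk) will go stale silently: the Dependabot config added in this commit covers `github-actions`, but as far as I know Dependabot only rewrites live `uses:` lines and never touches YAML comments, so whoever uncomments this block later inherits whatever versions were current today. Either drop the block in favour of a one-line pointer to where the Pages steps are documented, or put a warning above `# Optional: Deploy to GitHub Pages` such as `# NOTE: the pins below are not maintained by Dependabot; re-pin before enabling`. The `jobs:` mapping enclosing these hunks starts outside them.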
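Review bot: The trailing comment on the new `uses:` line, `# main at 2026-05-29`, records a branch and a date rather than a release tag, so it is unclear whether Dependabot can ever propose a newer commit for this pin; it needs a tag to map the SHA to a version, and the hunk does not tell me whether `KyaniteLabs/.github` publishes any. If it does not, say so in the comment, e.g. `# main at 2026-05-29; not tracked by Dependabot, refresh manually`, so the pin does not quietly freeze the probe workflow forever. Note also that this pin fixes only the caller's reference; whatever actions the reusable workflow itself invokes are governed by that repository's own pinning. The `permissions:` block named in the hunk header lies outside the hunk.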
+++ b/.github/workflows/ci.yml
@@ -16,10 +16,13 @@ jobs:
 python-version: ['3.10', '3.11', '3.12']
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
@@ -39,10 +42,13 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.11'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3f191ee..385a945 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,8 +12,13 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Set up Python
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.12'
 - name: Install build tools
@@ -23,4 +28,4 @@ jobs:
 - name: Check package
 run: twine check dist/*
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
diff --git a/.gitignore b/.gitignore
index e175337..dbd838f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,8 @@ cover/
 # Environments
 .env
+*.pem
+*.key
 .venv
 env/
 venv/
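Review bot: The credential path for the pinned `pypa/gh-action-pypi-publish` step is not visible anywhere in publish.yml's two hunks: the action authenticates either via OIDC trusted publishing, which requires `id-token: write` on the job or workflow, or via a `password:` input, and the new `uses:` line carries no `with:` block. Both hunks together account for the file's full diffstat (8 insertions, 3 deletions), so this commit added no `permissions:` entry, and anything above line 12 is out of view. If the file has no `permissions:` block, add one on the `publish` job with `  id-token: write` and `  contents: read` so the OIDC token is available and nothing else is granted; if a `password:` secret is used instead, `id-token` should stay absent. The `publish` job begins outside the second hunk.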
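Review bot: The new `*.pem` and `*.key` patterns only stop untracked files from being staged by default; any key material already tracked under those names stays in the repository and its history, and common key container formats (`*.p12`, `*.pfx`, `*.jks`) are not matched. Worth a one-off `git ls-files '*.pem' '*.key'` to confirm nothing is already tracked, and extending the block with those extensions while you are here. A `.gitignore` entry is a convenience rather than a control, so pairing it with a pre-commit or CI secret scanner is what actually closes the finding.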