chore(deps): Bump the uv group across 1 directory with 5 updates#13
Open
dependabot[bot] wants to merge 14 commits into
Open
chore(deps): Bump the uv group across 1 directory with 5 updates#13dependabot[bot] wants to merge 14 commits into
dependabot[bot] wants to merge 14 commits into
Conversation
The test_claude_md_has_version_rules test was failing on CI because CLAUDE.md is in .gitignore and not pushed to the repository. Added pytest.skip() to gracefully skip this test when running on CI where the file doesn't exist, while still testing locally where CLAUDE.md is present.
- Add encoding='utf-8' to all read_text() calls to prevent Windows cp1252 decoding errors when reading release.sh - Skip executable permission check on Windows (no Unix mode bits) - Import sys module for platform detection
## Security Fixes (CRITICAL) - Add flock-based locking to release.sh to prevent concurrent execution - Add validate_branch_name() function for shell injection prevention - Pin 23 GitHub Actions to commit SHAs (supply chain protection) - Add explicit permissions blocks to 5 workflow files ## Reliability Fixes (CRITICAL) - Add job timeouts to all 6 workflows (ci: 30min, e2e: 45min, quality: 15min) - Add E2E test retry logic using nick-fields/retry (max 3 attempts) - Add comprehensive rollback_release() function for failed releases - Replace '|| true' patterns with proper error handling ## Test Coverage Fixes (HIGH) - Add 17 behavior tests for version release functions - Tests use subprocess to validate actual bash function execution - Cover: get_base_version, get_version_stage, get_stage_value, compare_base_versions ## Documentation Fixes (HIGH) - Remove 141 lines of deleted CCPM plugin documentation - Document 5 hidden justfile commands (promote, sync-main, equalize, backport-hotfix, port-commit) - Add detailed usage examples and warnings for dangerous operations Files changed: 10 - 6 workflow files (security + reliability) - scripts/release.sh (security + reliability) - CONTRIBUTING.md (outdated docs removal) - JUST COMMANDS FOR THIS PROJECT.md (hidden commands) - tests/test_version_release_rules.py (behavior tests)
Add test suite for --text2path CLI flag functionality: - TestText2PathCLIValidation: Verify --text2path-strict requires --text2path - TestText2PathPackageCheck: Test import error handling when package missing - TestText2PathConversion: Test actual conversion (skipped when package not installed) Tests verify: 1. CLI flag validation works correctly 2. Helpful error messages when svg-text2path not installed 3. Text elements converted to paths when package is available All tests pass: 3 passed, 1 skipped (svg-text2path optional dependency)
The previous SHA a42d72ef6e036f11894cdae57460f64a65b6a495 does not exist in the trufflesecurity/trufflehog repository, causing all Quality and CI/CD Pipeline workflows to fail with "action could not be found" error. Updated to current main branch SHA: a450544f0b7c12e99bd78b4f02fe67d5c5e56711
Prevents future incidents where invalid SHAs are pinned to workflow files. New safeguards: 1. scripts/validate_action_shas.py - Validates all pinned SHAs exist 2. validate.sh now includes SHA validation in pre-push checks 3. just validate-action-shas - Manual SHA validation command Root cause: Previous agent fabricated SHA a42d72ef... which didn't exist in trufflesecurity/trufflehog repo, causing all CI/CD runs to fail. This validation now runs: - Before every git push (via validate.sh) - Before every release (via release.sh) - On demand: just validate-action-shas
Pipeline reliability improvements:
- Add concurrency controls to all workflows (cancel outdated runs)
- Add path filters to skip CI on docs-only changes
- Remove redundant TruffleHog from ci.yml (already in quality.yml)
- Fix auto-triage.yml caching with setup-uv action
New safeguards:
- Add validate-workflows.yml to validate workflow YAML on PR
- Add dependabot.yml for automated weekly dependency updates
- Integrate SHA validation into pre-push validation (validate.sh)
Concurrency groups use: ${{ github.workflow }}-${{ github.ref }}
Path filters include: src/**, tests/**, pyproject.toml, uv.lock
This prevents:
- Duplicate CI runs on same branch
- Wasted resources on doc-only changes
- Invalid action SHAs reaching production
gh CLI is already pre-installed on GitHub-hosted runners, so no additional action is needed.
Bumps the npm-all group in /tests with 1 update: [puppeteer](https://github.com/puppeteer/puppeteer). Updates `puppeteer` from 22.15.0 to 24.36.1 - [Release notes](https://github.com/puppeteer/puppeteer/releases) - [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md) - [Commits](puppeteer/puppeteer@puppeteer-v22.15.0...puppeteer-v24.36.1) --- updated-dependencies: - dependency-name: puppeteer dependency-version: 24.36.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm-all ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The tests/sessions/ directory contains copies of SVG frames from examples/ that are regenerated for each test run. Tracking these was unnecessary: - 476 files removed from tracking (59MB) - Source data in examples/ is still tracked - Test sessions can be regenerated by running tests Added tests/sessions/ to .gitignore to prevent future tracking.
Bumps the uv group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [fonttools](https://github.com/fonttools/fonttools) | `4.60.1` | `4.60.2` | | [cryptography](https://github.com/pyca/cryptography) | `46.0.3` | `46.0.5` | | [filelock](https://github.com/tox-dev/py-filelock) | `3.20.0` | `3.20.3` | | [urllib3](https://github.com/urllib3/urllib3) | `2.5.0` | `2.6.3` | | [virtualenv](https://github.com/pypa/virtualenv) | `20.35.4` | `20.36.1` | Updates `fonttools` from 4.60.1 to 4.60.2 - [Release notes](https://github.com/fonttools/fonttools/releases) - [Changelog](https://github.com/fonttools/fonttools/blob/main/NEWS.rst) - [Commits](fonttools/fonttools@4.60.1...4.60.2) Updates `cryptography` from 46.0.3 to 46.0.5 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.3...46.0.5) Updates `filelock` from 3.20.0 to 3.20.3 - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](tox-dev/filelock@3.20.0...3.20.3) Updates `urllib3` from 2.5.0 to 2.6.3 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.5.0...2.6.3) Updates `virtualenv` from 20.35.4 to 20.36.1 - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](pypa/virtualenv@20.35.4...20.36.1) --- updated-dependencies: - dependency-name: fonttools dependency-version: 4.60.2 dependency-type: direct:production dependency-group: uv - dependency-name: cryptography dependency-version: 46.0.5 dependency-type: indirect dependency-group: uv - dependency-name: filelock dependency-version: 3.20.3 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.6.3 dependency-type: indirect dependency-group: uv - dependency-name: virtualenv dependency-version: 20.36.1 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #13 +/- ##
=====================================
Coverage 0.44% 0.44%
=====================================
Files 2 2
Lines 226 226
Branches 54 54
=====================================
Hits 1 1
Misses 225 225 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
github-actions
Bot
force-pushed
the
main
branch
from
2718225 to
5221059
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the uv group with 5 updates in the / directory:
4.60.14.60.246.0.346.0.53.20.03.20.32.5.02.6.320.35.420.36.1Updates
fonttoolsfrom 4.60.1 to 4.60.2Release notes
Sourced from fonttools's releases.
Changelog
Sourced from fonttools's changelog.
Commits
78ba5e8Release 4.60.2c3f9979macos-13 runner is no more, use macos-15-intel8016403Revert "Merge pull request #3982 from fonttools/drop-py39"e691e3bRelease 4.61.0c2d540fUpdate NEWS.rst3859753Update NEWS.rst26eb070black5ff73afMerge commit from forka696d5bvarLib: only use the basename(vf.filename)b00bc45varLib_test: test path traversal in variable-font filenameUpdates
cryptographyfrom 46.0.3 to 46.0.5Changelog
Sourced from cryptography's changelog.
Commits
06e120ebump version for 46.0.5 release (#14289)0eebb9dEC check key on cofactor > 1 (#14287)bedf6e1fix openssl version on 46 branch (#14220)e6f44fcbump for 46.0.4 and drop win arm64 due to CI issues (#14217)Updates
filelockfrom 3.20.0 to 3.20.3Release notes
Sourced from filelock's releases.
Commits
41b42ddFix TOCTOU symlink vulnerability in SoftFileLock (#465)f2e7d40[pre-commit.ci] pre-commit autoupdate (#464)5088854Support Unix systems without O_NOFOLLOW (#463)377f622[pre-commit.ci] pre-commit autoupdate (#460)4724d7fFix TOCTOU symlink vulnerability in lock file creation (#461)cb69414Bump actions/upload-artifact from 5 to 6 (#459)0769294Bump actions/download-artifact from 6 to 7 (#458)414193a[pre-commit.ci] pre-commit autoupdate (#457)1456797[pre-commit.ci] pre-commit autoupdate (#456)8d6bf90Bump actions/checkout from 5 to 6 (#455)Updates
urllib3from 2.5.0 to 2.6.3Release notes
Sourced from urllib3's releases.
... (truncated)
Changelog
Sourced from urllib3's changelog.
... (truncated)
Commits
0248277Release 2.6.38864ac4Merge commit from fork70cecb2Fix Scorecard issues related to vulnerable dev dependencies (#3755)41f249aMove "v2.0 Migration Guide" to the end of the table of contents (#3747)fd4dffdPatchVerifiedHTTPSConnectionfor Emscripten (#3752)13f0bfdHandle massive values in Retry-After when calculating time to sleep for (#3743)8c480bfBump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)4b40616Bump actions/cache from 4.3.0 to 5.0.1 (#3750)82b8479Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)34284cbMention experimental features in the security policy (#3746)Updates
virtualenvfrom 20.35.4 to 20.36.1Release notes
Sourced from virtualenv's releases.
Changelog
Sourced from virtualenv's changelog.
Commits
d0ad11drelease 20.36.1dec4cecMerge pull request #3013 from gaborbernat/fix-sec5fe5d38release 20.36.0 (#3011)9719376release 20.36.00276db6Add support for PEP 440 version specifiers in the--pythonflag. (#3008)4f900c2Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 (#3...13afcc6fix: resolve EncodingWarning in tox upgrade environment (#3007)31b5d31[pre-commit.ci] pre-commit autoupdate (#2997)7c28422fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 (...365628ctest_too_many_open_files: assert onerrno.EMFILEinstead ofstrerror(#3001)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.