Retries and Caching, Step 1

.github/workflows/_audit.yml

@@ -18,7 +18,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
         with:
           version-file: "pyproject.toml"
           enable-cache: true

.github/workflows/_build-native-only.yml

@@ -44,7 +44,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
         with:
           version-file: "pyproject.toml"
           enable-cache: true

.github/workflows/_codeql.yml

@@ -50,7 +50,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -77,9 +77,9 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # If this step fails, then you should remove it and run the build manually
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/_lint.yml

@@ -18,7 +18,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
         with:
           version-file: "pyproject.toml"
           enable-cache: true

.github/workflows/_package-publish.yml

@@ -50,7 +50,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
         with:
           version-file: "pyproject.toml"
           enable-cache: true
@@ -100,7 +100,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
         with:
           version-file: "pyproject.toml"
           cache-dependency-glob: uv.lock

.github/workflows/_scheduled-audit.yml

@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
         with:
           version-file: "pyproject.toml"
           enable-cache: true

.github/workflows/_scheduled-test.yml

@@ -25,7 +25,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
         with:
           version-file: "pyproject.toml"
           enable-cache: true

.github/workflows/_test.yml

@@ -58,7 +58,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
         with:
           version-file: "pyproject.toml"
           enable-cache: true

CODE_STYLE.md

@@ -21,6 +21,7 @@ We favor readability and maintainability over cleverness and brevity.
   dependencies.
 5. We always write code that is compatible with the Python version indicated in
   the .python-version file in the root of this repository.
+6. We like functional programming and lambdas.
 
 ## Naming
 
@@ -111,12 +112,12 @@ We use [pytest](https://docs.pytest.org/en/stable/) for testing Python code.
 1. Tests are defined in the `tests/` directory
 2. We use pytest fixtures to set up test data and state
 3. We leverage several pytest plugins:
-  1. `pytest-asyncio` for testing async code
-  2. `pytest-cov` for coverage reporting
-  3. `pytest-docker` for integration tests with containers
-  4. `pytest-env` for environment variable management
-  5. `pytest-regressions` for regression testing
-  6. `pytest-xdist` for parallel test execution
+1. `pytest-asyncio` for testing async code
+2. `pytest-cov` for coverage reporting
+3. `pytest-docker` for integration tests with containers
+4. `pytest-env` for environment variable management
+5. `pytest-regressions` for regression testing
+6. `pytest-xdist` for parallel test execution
 4. Test execution is automated through the nox test session which runs across the
   Python versions indicated in the `pyproject.toml`.
 
@@ -193,8 +194,8 @@ and protect our users.
 1. Follow the principle of least privilege for all operations and access
   controls.
 2. Never store secrets (API keys, passwords, tokens) in code repositories.
-  1. Use environment variables or dedicated secret management services.
-  2. Code is checked via `detect-secrets` pre-commit hook to prevent accidental
+1. Use environment variables or dedicated secret management services.
+2. Code is checked via `detect-secrets` pre-commit hook to prevent accidental
     commits of secrets.
 
 We implement proper input validation and sanitization for all external inputs
@@ -208,11 +209,11 @@ We handle authentication and authorization correctly:
 2. Separate authentication from authorization logic.
 3. Implement proper session management with secure cookies.
 4. Protect against common vulnerabilities:
-  1. SQL Injection: Use parameterized queries or ORM frameworks.
-  2. XSS: Apply proper output encoding.
-  3. CSRF: Implement anti-CSRF tokens for state-changing operations.
-  4. SSRF: Validate and restrict URL destinations.
-  5. Command Injection: Avoid direct system command execution where possible.
+1. SQL Injection: Use parameterized queries or ORM frameworks.
+2. XSS: Apply proper output encoding.
+3. CSRF: Implement anti-CSRF tokens for state-changing operations.
+4. SSRF: Validate and restrict URL destinations.
+5. Command Injection: Avoid direct system command execution where possible.
 5. Implement proper error handling that doesn't leak sensitive information.
 6. Use secure defaults and fail closed (secure) rather than open (insecure).
 
@@ -222,17 +223,17 @@ We apply the principle of defense in depth:
 2. Implement multiple layers of protection.
 3. Document security considerations in code and design documents.
 4. Write security-focused tests:
-  1. Test for security property violations.
-  2. Test error cases and edge conditions.
-  3. Test for resource exhaustion scenarios.
+1. Test for security property violations.
+2. Test error cases and edge conditions.
+3. Test for resource exhaustion scenarios.
 5. Apply proper rate limiting and throttling to prevent abuse.
 6. For cryptographic operations:
-  1. Use established libraries, not custom implementations.
-  2. Follow current best practices for algorithm selection and key management.
-  3. Be aware of the limitations of cryptographic primitives.
+1. Use established libraries, not custom implementations.
+2. Follow current best practices for algorithm selection and key management.
+3. Be aware of the limitations of cryptographic primitives.
 7. Regularly run security-focused static analysis tools as part of CI/CD:
-  1. CodeQL analysis (via GitHub Actions)
-  2. SonarCloud checks for security vulnerabilities
+1. CodeQL analysis (via GitHub Actions)
+2. SonarCloud checks for security vulnerabilities
 
 Our security posture is defined in [SECURITY.md](SECURITY.md).
 
@@ -244,9 +245,9 @@ We use modern dependency management practices:
   and environment management
 2. Dependency version locking via uv.lock file
 3. Regular dependency auditing:
-  1. Security auditing via `pip-audit`
-  2. License compliance checks via `pip-licenses`
-  3. SBOM generation via `cyclonedx-py`
+1. Security auditing via `pip-audit`
+2. License compliance checks via `pip-licenses`
+3. SBOM generation via `cyclonedx-py`
 
 Dependency updates are automated via Dependabot and Renovate to ensure we stay
 current with security patches.