From dda086ddcd347c667b3b93fe17bf9d35d081a01f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Sep 2025 22:11:13 +0000 Subject: [PATCH 1/2] chore(deps): bump pip from 24.3.1 to 25.2 in /.github/pip Bumps [pip](https://github.com/pypa/pip) from 24.3.1 to 25.2. - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/pip/compare/24.3.1...25.2) --- updated-dependencies: - dependency-name: pip dependency-version: '25.2' dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- .github/pip/pip-tools-requirements.in | 2 +- .github/pip/pip-tools-requirements.txt | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/pip/pip-tools-requirements.in b/.github/pip/pip-tools-requirements.in index 56ee916..bd090cc 100644 --- a/.github/pip/pip-tools-requirements.in +++ b/.github/pip/pip-tools-requirements.in @@ -4,4 +4,4 @@ pip-tools==7.4.1 setuptools>=78.1.1 -pip<25 # pip 25.1 has compatibility issues with pip-tools on Python 3.13 +pip<26 # pip 25.1 has compatibility issues with pip-tools on Python 3.13 diff --git a/.github/pip/pip-tools-requirements.txt b/.github/pip/pip-tools-requirements.txt index a4c2d21..2295eaa 100644 --- a/.github/pip/pip-tools-requirements.txt +++ b/.github/pip/pip-tools-requirements.txt @@ -32,9 +32,9 @@ wheel==0.45.1 \ # via pip-tools # The following packages are considered to be unsafe in a requirements file: -pip==24.3.1 \ - --hash=sha256:3790624780082365f47549d032f3770eeb2b1e8bd1f7b2e02dace1afa361b4ed \ - --hash=sha256:ebcb60557f2aefabc2e0f918751cd24ea0d56d8ec5445fe1807f1d2109660b99 +pip==25.2 \ + --hash=sha256:578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2 \ + --hash=sha256:6d67a2b4e7f14d8b31b8b52648866fa717f45a1eb70e83002f4331d07e953717 # via # -r pip-tools-requirements.in # pip-tools From 96b2352b67e6c51c812e08bf9e16ede11ba76654 Mon Sep 17 00:00:00 2001 
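Review bot: In the `.in` hunk the relaxed constraint `pip<26` now admits pip 25.1, which the comment kept on the same line still describes as incompatible with pip-tools on Python 3.13, so the line contradicts itself. If 25.1 is still considered broken the constraint should exclude it, `pip<26,!=25.1`; if 25.2 resolved the problem the comment should say so instead, e.g. `# pip 25.1 had compatibility issues with pip-tools on Python 3.13; fixed in 25.2`. The hash-pinned `.txt` hunk is consistent with the bump and needs no change.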
From: mrz1836 Date: Fri, 26 Sep 2025 10:56:29 -0400 Subject: [PATCH 2/2] ci: add OSS Index auth and update Nancy version Add OSS Index username and token secrets to support authenticated Nancy scans, reducing rate limits and improving vulnerability report accuracy. Update Nancy version from 1.0.51 to 1.0.52 to use the latest fixes and features. Modify workflow files to pass OSS Index authentication environment variables to the Nancy GitHub Action. --- .github/.env.shared | 2 +- .github/workflows/fortress-security-scans.yml | 9 +++++++++ .github/workflows/fortress.yml | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/.env.shared b/.github/.env.shared index f1e541b..ee7881f 100644 --- a/.github/.env.shared +++ b/.github/.env.shared @@ -59,7 +59,7 @@ GITLEAKS_VERSION=8.27.2 # Version of gitleaks to insta GORELEASER_VERSION=v2.11.0 # Version of goreleaser to install and use (vX.Y.Z) (https://github.com/goreleaser/goreleaser) GOVULNCHECK_VERSION=v1.1.4 # Version of govulncheck to use for Go vuln scanning (vX.Y.Z) (https://pkg.go.dev/golang.org/x/vuln) NANCY_EXCLUDES=CVE-2024-38513,CVE-2022-21698,CVE-2023-45142 # Known acceptable CVEs (cve,cve2,...) -NANCY_VERSION=v1.0.51 # Version of nancy to install and use (vX.Y.Z) (https://github.com/sonatype-nexus-community/nancy) +NANCY_VERSION=v1.0.52 # Version of nancy to install and use (vX.Y.Z) (https://github.com/sonatype-nexus-community/nancy) NODE_VERSION=20 # Node.js version for prettier and other tools (major version) PRETTIER_VERSION=3.6.2 # Version of prettier to use for YAML validation (X.Y.Z) (https://www.npmjs.com/package/prettier) diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml index 040bb10..053ff19 100644 --- a/.github/workflows/fortress-security-scans.yml +++ b/.github/workflows/fortress-security-scans.yml 
@@ -47,6 +47,12 @@ on: gitleaks-license: description: "Gitleaks license key" required: false + ossi-username: + description: "OSS Index username for Nancy authentication" + required: false + ossi-token: + description: "OSS Index token for Nancy authentication" + required: false permissions: contents: read @@ -110,6 +116,9 @@ jobs: - name: 🔍 Ask Nancy uses: sonatype-nexus-community/nancy-github-action@726e338312e68ecdd4b4195765f174d3b3ce1533 # v1.0.3 continue-on-error: false + env: # Authentication for OSS Index (recommended) + OSSI_USERNAME: ${{ secrets.ossi-username }} + OSSI_TOKEN: ${{ secrets.ossi-token }} with: githubToken: ${{ secrets.github-token }} # ← prevents rate-limit 403 nancyVersion: ${{ env.NANCY_VERSION }} diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml index 912bd80..69ab1ec 100644 --- a/.github/workflows/fortress.yml +++ b/.github/workflows/fortress.yml @@ -163,6 +163,8 @@ jobs: secrets: github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }} gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }} + ossi-username: ${{ secrets.OSSI_USERNAME }} + ossi-token: ${{ secrets.OSSI_TOKEN }} # ---------------------------------------------------------------------------------- # Code Quality Checks # ----------------------------------------------------------------------------------
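Review bot: In the second hunk of fortress-security-scans.yml the `env:` block on the Ask Nancy step always exports `OSSI_USERNAME` and `OSSI_TOKEN`, so a caller that omits the optional `ossi-username`/`ossi-token` secrets runs nancy with both variables set to the empty string rather than unset. Whether nancy then falls back to anonymous queries or attempts and fails authentication is not visible here; it is worth one run of the workflow with the secrets absent before relying on `required: false`. The first hunk's descriptions could also record that the two secrets only work as a pair, e.g. `description: "OSS Index username for Nancy authentication (set together with ossi-token)"`. Both hunks sit inside `on:` and `jobs:` mappings that begin and end outside the hunk.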