Completed SHA-pinning of GitHub Actions across all workflows. 0.3.0 pinned release.yml and testpypi.yml; this release also pins ci.yml (actions/checkout, actions/setup-python, codecov/codecov-action) and dco.yml (actions/checkout). Closes the remaining Pinned-Dependencies findings from OpenSSF Scorecard for GitHub-owned and third-party actions.
Added a CodeQL static-analysis workflow (.github/workflows/codeql.yml) running on push, pull request, and a weekly schedule, publishing results to the Security tab. Satisfies the Scorecard SAST check.
Added a Dependabot configuration (.github/dependabot.yml) that keeps GitHub Actions (SHA pins plus their version comments) and Python dev dependencies current, so upstream security fixes surface as pull requests rather than sitting behind frozen hashes. Satisfies the Scorecard Dependency-Update-Tool check.
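Added illustration of the two pieces that make pinning workable together: a `uses:` line pinned to a commit SHA with the version kept as a trailing comment, and the Dependabot entries that move both the SHA and the comment when the action releases a fix. This is example configuration written for this note, not the project's own ci.yml or dependabot.yml; the job layout, the Python version, the install command and the schedule are assumptions, and the 40-zero SHAs are placeholders that must be replaced with the real commit SHA of the action release you intend to run.

```yaml
# .github/workflows/ci.yml (excerpt) -- illustration, not this project's file
name: ci
on: [push, pull_request]
permissions:
  contents: read            # least privilege for the default GITHUB_TOKEN
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Weak: a mutable tag. Whoever can move the tag chooses the code that
      # runs with this job's token and secrets.
      # - uses: actions/checkout@v4
      #
      # Pinned: an immutable commit SHA. The trailing "# vX.Y.Z" comment keeps
      # the version readable and is what Dependabot rewrites on an update.
      # PLACEHOLDER SHAs below: take the real ones from the action's release.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x.y (placeholder)
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5.x.y (placeholder)
        with:
          python-version: "3.12"
      - run: python -m pip install -e ".[dev]" && pytest
---
# .github/dependabot.yml -- illustration, not this project's file
version: 2
updates:
  # Bumps the SHA pins in .github/workflows/*.yml and updates the version
  # comments next to them, so a frozen hash never silently goes stale.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  # Keeps the Python dev dependencies declared in the project metadata current.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
```

A quick local check before merging a Dependabot PR is to compare the SHA in the diff against the commit the named tag resolves to in the action's repository (`git ls-remote --tags` against that repository shows the mapping); a mismatch between the SHA and its version comment is the signal to stop and look.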
release.yml now also signs and attaches the distributions to the GitHub Release. A single build job produces the artifacts; both the PyPI publish job and a new attest-and-attach job consume the SAME dist artifact, so the *.intoto.jsonl Sigstore attestation attached to the GitHub Release is a real attestation of the bytes uploaded to PyPI -- not a separate rebuild made just to satisfy supply-chain scanners.
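The shape of that workflow, as an added illustration rather than the project's actual release.yml: one build job uploads `dist/` as a named artifact, and both downstream jobs download that same artifact, so the subject the attestation is computed over is byte-identical to what is published. The job names, the trigger, the `environment` name and the Python version are assumptions; actions are shown with version tags here for readability, whereas the release described above pins them by SHA.

```yaml
# .github/workflows/release.yml -- illustration, not this project's file
name: release
on:
  release:
    types: [published]        # GITHUB_REF_NAME is the release tag
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4           # SHA-pinned in the real workflow
      - uses: actions/setup-python@v5       # SHA-pinned in the real workflow
        with:
          python-version: "3.12"
      - run: python -m pip install build && python -m build
      # The dist/ produced here is the ONE set of bytes every later job uses.
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi                       # assumed environment name
    permissions:
      id-token: write                       # Trusted Publishing via OIDC, no stored API token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1

  attest-and-attach:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write                       # sign with the workflow's OIDC identity (Sigstore)
      attestations: write                   # record the attestation on the repository
      contents: write                       # upload files to the GitHub Release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # Produces a Sigstore bundle whose subjects are the digests of dist/*.
      # Because this is the same artifact the publish job uploads, the
      # provenance statement covers exactly the bytes that reach PyPI.
      - id: attest
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/*
      - run: gh release upload "$GITHUB_REF_NAME" dist/* "$BUNDLE"
        env:
          GH_TOKEN: ${{ github.token }}
          BUNDLE: ${{ steps.attest.outputs.bundle-path }}
```

The property a consumer can check follows directly from the layout: download the wheel from PyPI, run `gh attestation verify <wheel> --owner <org>`, and the digest in the attestation either matches the downloaded file or the verification fails. With a rebuild-for-attestation design that check is meaningless, because the attested digest never belonged to the published file in the first place.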
Documentation
README: new "Passing values from upstream tasks into your tests" section documenting how to forward XCom values into a test run via per-value templated env (the template goes inside each dict value, not around the whole env), with a DataIngester → parametrize end-to-end example and a note on render_template_as_native_obj.