From d763fc66797c0e411988681266da312821b38e92 Mon Sep 17 00:00:00 2001
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Mon, 23 Jun 2025 13:04:02 +0300
Subject: [PATCH 01/11] Update dependency's pinning
---
 environment-dev.yaml | 2 +-
 environment.yaml | 2 +-
 mailgun/_version.py | 2 +-
 pyproject.toml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/environment-dev.yaml b/environment-dev.yaml
index 4a4aebc..b16ccb7 100644
--- a/environment-dev.yaml
+++ b/environment-dev.yaml
@@ -10,7 +10,7 @@ dependencies:
 # PyPi only
 - python-build
 # runtime deps
- - requests >=2.32.3
+ - requests >=2.32.4
 # tests
 - conda-forge::pyfakefs
 - coverage >=4.5.4
diff --git a/environment.yaml b/environment.yaml
index 7920db5..747b9d0 100644
--- a/environment.yaml
+++ b/environment.yaml
@@ -7,7 +7,7 @@ dependencies:
 # build & host deps
 - pip
 # runtime deps
- - requests >=2.32.3
+ - requests >=2.32.4
 # tests
 - pytest >=7.0.0
 # other
diff --git a/mailgun/_version.py b/mailgun/_version.py
index d538f87..bb35ee1 100644
--- a/mailgun/_version.py
+++ b/mailgun/_version.py
@@ -1 +1 @@
-__version__ = "1.0.0"
\ No newline at end of file
+__version__ = "1.0.2"
\ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index 6686186..3b0b7f9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -38,7 +38,7 @@ license = {text = "Apache-2.0"}
 readme = "README.md"
 requires-python = ">=3.9"
-dependencies = ["requests>=2.32.3"]
+dependencies = ["requests>=2.32.4"]
 keywords = [
 "Python SDK for Mailgun",
From bfd64c1c1c5d3cee824801b92673b31c829d9383 Mon Sep 17 00:00:00 2001
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Mon, 23 Jun 2025 13:05:52 +0300
Subject: [PATCH 02/11] Update pre-commit hooks
---
 .pre-commit-config.yaml | 18 +++++++++----------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ec59f12..60cb5d8 100644
--- a/.pre-commit-config.yaml
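Review bot: `requests>=2.32.4` is a lower bound, not a pin, so the "pinning" wording in the subject overstates what the pyproject.toml hunk does: an already-resolved environment keeps whatever requests it has, and a fresh install still floats to the newest release. For a library a floor is the right choice, so the constraint itself is fine; I would word the change as raising the minimum and, if reproducible dev/CI environments are the goal, add a lock file rather than relying on `>=` in the two environment*.yaml files. The same commit also moves `__version__` from 1.0.0 to 1.0.2; keeping release bumps out of dependency commits makes the history easier to audit.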
+++ b/.pre-commit-config.yaml
@@ -67,7 +67,7 @@ repos:
 exclude: ^tests
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.33.0
+ rev: 0.33.1
 hooks:
 - id: check-github-workflows
@@ -93,7 +93,7 @@ repos:
 - --ignore-init-module-imports
 - repo: https://github.com/pycqa/flake8
- rev: 7.2.0
+ rev: 7.3.0
 hooks:
 - id: flake8
 additional_dependencies:
@@ -104,21 +104,21 @@ repos:
 exclude: ^tests
 - repo: https://github.com/PyCQA/pylint
- rev: v3.3.6
+ rev: v3.3.7
 hooks:
 - id: pylint
 args:
 - --exit-zero
 - repo: https://github.com/asottile/pyupgrade
- rev: v3.19.1
+ rev: v3.20.0
 hooks:
 - id: pyupgrade
 args: [--py39-plus, --keep-runtime-typing]
 - repo: https://github.com/charliermarsh/ruff-pre-commit
 # Ruff version.
- rev: v0.11.6
+ rev: v0.12.0
 hooks:
 # Run the linter.
 - id: ruff
@@ -133,7 +133,7 @@ repos:
 # language_version: python3.13
 - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v1.15.0
+ rev: v1.16.1
 hooks:
 - id: mypy
 args:
@@ -143,12 +143,12 @@ repos:
 exclude: ^mailgun/examples/
 - repo: https://github.com/RobertCraigie/pyright-python
- rev: v1.1.399
+ rev: v1.1.402
 hooks:
 - id: pyright
 - repo: https://github.com/PyCQA/bandit
- rev: 1.8.3
+ rev: 1.8.5
 hooks:
 - id: bandit
 args: ["-c", "pyproject.toml", "-r", "."]
@@ -157,7 +157,7 @@ repos:
 additional_dependencies: [".[toml]"]
 - repo: https://github.com/crate-ci/typos
- rev: v1.31.1
+ rev: v1.33.1
 hooks:
 - id: typos
From 6db1a12ffe9f6b2eb537cf8c2e575b0847f518ca Mon Sep 17 00:00:00 2001
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Mon, 23 Jun 2025 13:39:22 +0300
Subject: [PATCH 03/11] Pin workflows' actions to specific hashes with versions in comments
---
 .github/workflows/commit_checks.yaml | 10 +++++-----
 .github/workflows/issue-triage.yml | 2 +-
 .github/workflows/pr_validation.yml | 4 ++--
 .github/workflows/publish.yml | 8 ++++----
 4 files changed, 12 insertions(+), 12 deletions(-)
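Review bot: Every new `rev:` in this file is still a mutable tag (`0.33.1`, `7.3.0`, `v0.12.0`, `1.8.5`, …) while PATCH 03 in the same series moves the workflow actions to commit SHAs, so the hook repositories remain the one place where a retagged upstream can change what runs on contributors' machines and inside the `pre-commit/action` CI job. pre-commit accepts a full commit hash in `rev`, e.g. `rev: <sha>  # 1.8.5`, which would make the two pinning policies consistent. Bear in mind that `pre-commit autoupdate` writes tags, not hashes, so this only sticks if updates are driven by a tool or a documented procedure that keeps the hash and the version comment together.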
diff --git a/.github/workflows/commit_checks.yaml b/.github/workflows/commit_checks.yaml
index d124041..0bffd89 100644
--- a/.github/workflows/commit_checks.yaml
+++ b/.github/workflows/commit_checks.yaml
@@ -11,11 +11,11 @@ jobs:
 pre-commit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: '3.12' # Specify a Python version explicitly
- - uses: pre-commit/action@v3.0.1
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 test:
 name: test py${{ matrix.python-version }} on ${{ matrix.os }}
@@ -32,11 +32,11 @@ jobs:
 APIKEY: ${{ secrets.APIKEY }}
 DOMAIN: ${{ secrets.DOMAIN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0 # Required for setuptools-scm
- - uses: conda-incubator/setup-miniconda@v3
+ - uses: conda-incubator/setup-miniconda@835234971496cad1653abb28a638a281cf32541f # v3.2.0
 with:
 python-version: ${{ matrix.python-version }}
 channels: defaults
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index e500793..3ad6350 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -11,7 +11,7 @@ jobs:
 issues: write
 steps:
 - name: Initial triage
- uses: actions/github-script@v6
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/pr_validation.yml b/.github/workflows/pr_validation.yml
index 6af3996..fe7b841 100644
--- a/.github/workflows/pr_validation.yml
+++ b/.github/workflows/pr_validation.yml
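Review bot: The SHA pins in commit_checks.yaml only stay meaningful if something keeps the hash and the trailing `# vX.Y.Z` comment moving together; without an updater the pins silently age, and a reviewer cannot tell from this diff that `11bd7190…` really is v4.2.2. If the repository does not already have one, a `.github/dependabot.yml` entry for the `github-actions` ecosystem keeps hash and comment in sync; otherwise add a comment above the first `uses:` saying how the pins are verified and refreshed. `pre-commit/action` was already at an exact tag, so that pin is a pure hardening change with no version movement.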
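Review bot: The issue-triage.yml hunk does more than pin: `actions/github-script` goes from `@v6` to the v7.0.1 commit, a major-version upgrade hidden under a commit titled as a hash pin, and the inline `script:` that depends on it lies outside the hunk, so nothing here shows it was re-run against v7. Either pin to the current v6 commit in this commit and bump to v7 separately, or at least make the jump visible in the comment, `# v7.0.1 (upgraded from v6)`, and say in the commit message that the triage script was exercised on a test issue after the change.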
@@ -8,12 +8,12 @@ jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: '3.12'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index dc78775..4cfb47b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -14,12 +14,12 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: '3.12'
@@ -64,7 +64,7 @@ jobs:
 # Always publish to TestPyPI for all tags and releases
 - name: Publish to TestPyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@7f25271a4aa483500f742f9492b2ab5648d61011 # v1.12.4
 with:
 repository-url: https://test.pypi.org/legacy/
 password: ${{ secrets.TEST_PYPI_API_TOKEN }}
@@ -75,7 +75,7 @@ jobs:
 - name: Publish to PyPI
 # TODO: Enable '&& env.IS_STABLE == 'true' only publish to PyPI for stable GitHub releases (no RC/alpha/beta)
 if: github.event_name == 'release' #&& env.IS_STABLE == 'true'
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@7f25271a4aa483500f742f9492b2ab5648d61011 # v1.12.4
 with:
 user: __token__
 password: ${{ secrets.PYPI_API_TOKEN }}
From 7fe5dfa67394295923d86153bf2bf9067bdad5e2 Mon Sep 17 00:00:00 2001
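Review bot: The `Publish to PyPI` step still authenticates with a long-lived `PYPI_API_TOKEN` (and the TestPyPI step with `TEST_PYPI_API_TOKEN`), so pinning the action narrows but does not remove the exposure: any code that runs in this job can read the token from the step input and publish outside the workflow. `pypa/gh-action-pypi-publish` supports PyPI trusted publishing, where the job declares `permissions: id-token: write`, the `user:`/`password:` inputs go away and the credential is a short-lived token minted for this repository and workflow; that is worth a follow-up and would also let the secrets be deleted. The TestPyPI step's comment says it runs for "all tags and releases", but the `workflow_dispatch` trigger also reaches it, which the comment should mention. The enclosing `publish` job starts before these hunks.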
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Mon, 23 Jun 2025 14:13:59 +0300
Subject: [PATCH 04/11] Add initial read permissoins to workflows
---
 .github/workflows/commit_checks.yaml | 3 +++
 .github/workflows/issue-triage.yml | 3 +++
 .github/workflows/pr_validation.yml | 3 +++
 .github/workflows/publish.yml | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/.github/workflows/commit_checks.yaml b/.github/workflows/commit_checks.yaml
index 0bffd89..0260c4e 100644
--- a/.github/workflows/commit_checks.yaml
+++ b/.github/workflows/commit_checks.yaml
@@ -7,6 +7,9 @@ on:
 - main
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 pre-commit:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index 3ad6350..d2f0460 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [opened, labeled, unlabeled, reopened]
+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr_validation.yml b/.github/workflows/pr_validation.yml
index fe7b841..025e2b6 100644
--- a/.github/workflows/pr_validation.yml
+++ b/.github/workflows/pr_validation.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 validate:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4cfb47b..d7d0da2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,6 +7,9 @@ on:
 types: [published] # Triggers when a GitHub release is published
 workflow_dispatch: # Manual trigger
+permissions:
+ contents: read
+
 jobs:
 publish:
 runs-on: ubuntu-latest
From 484ee06f4a8e9ccc63dfd0b9e47525335d875308 Mon Sep 17 00:00:00 2001
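Review bot: In issue-triage.yml and publish.yml the new workflow-level `contents: read` sits above jobs that already declare their own `permissions:` (`issues: write` in the triage job and `contents: read` in the publish job, visible as context in PATCH 03), and a job-level block replaces the workflow-level one rather than merging with it. That leaves the triage job with `issues: write` only, which is the correct least-privilege set since it never checks out code, but the interplay is easy to misread and someone may later "fix" it by widening the job block. A one-line comment above each new block, `# default for jobs without their own permissions: (a job-level block replaces this)`, would make the intent explicit. In commit_checks.yaml and pr_validation.yml the new block is the only one and applies to every job as intended.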
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Mon, 23 Jun 2025 14:34:11 +0300
Subject: [PATCH 05/11] Add security policy
---
 SECURITY.md | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..367381b
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,82 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | ------------------ |
+| 1.x.x | :white_check_mark: |
+| < 1.0.0 | :x: |
+
+# Vulnerability Disclosure
+
+If you think you have found a potential security vulnerability in
+mailgun, please open a [draft Security Advisory](https://github.com/mailgun/mailgun-python/security/advisories/new)
+via GitHub. We will coordinate verification and next steps through
+that secure medium.
+
+If English is not your first language, please try to describe the
+problem and its impact to the best of your ability. For greater detail,
+please use your native language and we will try our best to translate it
+using online services.
+
+Please also include the code you used to find the problem and the
+shortest amount of code necessary to reproduce it.
+
+Please do not disclose this to anyone else. We will retrieve a CVE
+identifier if necessary and give you full credit under whatever name or
+alias you provide. We will only request an identifier when we have a fix
+and can publish it in a release.
+
+We will respect your privacy and will only publicize your involvement if
+you grant us permission.
+
+## Process
+
+This following information discusses the process the project
+follows in response to vulnerability disclosures. If you are disclosing
+a vulnerability, this section of the documentation lets you know how we
+will respond to your disclosure.
+
+### Timeline
+
+When you report an issue, one of the project members will respond to you
+within five days *at the outside*. In most cases responses will be
+faster, usually within 48 hours. This initial response will at the very
+least confirm receipt of the report.
+
+If we were able to rapidly reproduce the issue, the initial response
+will also contain confirmation of the issue. If we are not, we will
+often ask for more information about the reproduction scenario.
+
+Our goal is to have a fix for any vulnerability released within two
+weeks of the initial disclosure. This may potentially involve shipping
+an interim release that simply disables function while a more mature fix
+can be prepared, but will in the vast majority of cases mean shipping a
+complete release as soon as possible.
+
+Throughout the fix process we will keep you up to speed with how the fix
+is progressing. Once the fix is prepared, we will notify you that we
+believe we have a fix. Often we will ask you to confirm the fix resolves
+the problem in your environment, especially if we are not confident of
+our reproduction scenario.
+
+At this point, we will prepare for the release. We will obtain a CVE
+number if one is required, providing you with full credit for the
+discovery. We will also decide on a planned release date, and let you
+know when it is. This release date will *always* be on a weekday.
+
+At this point we will reach out to our major downstream packagers to
+notify them of an impending security-related patch so they can make
+arrangements. In addition, these packagers will be provided with the
+intended patch ahead of time, to ensure that they are able to promptly
+release their downstream packages.
+
+On release day, we will push the patch to our public repository, along
+with an updated changelog that describes the issue and credits you. We
+will then issue a PyPI release containing the patch.
+
+At this point, we will publicise the release.
+
+We will also explicitly mention which commits contain the fix to make it
+easier for other distributors and users to easily patch their own
+versions of mailgun if upgrading is not an option.
From 6cebc9e9bc39558598b357114dc6b270f6e9b44c Mon Sep 17 00:00:00 2001
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Tue, 24 Jun 2025 12:19:11 +0300
Subject: [PATCH 06/11] Update changelog, minor clean up in README
---
 CHANGELOG.md | 15 +++++++++++++++
 README.md | 1 -
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8c72d41..6463b7f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,21 @@ We [keep a changelog.](http://keepachangelog.com/)
 ## [Unreleased]
+## [1.0.2] - 2025-06-24
+
+### Changed
+
+- ci: Use permissions: contents: read in all CI workflow files explicitly
+- ci: Use commit hashes to ensure reproducible builds
+- ci: Update pre-commit hooks to the latest versions
+- docs: Minor clean up in README.md
+- docs: Add the Security Policy file SECURITY.md
+- build: Update dependency pinning: requests>=2.32.4
+
+### Pull Requests Merged
+
+- [PR_11](https://github.com/mailgun/mailgun-python/pull/11) - Fix package name
+
 ## [1.0.1] - 2025-05-27
 ### Changed
diff --git a/README.md b/README.md
index 62f70fd..389d970 100644
--- a/README.md
+++ b/README.md
@@ -250,7 +250,6 @@ Pass the components of the messages such as To, From, Subject, HTML and text par
 ```python
 import os
-from pathlib import Path
 from mailgun.client import Client
 key: str = os.environ["APIKEY"]
From c07eeb6788b25e05c7e36699812d61fef65901e3 Mon Sep 17 00:00:00 2001
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Tue, 24 Jun 2025 12:22:29 +0300
Subject: [PATCH 07/11] Update changelog
---
 CHANGELOG.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6463b7f..9b12513 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,7 +17,7 @@ We [keep a changelog.](http://keepachangelog.com/)
 ### Pull Requests Merged
-- [PR_11](https://github.com/mailgun/mailgun-python/pull/11) - Fix package name
+- [PR_13](https://github.com/mailgun/mailgun-python/pull/13) - Improve CI workflows & packaging
 ## [1.0.1] - 2025-05-27
@@ -48,4 +48,5 @@ We [keep a changelog.](http://keepachangelog.com/)
 [1.0.0]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.0
 [1.0.1]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.1
-[unreleased]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.1...HEAD
+[1.0.2]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.2
+[unreleased]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.2...HEAD
From 1b46878d6ad1683a48717b59e57361e96a35b117 Mon Sep 17 00:00:00 2001
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Tue, 24 Jun 2025 12:30:47 +0300
Subject: [PATCH 08/11] Bump version to v1.0.2rc1
---
 CHANGELOG.md | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b12513..50cda4d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,16 +8,19 @@ We [keep a changelog.](http://keepachangelog.com/)
 ### Changed
-- ci: Use permissions: contents: read in all CI workflow files explicitly
-- ci: Use commit hashes to ensure reproducible builds
-- ci: Update pre-commit hooks to the latest versions
 - docs: Minor clean up in README.md
+- ci: Update pre-commit hooks to the latest versions
+
+### Security
+
 - docs: Add the Security Policy file SECURITY.md
+- ci: Use permissions: contents: read in all CI workflow files explicitly
+- ci: Use commit hashes to ensure reproducible builds
 - build: Update dependency pinning: requests>=2.32.4
 ### Pull Requests Merged
-- [PR_13](https://github.com/mailgun/mailgun-python/pull/13) - Improve CI workflows & packaging
+- [PR_13](https://github.com/mailgun/mailgun-python/pull/13) - Release v1.0.2: Improve CI workflows & packaging
 ## [1.0.1] - 2025-05-27
From 4218a080edd3bc729cf185c8ded9fcec4526285c Mon Sep 17 00:00:00 2001
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Tue, 24 Jun 2025 13:01:55 +0300
Subject: [PATCH 09/11] Bump version to v1.0.2rc1
---
 mailgun/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mailgun/_version.py b/mailgun/_version.py
index bb35ee1..c3392f2 100644
--- a/mailgun/_version.py
+++ b/mailgun/_version.py
@@ -1 +1 @@
-__version__ = "1.0.2"
\ No newline at end of file
+__version__ = "1.0.2rc1"
\ No newline at end of file
From b9b6a016b951d5d9d06700a7fde61446d232c514 Mon Sep 17 00:00:00 2001
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Tue, 24 Jun 2025 13:12:00 +0300
Subject: [PATCH 10/11] ci: Use release branch for PyPI
---
 .github/workflows/publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d7d0da2..5cf8869 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -67,7 +67,7 @@ jobs:
 # Always publish to TestPyPI for all tags and releases
 - name: Publish to TestPyPI
- uses: pypa/gh-action-pypi-publish@7f25271a4aa483500f742f9492b2ab5648d61011 # v1.12.4
+ uses: pypa/gh-action-pypi-publish@release/v1
 with:
 repository-url: https://test.pypi.org/legacy/
 password: ${{ secrets.TEST_PYPI_API_TOKEN }}
@@ -78,7 +78,7 @@ jobs:
 - name: Publish to PyPI
 # TODO: Enable '&& env.IS_STABLE == 'true' only publish to PyPI for stable GitHub releases (no RC/alpha/beta)
 if: github.event_name == 'release' #&& env.IS_STABLE == 'true'
- uses: pypa/gh-action-pypi-publish@7f25271a4aa483500f742f9492b2ab5648d61011 # v1.12.4
+ uses: pypa/gh-action-pypi-publish@release/v1
 with:
 user: __token__
 password: ${{ secrets.PYPI_API_TOKEN }}
From b626f6756abff0553b3d272cee8663e2cc8215bf Mon Sep 17 00:00:00 2001
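Review bot: PATCH 10 moves both publish steps back from the v1.12.4 commit to `@release/v1`, a mutable branch, in exactly the workflow that holds `TEST_PYPI_API_TOKEN` and `PYPI_API_TOKEN`, so the series ends with its most sensitive job being the least pinned; anything that lands on that branch runs with publish credentials. The CHANGELOG entry added earlier in this series ("Use commit hashes to ensure reproducible builds") is no longer accurate for publish.yml and should be qualified. If the revert was made because the SHA-pinned ref makes the action build its container from source instead of using the prebuilt image, that is a speed cost and the usual trade-off for a release pipeline; if it must stay unpinned, record the reason inline, `uses: pypa/gh-action-pypi-publish@release/v1  # NOTE: deliberately unpinned because <reason>`, so the next reader does not re-pin or re-revert it blindly. Switching these steps to trusted publishing (`id-token: write`, no stored API token) would also bound what an unpinned action could exfiltrate. The enclosing `publish` job starts before these hunks.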
From: Serhii Kupriienko <61395455+skupriienko@users.noreply.github.com>
Date: Tue, 24 Jun 2025 13:22:47 +0300
Subject: [PATCH 11/11] Bump version to v1.0.2
---
 mailgun/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mailgun/_version.py b/mailgun/_version.py
index c3392f2..bb35ee1 100644
--- a/mailgun/_version.py
+++ b/mailgun/_version.py
@@ -1 +1 @@
-__version__ = "1.0.2rc1"
\ No newline at end of file
+__version__ = "1.0.2"
\ No newline at end of file