Release v1.0.2

.github/workflows/commit_checks.yaml

@@ -7,15 +7,18 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.12'  # Specify a Python version explicitly
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 
   test:
     name: test py${{ matrix.python-version }} on ${{ matrix.os }}
@@ -32,11 +35,11 @@ jobs:
       APIKEY: ${{ secrets.APIKEY }}
       DOMAIN: ${{ secrets.DOMAIN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0  # Required for setuptools-scm
 
-      - uses: conda-incubator/setup-miniconda@v3
+      - uses: conda-incubator/setup-miniconda@835234971496cad1653abb28a638a281cf32541f # v3.2.0
         with:
           python-version: ${{ matrix.python-version }}
           channels: defaults

.github/workflows/issue-triage.yml

@@ -4,14 +4,17 @@ on:
   issues:
     types: [opened, labeled, unlabeled, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   triage:
     runs-on: ubuntu-latest
     permissions:
       issues: write
     steps:
       - name: Initial triage
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/pr_validation.yml

@@ -4,16 +4,19 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.12'
 

.github/workflows/publish.yml

@@ -7,19 +7,22 @@ on:
     types: [published]  # Triggers when a GitHub release is published
   workflow_dispatch:  # Manual trigger
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
     permissions:
       contents: read
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.12'
 

.pre-commit-config.yaml

@@ -67,7 +67,7 @@ repos:
         exclude: ^tests
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.33.0
+    rev: 0.33.1
     hooks:
       - id: check-github-workflows
 
@@ -93,7 +93,7 @@ repos:
           - --ignore-init-module-imports
 
   - repo: https://github.com/pycqa/flake8
-    rev: 7.2.0
+    rev: 7.3.0
     hooks:
     -   id: flake8
         additional_dependencies:
@@ -104,21 +104,21 @@ repos:
         exclude: ^tests
 
   - repo: https://github.com/PyCQA/pylint
-    rev: v3.3.6
+    rev: v3.3.7
     hooks:
       - id: pylint
         args:
           - --exit-zero
 
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.19.1
+    rev: v3.20.0
     hooks:
       - id: pyupgrade
         args: [--py39-plus, --keep-runtime-typing]
 
   - repo: https://github.com/charliermarsh/ruff-pre-commit
     # Ruff version.
-    rev: v0.11.6
+    rev: v0.12.0
     hooks:
       # Run the linter.
       - id: ruff
@@ -133,7 +133,7 @@ repos:
 #          language_version: python3.13
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.15.0
+    rev: v1.16.1
     hooks:
     -   id: mypy
         args:
@@ -143,12 +143,12 @@ repos:
         exclude: ^mailgun/examples/
 
   - repo: https://github.com/RobertCraigie/pyright-python
-    rev: v1.1.399
+    rev: v1.1.402
     hooks:
     - id: pyright
 
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.8.3
+    rev: 1.8.5
     hooks:
       - id: bandit
         args: ["-c", "pyproject.toml", "-r", "."]
@@ -157,7 +157,7 @@ repos:
         additional_dependencies: [".[toml]"]
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.31.1
+    rev: v1.33.1
     hooks:
       - id: typos
 

CHANGELOG.md

@@ -4,6 +4,24 @@ We [keep a changelog.](http://keepachangelog.com/)
 
 ## [Unreleased]
 
+## [1.0.2] - 2025-06-24
+
+### Changed
+
+- docs: Minor clean up in README.md
+- ci: Update pre-commit hooks to the latest versions
+
+### Security
+
+- docs: Add the Security Policy file SECURITY.md
+- ci: Use permissions: contents: read in all CI workflow files explicitly
+- ci: Use commit hashes to ensure reproducible builds
+- build: Update dependency pinning: requests>=2.32.4
+
+### Pull Requests Merged
+
+- [PR_13](https://github.com/mailgun/mailgun-python/pull/13) - Release v1.0.2: Improve CI workflows & packaging
+
 ## [1.0.1] - 2025-05-27
 
 ### Changed
@@ -33,4 +51,5 @@ We [keep a changelog.](http://keepachangelog.com/)
 
 [1.0.0]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.0
 [1.0.1]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.1
-[unreleased]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.1...HEAD
+[1.0.2]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.2
+[unreleased]: https://github.com/mailgun/mailgun-python/releases/tag/v1.0.2...HEAD

README.md

@@ -250,7 +250,6 @@ Pass the components of the messages such as To, From, Subject, HTML and text par
 
 ```python
 import os
-from pathlib import Path
 from mailgun.client import Client
 
 key: str = os.environ["APIKEY"]

SECURITY.md

@@ -0,0 +1,82 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0.0 | :x:                |
+
+# Vulnerability Disclosure
+
+If you think you have found a potential security vulnerability in
+mailgun, please open a [draft Security Advisory](https://github.com/mailgun/mailgun-python/security/advisories/new)
+via GitHub. We will coordinate verification and next steps through
+that secure medium.
+
+If English is not your first language, please try to describe the
+problem and its impact to the best of your ability. For greater detail,
+please use your native language and we will try our best to translate it
+using online services.
+
+Please also include the code you used to find the problem and the
+shortest amount of code necessary to reproduce it.
+
+Please do not disclose this to anyone else. We will retrieve a CVE
+identifier if necessary and give you full credit under whatever name or
+alias you provide. We will only request an identifier when we have a fix
+and can publish it in a release.
+
+We will respect your privacy and will only publicize your involvement if
+you grant us permission.
+
+## Process
+
+This following information discusses the process the project
+follows in response to vulnerability disclosures. If you are disclosing
+a vulnerability, this section of the documentation lets you know how we
+will respond to your disclosure.
+
+### Timeline
+
+When you report an issue, one of the project members will respond to you
+within five days *at the outside*. In most cases responses will be
+faster, usually within 48 hours. This initial response will at the very
+least confirm receipt of the report.
+
+If we were able to rapidly reproduce the issue, the initial response
+will also contain confirmation of the issue. If we are not, we will
+often ask for more information about the reproduction scenario.
+
+Our goal is to have a fix for any vulnerability released within two
+weeks of the initial disclosure. This may potentially involve shipping
+an interim release that simply disables function while a more mature fix
+can be prepared, but will in the vast majority of cases mean shipping a
+complete release as soon as possible.
+
+Throughout the fix process we will keep you up to speed with how the fix
+is progressing. Once the fix is prepared, we will notify you that we
+believe we have a fix. Often we will ask you to confirm the fix resolves
+the problem in your environment, especially if we are not confident of
+our reproduction scenario.
+
+At this point, we will prepare for the release. We will obtain a CVE
+number if one is required, providing you with full credit for the
+discovery. We will also decide on a planned release date, and let you
+know when it is. This release date will *always* be on a weekday.
+
+At this point we will reach out to our major downstream packagers to
+notify them of an impending security-related patch so they can make
+arrangements. In addition, these packagers will be provided with the
+intended patch ahead of time, to ensure that they are able to promptly
+release their downstream packages.
+
+On release day, we will push the patch to our public repository, along
+with an updated changelog that describes the issue and credits you. We
+will then issue a PyPI release containing the patch.
+
+At this point, we will publicise the release.
+
+We will also explicitly mention which commits contain the fix to make it
+easier for other distributors and users to easily patch their own
+versions of mailgun if upgrading is not an option.

environment-dev.yaml

@@ -10,7 +10,7 @@ dependencies:
   # PyPi only
   - python-build
   # runtime deps
-  - requests >=2.32.3
+  - requests >=2.32.4
   # tests
   - conda-forge::pyfakefs
   - coverage >=4.5.4

environment.yaml

@@ -7,7 +7,7 @@ dependencies:
   # build & host deps
   - pip
   # runtime deps
-  - requests >=2.32.3
+  - requests >=2.32.4
   # tests
   - pytest >=7.0.0
   # other

mailgun/_version.py

@@ -1 +1 @@
-__version__ = "1.0.0"
+__version__ = "1.0.2"

pyproject.toml

@@ -38,7 +38,7 @@ license = {text = "Apache-2.0"}
 readme = "README.md"
 requires-python = ">=3.9"
 
-dependencies = ["requests>=2.32.3"]
+dependencies = ["requests>=2.32.4"]
 
 keywords = [
         "Python SDK for Mailgun",