tryolabs · bmos · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,8 +10,9 @@ updates:
     schedule:
       interval: monthly
     ignore:
-      - dependency-name: ruff
       - dependency-name: bandit
+      - dependency-name: ruff
+      - dependency-name: ssort
 
   - package-ecosystem: github-actions
     directory: /

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
           - python
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
+      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2
         with:
           disable-sudo: true
           egress-policy: block
@@ -36,15 +36,16 @@ jobs:
             github.com:443
             objects.githubusercontent.com:443
             uploads.github.com:443
+            release-assets.githubusercontent.com
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
-      - uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee
+      - uses: github/codeql-action/init@e12f0178983d466f2f6028f5cc7a6d786fd97f4b
         with:
           languages: ${{ matrix.language }}
 
-      - uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee
+      - uses: github/codeql-action/autobuild@e12f0178983d466f2f6028f5cc7a6d786fd97f4b
 
-      - uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee
+      - uses: github/codeql-action/analyze@e12f0178983d466f2f6028f5cc7a6d786fd97f4b
         with:
           category: /language:${{matrix.language}}
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -13,19 +13,19 @@ on:
 permissions: read-all
 
 jobs:
-  test:
+  pytest:
     name: Pytest testing
 
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         python-version:
-          - '3.9'
           - '3.10'
           - '3.11'
           - '3.12'
           - '3.13'
+          - '3.14'
         os:
           - ubuntu-latest
           - windows-latest
@@ -35,19 +35,19 @@ jobs:
       contents: write
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
+      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2
         with:
           disable-sudo: false
           egress-policy: audit
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
         with:
           python-version: ${{ matrix.python-version }}
           cache: pip
 
-      - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93
+      - uses: install-pinned/uv@3b52ff50f07de12f5ebcdd31d078466611a008a6
 
       - run: uv pip install --system -e .[dev]
 
@@ -57,8 +57,7 @@ jobs:
           path: .pytest_cache
           key: ${{ runner.os }}-pytest-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }}
 
-      - name: Run pytest (with headless support)
-        uses: GabrielBB/xvfb-action@5bcda06da84ba084708898801da79736b88e00a9
+      - uses: GabrielBB/xvfb-action@5bcda06da84ba084708898801da79736b88e00a9
         env:
           COVERAGE_FILE: .coverage.${{ runner.os }}.${{ matrix.python-version }}
         with:
@@ -76,7 +75,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
+      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2
         with:
           disable-sudo: true
           egress-policy: block
@@ -85,14 +84,14 @@ jobs:
             github.com:443
             pypi.org:443
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
         with:
           python-version: '3.13'
           cache: pip
 
-      - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93
+      - uses: install-pinned/uv@3b52ff50f07de12f5ebcdd31d078466611a008a6
 
       - run: uv pip install --system -e .[dev]
 
@@ -114,7 +113,7 @@ jobs:
       security-events: write
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
+      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2
         with:
           disable-sudo: true
           egress-policy: block
@@ -124,14 +123,14 @@ jobs:
             github.com:443
             pypi.org:443
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
         with:
           python-version: '3.13'
           cache: pip
 
-      - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93
+      - uses: install-pinned/uv@3b52ff50f07de12f5ebcdd31d078466611a008a6
 
       - run: uv pip install --system -e .[dev]
 
@@ -145,7 +144,7 @@ jobs:
         run: |
           ruff check --output-format=sarif -o results.sarif .
 
-      - uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee
+      - uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b
         if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-ruff-sarif.outcome)
         with:
           sarif_file: results.sarif
@@ -161,7 +160,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
+      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2
         with:
           disable-sudo: true
           egress-policy: block
@@ -171,14 +170,14 @@ jobs:
             github.com:443
             pypi.org:443
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
         with:
           python-version: '3.13'
           cache: pip
 
-      - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93
+      - uses: install-pinned/uv@3b52ff50f07de12f5ebcdd31d078466611a008a6
 
       - run: uv pip install --system -e .[dev]
 
@@ -201,7 +200,7 @@ jobs:
       security-events: write
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
+      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2
         with:
           disable-sudo: true
           egress-policy: block
@@ -211,22 +210,22 @@ jobs:
             github.com:443
             pypi.org:443
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
         with:
           python-version: '3.13'
           cache: pip
 
-      - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93
+      - uses: install-pinned/uv@3b52ff50f07de12f5ebcdd31d078466611a008a6
 
       - run: uv pip install --system -e .[dev]
 
       - id: run-bandit-sarif
         run: |
           bandit --confidence-level 'medium' --format 'sarif' --output 'results.sarif' --recursive 'requestium'
 
-      - uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee
+      - uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b
         if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-bandit-sarif.outcome)
         with:
           sarif_file: results.sarif
@@ -238,12 +237,12 @@ jobs:
 
   coverage:
     runs-on: ubuntu-latest
-    needs: test
+    needs: pytest
     permissions:
       pull-requests: write
       contents: write
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
+      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2
         with:
           disable-sudo: true
           egress-policy: block
@@ -252,16 +251,16 @@ jobs:
             github.com:443
             img.shields.io:443
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
         with:
           pattern: coverage-*
           merge-multiple: true
 
       - name: Coverage comment
         id: coverage_comment
-        uses: py-cov-action/python-coverage-comment-action@91aaf3b39c7e2331c6bc77767ce017f5160c5f11
+        uses: py-cov-action/python-coverage-comment-action@e623398c19eb3853a5572d4a516e10b15b5cefbc
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           MERGE_COVERAGE_FILES: true
@@ -283,7 +282,7 @@ jobs:
       contents: write
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
+      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2
         with:
           disable-sudo: true
           egress-policy: block
@@ -293,22 +292,22 @@ jobs:
             proxy.golang.org:443
             pypi.org:443
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
         with:
           python-version: '3.13'
           cache: pip
 
-      - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93
+      - uses: install-pinned/uv@3b52ff50f07de12f5ebcdd31d078466611a008a6
 
       - run: uv pip install --system -e .[dev]
 
       - id: cache-pre-commit
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
         with:
           path: .pre-commit-cache
-          key: ${{ runner.os }}-pre-commit-3.13
+          key: ${{ runner.os }}-pre-commit-3.13-${{ hashFiles('.pre-commit-config.yaml') }}
 
       - name: Run pre-commit on all files
         run: |

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
     - repo: https://github.com/pre-commit/pre-commit-hooks
-      rev: 'v5.0.0'
+      rev: 'v6.0.0'
       hooks:
           - id: check-yaml
           - id: check-ast
@@ -13,19 +13,18 @@ repos:
           - id: check-toml
           - id: debug-statements
           - id: mixed-line-ending
-    - repo: https://github.com/asottile/pyupgrade
-      rev: 'v3.19.1'
+    - repo: https://github.com/bwhmather/ssort
+      rev: 0.15.0
       hooks:
-          - id: pyupgrade
-            args: ['--py39-plus']
+          - id: ssort
     - repo: https://github.com/astral-sh/ruff-pre-commit
-      rev: 'v0.11.11'
+      rev: 'v0.14.7'
       hooks:
           - id: ruff
           - id: ruff-format
     - repo: https://github.com/PyCQA/bandit
-      rev: '1.8.3'
+      rev: '1.9.2'
       hooks:
           - id: bandit
             args: ['--confidence-level', 'medium']
-            files: '^requestium'
+            files: '^src'