Comparing changes
base repository: github-community-projects/issue-metrics
base: v4.1.0
head repository: github-community-projects/issue-metrics
compare: v4.1.1
- 14 commits
- 20 files changed
- 5 contributors
Commits on Mar 5, 2026
-
chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b7c566a...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Commit 736ae31
-
Merge pull request #688 from github-community-projects/dependabot/github_actions/actions/upload-artifact-7.0.0
chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
Commit c9c5bcf
-
fix: harden pip install against supply chain attacks (#686)
Resolves code scanning alert #94 (pip install without hash verification).

- Expand requirements.txt via pip-compile to pin all transitive dependencies to exact versions (5 top-level → 17 total packages)
- Add --no-deps to Dockerfile pip install to prevent pip from resolving any packages beyond what is explicitly listed

This follows the approach recommended in the Opengrep rule guidance: 'use pip install --no-deps -r requirements.txt when using pip-compile workflow.'

With all transitive deps pinned and --no-deps preventing runtime dependency resolution, no unvetted packages can be introduced.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Commit d70b1a0
Commits on Mar 10, 2026
-
build: migrate from pip to uv for dependency management (#689)
* build: migrate from pip to uv for dependency management

## What

Replace pip-based dependency management with uv across the entire project: pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt, all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run, and Dockerfile uses uv for production installs.

## Why

uv provides significantly faster dependency resolution and installation, deterministic lockfile-based builds, and a single pyproject.toml as the source of truth for all dependencies. This aligns with the approach already adopted by the contributors and cleanowners repos.

## Notes

- CI matrix expanded to Python 3.11-3.14
- New update-uv-lock.yml workflow handles Dependabot PR lockfile sync
- Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9
- Added .codespellrc to ignore "astroid" (pylint dependency)
- Added .venv to .jscpd.json ignore list

Signed-off-by: jmeridth <jmeridth@gmail.com>

* chore(deps): bump astral-sh/setup-uv from 5.4.1 to 7.3.1

## What

Updated the astral-sh/setup-uv GitHub Action from v5.4.1 (0c5e2b8115b80b4c7c5ddf6ffdd634974642d182) to v7.3.1 (5a095e7a2014a4212f075830d4f7277575a9d098) across all workflow files.

## Why

Aligns with the same dependency bump applied in the contributors repo (PR #420) to keep all github-community-projects repos on a consistent setup-uv version.

## Notes

- This is a major version bump (v5 → v7); review the setup-uv release notes for any breaking changes in action inputs or behavior
- The v7.3.1 release adds support for running in containers like debian:testing/unstable

Signed-off-by: jmeridth <jmeridth@gmail.com>

* build: replace GITHUB_TOKEN with octo-sts token federation in update-uv-lock workflow

## What

Use octo-sts OIDC-federated token instead of GITHUB_TOKEN in the update-uv-lock workflow, with a corresponding trust policy.

## Why

Commits made with GITHUB_TOKEN do not trigger subsequent workflow runs, so Dependabot PRs with uv.lock updates were not getting CI checks on the lockfile commit.

## Notes

- Trust policy scoped to pull_request events with job_workflow_ref matching update-uv-lock.yml
- Requires octo-sts app installed on the org (already present)

Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: ospo-reusable-workflows path

Signed-off-by: jmeridth <jmeridth@gmail.com>

---------

Signed-off-by: jmeridth <jmeridth@gmail.com>
Commit 663e07a
Commits on Mar 12, 2026
-
chore(deps): bump python-dotenv from 1.2.1 to 1.2.2 in the dependencies group (#692)

* chore(deps): bump python-dotenv in the dependencies group

Bumps the dependencies group with 1 update: [python-dotenv](https://github.com/theskumar/python-dotenv).

Updates `python-dotenv` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.2.1...v1.2.2)

---
updated-dependencies:
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): update uv.lock

Signed-off-by: octo-sts[bot] <801323+octo-sts[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: octo-sts[bot] <801323+octo-sts[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: octo-sts[bot] <801323+octo-sts[bot]@users.noreply.github.com>
Commit d58341e
-
chore(deps): bump types-pytz from 2025.2.0.20251108 to 2026.1.1.20260304 (#693)

Bumps [types-pytz](https://github.com/typeshed-internal/stub_uploader) from 2025.2.0.20251108 to 2026.1.1.20260304.
- [Commits](https://github.com/typeshed-internal/stub_uploader/commits)

---
updated-dependencies:
- dependency-name: types-pytz
  dependency-version: 2026.1.1.20260304
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit ebc3f93
-
Commit f5e5243
-
Commit bf44c35
-
Commit 956ba5f
-
fix: pin uv version and add caching to CI workflows (#691)
## What

Pin uv to version 0.10.9 with caching enabled across all setup-uv action usages in CI workflows. Add concurrency groups to CI and linter workflows to cancel in-progress runs on new pushes.

## Why

Unpinned uv versions can cause unexpected CI breakage when new releases introduce breaking changes. Caching speeds up workflow runs. Concurrency cancellation avoids wasting CI resources on outdated pushes.

## Notes

- Mirrors changes from github-community-projects/evergreen#496
- The concurrency block only applies to CI and linter workflows, not to copilot-setup-steps or update-uv-lock workflows

Signed-off-by: jmeridth <jmeridth@gmail.com>
Commit 7752d56
Commits on Mar 13, 2026
-
Commit 16f691f
-
Commit 5f1decb
-
ci: add mark-ready-when-ready workflow (#699)
Automatically marks draft PRs as ready for review once all required checks pass when the 'Mark Ready When Ready' label is applied. Uses kenyonj/mark-ready-when-ready action with the contents:write permission fix.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Commit a1fea06
Commits on Mar 14, 2026
-
fix: add --project flag to uv entrypoint for GitHub Actions compatibility (#700)

Signed-off-by: Jason Meridth <jmeridth@gmail.com>
Signed-off-by: jmeridth <jmeridth@gmail.com>
Commit 6a35322
You can try running this command locally to see the comparison on your machine:
git diff v4.1.0...v4.1.1