diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 423d4b3f..e91d6109 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 allow: - dependency-type: 'all' versioning-strategy: 'auto' @@ -21,6 +23,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: ## prefix maximum string length of 15 diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 46e29b82..c32a4c52 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -34,6 +34,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -58,6 +60,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -82,6 +86,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -106,6 +112,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -142,6 +150,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -192,6 +202,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment @@ -270,6 +282,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6215ce44..52f265cc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,6 +49,8 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -71,6 +73,8 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -106,18 +110,19 @@ jobs: - name: Generate GitHub App Token id: release-bot-token # see https://github.com/actions/create-github-app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 with: # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases app-id: 3335294 private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }} - name: Get GitHub App User ID id: release-bot-user-id - run: | - set -xeu - echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" env: + APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }} GH_TOKEN: ${{ steps.release-bot-token.outputs.token }} + run: | + set -xeu + echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - name: Checkout code # see https://github.com/actions/checkout @@ -125,6 +130,7 @@ jobs: with: fetch-depth: 0 token: ${{ steps.release-bot-token.outputs.token }} + persist-credentials: false - name: Setup python # see https://github.com/actions/setup-python diff --git a/CHANGELOG.md b/CHANGELOG.md index 86d6a872..0e19c498 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,28 @@ +## v11.7.1-alpha.1 (2026-05-04) + +### Bug Fixes + +- Add persist-credentials: false to release job checkout + ([`1a8dae3`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1a8dae399dd97c4829cdd04657b4b7de005ae118)) + +- Address all zizmor security findings in GitHub Actions workflows + ([`5b2cb0b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/5b2cb0ba371d402ece0f87ba89d925cb4d42ae5e)) + +- Pin actions/create-github-app-token to commit hash + ([`f959774`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/f959774e7308966fab7fbde8f50851ea267a9c0f)) + +- Revert persist-credentials in release checkout (untested combination) + ([`1a42e8e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1a42e8ead629c9fedf9e389a1226fee87299af1b)) + +### Documentation + +- Update CDX summary ([#951](https://github.com/CycloneDX/cyclonedx-python-lib/pull/951), + [`752b162`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/752b1620a23e319add81c505fe7197a2ae3cca06)) + + ## v11.7.0 (2026-03-17) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index ff9bd20b..4c9c9ca9 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.7.0" # noqa:Q000 +__version__ = "11.7.1-alpha.1" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 31daedd8..8fe009c1 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.7.0' +release = '11.7.1-alpha.1' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index 532b1e6c..33f62cba 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.7.0" +version = "11.7.1-alpha.1" description = "Python library for CycloneDX" authors = [ "Paul Horton ", @@ -146,15 +146,15 @@ exclude_commit_patterns = [ match = "(main|master)" prerelease = false -[tool.semantic_release.branches."step"] -match = "(build|chore|ci|docs|feat|fix|perf|style|refactor|tests?)" -prerelease = true -prerelease_token = "alpha" - [tool.semantic_release.branches."major-dev"] match = "(\\d+\\.0\\.0-(dev|rc)|dev/\\d+\\.0\\.0)" prerelease = true prerelease_token = "rc" +[tool.semantic_release.branches.fallback] +match = ".*" +prerelease = true +prerelease_token = "alpha" + [tool.deptry] extend_exclude = ["docs", "examples", "package_aliases", "tools"]