Tags: github-community-projects/contributors
chore(deps): bump cryptography from 46.0.6 to 46.0.7 (#451)

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.6 to 46.0.7.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.6...46.0.7)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: compare sponsor_info as bool instead of string (#446)

Relates to github-community-projects/cleanowners#373

## What
Changed the sponsor_info gate in contributors.py from a string comparison (`== "true"`) to a truthy check, and updated the test mock to return a bool to match what get_bool_env_var actually returns.

## Why
get_bool_env_var returns a Python bool, but the comparison checked for the string "true". Since `True == "true"` is always False, sponsor information was never fetched regardless of the SPONSOR_INFO env var setting.

## Notes
- markdown.py already has `_is_truthy()` that handles both types, so the rendering side was not affected — only the data fetch was skipped.
- json_writer.py passes sponsor_info through without comparison, so it's also unaffected.

Signed-off-by: jmeridth <jmeridth@gmail.com>
chore(deps): bump cryptography from 46.0.5 to 46.0.6 (#440)

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5 to 46.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.5...46.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
chore(deps): bump requests from 2.32.5 to 2.33.0 (#438)

Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build: switch from pip to uv for dependency management (#416)

* build: switch from pip to uv for dependency management

## What
Replace pip-based dependency management with uv across the project, consolidating requirements.txt and requirements-test.txt into pyproject.toml with a generated uv.lock. Add a workflow to keep uv.lock in sync on Dependabot PRs.

## Why
uv provides faster installs, deterministic lockfile resolution, and a simpler single-tool workflow for dependency and virtualenv management.

## Notes
- Dockerfile now copies uv binary from ghcr.io/astral-sh/uv:latest and uses uv sync --frozen --no-dev instead of pip install
- CI workflows use astral-sh/setup-uv with caching enabled
- test_contributors.py reformatted by black (with-statement style change)
- Dependabot will update pyproject.toml but does not natively understand uv.lock, so update-uv-lock.yml auto-commits the regenerated lockfile back to Dependabot PR branches
- If branch protection requires signed commits, the update-uv-lock workflow may need a GitHub App token instead of GITHUB_TOKEN
- Update CI matrix to include python 3.13 and 3.14

Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: address PR review feedback for uv migration

## What
Pin the uv Docker image to a versioned digest, restore unbuffered Python output in the container, and update the super-linter workflow to use uv instead of the deleted requirements files.

## Why
The review identified three issues: supply-chain risk from using a mutable :latest tag, loss of unbuffered stdout/stderr behavior needed for GitHub Actions log streaming, and the super-linter workflow still referencing the removed requirements.txt files.

## Notes
- uv image pinned to 0.10.9@sha256:10902f58... — will need Dependabot or manual updates to rotate
- PYTHONUNBUFFERED=1 replaces the previous python3 -u entrypoint flag

Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: address super-linter CI failures

## What
Fix zizmor bot-conditions audit and codespell false positive on uv.lock.

## Why
The zizmor audit flagged github.actor as spoofable since it refers to the last actor to modify the PR, not the creator. Codespell flagged "astroid" (a real Python package) in uv.lock as a misspelling of "asteroid".

## Notes
- Replaced github.actor with github.event.pull_request.user.login which refers to the PR creator and cannot be spoofed by later commits
- Added .codespellrc to ignore-words-list for "astroid"

Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: exclude .venv from jscpd duplicate detection

## What
Add .venv to jscpd ignore list in the linter configuration.

## Why
The uv sync step creates a .venv in the workspace during CI. jscpd was scanning vendored C files inside mypyc and reporting 50.58% duplication over the 50% threshold, failing the super-linter check.

## Notes
- This only became an issue after switching to uv, which creates .venv in the workspace rather than installing into the system Python

Signed-off-by: jmeridth <jmeridth@gmail.com>

---------

Signed-off-by: jmeridth <jmeridth@gmail.com>