chore(deps): pin dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/cache	action	pinDigest	-> 5a3ec84
actions/checkout	action	pinDigest	-> 11bd719
actions/delete-package-versions	action	pinDigest	-> e5bc658
actions/dependency-review-action	action	pinDigest	-> da24556
actions/setup-node	action	pinDigest	-> 49933ea
actions/setup-python	action	pinDigest	-> a26af69
actions/upload-artifact	action	pinDigest	-> ea165f8
alstr/todo-to-issue-action	action	pinDigest	-> 3bd536e
codecov/codecov-action	action	pinDigest	-> 18283e0
codecov/test-results-action	action	pinDigest	-> 47f89e9
dependabot/fetch-metadata	action	pinDigest	-> 0fb2170
docker/build-push-action	action	pinDigest	-> 2634353
docker/login-action	action	pinDigest	-> 74a5d14
docker/metadata-action	action	pinDigest	-> 902fa8e
docker/setup-buildx-action	action	pinDigest	-> e468171
docker/setup-qemu-action	action	pinDigest	-> 2910929
github/codeql-action	action	pinDigest	-> ce28f5b
jakebailey/pyright-action	action	pinDigest	-> b5d50e5
lewagon/wait-on-check-action	action	pinDigest	-> ccfb013
poetry-types	dev	pin	^0.6.0 -> 0.6.0
pre-commit	dev	pin	>=4.0.0 -> ==4.2.0
pyright	dev	pin	>=1.1.358 -> ==1.1.402
python	final	pinDigest	-> 6b3223e
python	stage	pinDigest	-> 6b3223e
raven-actions/actionlint	action	pinDigest	-> 789059c
ruff (source, changelog)	dev	pin	>=0.8.0 -> ==0.12.0
softprops/action-gh-release	action	pinDigest	-> 72f2c25
tj-actions/changed-files	action	pinDigest	-> a284dc1
yamlfix	dev	pin	^1.17.0 -> 1.17.0
yamllint	dev	pin	^1.37.1 -> 1.37.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sourcery-ai]

Reviewer's Guide

This PR systematically replaces floating version references across CI/workflow configurations and project metadata with explicit SHA digests or exact version pins for improved reproducibility and security.

Flow diagram for dependency pinning process in CI

flowchart TD
    Start([Start: Floating/Unpinned Dependencies])
    Update[Update workflow and config files to use pinned versions and digests]
    PinActions[Pin GitHub Actions to specific SHAs]
    PinPython[Pin Python base image in Dockerfile to SHA256 digest]
    PinDevDeps[Pin dev dependencies in pyproject.toml to exact versions]
    End([End: All dependencies pinned])

    Start --> Update --> PinActions
    PinActions --> PinPython
    PinPython --> PinDevDeps
    PinDevDeps --> End

Loading

File-Level Changes

Change	Details	Files
Pin all GitHub Actions and composite action usages to specific SHA digests.	Replaced uses: …@vx with uses: …@ across all workflow files Updated Docker build, setup, login, metadata and other actions in .github/workflows Updated composite action references in .github/actions/*/action.yml	.github/workflows/docker.yml .github/workflows/ci.yml .github/workflows/security.yml .github/workflows/maintenance.yml .github/workflows/release.yml .github/workflows/tests.yml .github/workflows/deploy.yml .github/actions/setup-nodejs-markdown/action.yml .github/actions/setup-python/action.yml .github/actions/upload-coverage/action.yml
Pin Python base image in Dockerfile to a specific SHA256 digest.	Added @sha256 digest suffix to python:3.13.2-slim in both base and production stages	Dockerfile
Enforce exact version pins for development dependencies in project metadata.	Changed dev dependencies in pyproject.toml from range constraints to exact versions Updated poetry.lock to reflect the pinned dependency versions	pyproject.toml poetry.lock

Possibly linked issues

• #123: The PR pins dependencies and is listed as an open update in the dependency dashboard issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/jakebailey/pyright-action	b5d50e5cde6547546a5c4ac92e416a8c2c1a1dfe	🟢 3.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 0/23 approved changesets -- score normalized to 0 Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/raven-actions/actionlint	789059c543ab20522fb3e7240794e13b0f69ad67	Unknown	Unknown
actions/tj-actions/changed-files	a284dc1814e3fd07f2e34267fc8f81227ed29fb8	🟢 6.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Code-Review 🟢 3 Found 1/3 approved changesets -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 10 all dependencies are pinned Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/actions/cache	5a3ec84eff668545956fd18022155c47e93e2684	🟢 6.1	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 2 2 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 2 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v1): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/actions/delete-package-versions	e5bc658cc4c965c472efe991f8beea3981499c55	🟢 4.6	Details Check Score Reason Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 8 Found 4/5 approved changesets -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Vulnerabilities ⚠️ 0 12 existing vulnerabilities detected
actions/docker/build-push-action	263435318d21b8e681c14492fe198d362a7d2c83	🟢 5.7	Details Check Score Reason Maintained 🟢 10 28 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Code-Review 🟢 8 Found 8/9 approved changesets -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/docker/login-action	74a5d142397b4f367a81961eba4e8cd7edddf772	🟢 5.7	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 8 7 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 8 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 8 Found 4/5 approved changesets -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 8 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 3 Found 1/3 approved changesets -- score normalized to 3 Maintained 🟢 10 16 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/docker/setup-buildx-action	e468171a9de216ec08956ac3ada2f0791b6bd435	🟢 5.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 4 Found 3/7 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Maintained 🟢 10 21 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected
actions/docker/setup-qemu-action	29109295f81e9208d7d86ff1c6c12d2833863392	🟢 5	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 7 7 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif	ce28f5bb42b7a9f2c824e633a3f6ee835bab6858	Unknown	Unknown
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/actions/delete-package-versions	e5bc658cc4c965c472efe991f8beea3981499c55	🟢 4.6	Details Check Score Reason Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 8 Found 4/5 approved changesets -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Vulnerabilities ⚠️ 0 12 existing vulnerabilities detected
actions/alstr/todo-to-issue-action	3bd536e14a2cbceeab1fadef96bea5f725ed4270	🟢 4.4	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 1 Found 3/21 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/lewagon/wait-on-check-action	ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc	🟢 4.9	Details Check Score Reason Code-Review ⚠️ 2 Found 6/24 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 8 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/softprops/action-gh-release	72f2c25fcb47643c292f7107632f7a47c1df5cd8	🟢 5.3	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 3 Found 6/17 approved changesets -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/actions/dependency-review-action	da24556b548a50705dd671f47852072ea4c105d9	🟢 6.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/actions/upload-artifact	ea165f8d65b6e75b540449e92b4886f43607fa02	🟢 5.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/dependabot/fetch-metadata	0fb21704c18a42ce5aa8d720ea4b912f5e6babef	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 27 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/github/codeql-action/analyze	ce28f5bb42b7a9f2c824e633a3f6ee835bab6858	Unknown	Unknown
actions/github/codeql-action/init	ce28f5bb42b7a9f2c824e633a3f6ee835bab6858	Unknown	Unknown
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/actions/upload-artifact	ea165f8d65b6e75b540449e92b4886f43607fa02	🟢 5.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/tj-actions/changed-files	a284dc1814e3fd07f2e34267fc8f81227ed29fb8	🟢 6.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Code-Review 🟢 3 Found 1/3 approved changesets -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 10 all dependencies are pinned Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 8 2 existing vulnerabilities detected

Scanned Files

• .github/workflows/ci.yml
• .github/workflows/deploy.yml
• .github/workflows/docker.yml
• .github/workflows/maintenance.yml
• .github/workflows/release.yml
• .github/workflows/security.yml
• .github/workflows/tests.yml

[cloudflare-workers-and-pages]

Deploying tux with    Cloudflare Pages

Latest commit:	71405cb
Status:	✅  Deploy successful!
Preview URL:	https://d2bfd35f.tux-afh.pages.dev
Branch Preview URL:	https://renovate-pin-dependencies.tux-afh.pages.dev

View logs

[anemoijereja-eden]

looks fine. pins everything to set versions as it says. this is a good improvement for build consistency. nothing really jumps out.