Merge branch 'main' into msl-auth

Author: MattyTheHacker

.github/renovate.json

@@ -20,6 +20,11 @@
         "replacements:all",
         "workarounds:all"
     ],
+    "gitIgnoredAuthors": [
+        "autofix-ci@users.noreply.github.com",
+        "autofix-ci[bot]@users.noreply.github.com",
+        "114827586+autofix-ci[bot]@users.noreply.github.com"
+    ],
     "labels": [
         "dependencies"
     ],

.github/workflows/autofix-pre-commit.yaml

@@ -0,0 +1,73 @@
+name: autofix.ci
+
+"on":
+    pull_request:
+        branches: [main]
+    workflow_call:
+        inputs:
+            skip-autofix:
+                default: false
+                required: false
+                type: boolean
+
+permissions:
+    contents: read
+
+jobs:
+    autofix-pre-commit:
+        env:
+            UV_FROZEN: true
+            UV_NO_SYNC: true
+            UV_PYTHON_DOWNLOADS: never
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v6
+
+            - name: Add GB Locale
+              run: |
+                sudo apt-get update
+                sudo apt-get install -y locales
+                sudo locale-gen en_GB.UTF-8
+              shell: bash
+
+            - name: Set Up Python
+              uses: actions/setup-python@v6
+              with:
+                python-version-file: .python-version
+
+            - name: Install uv
+              uses: astral-sh/setup-uv@v8.1.0
+              with:
+                enable-cache: true
+
+            - name: Install prek From Locked Dependencies
+              run: uv sync --only-group pre-commit
+
+            - id: store-hashed-python-version
+              name: Store Hashed Python Version
+              run: echo "hashed_python_version=$(uv run -- python -VV | sha256sum | cut -d' ' -f1)"
+                >> "$GITHUB_OUTPUT"
+
+            - uses: actions/cache@v5
+              with:
+                key: prek|${{steps.store-hashed-python-version.outputs.hashed_python_version}}|${{hashFiles('.pre-commit-config.yaml')}}
+                path: ~/.cache/prek
+
+            - name: Setup pre-commit Environments
+              run: uv run -- prek install-hooks
+
+            - name: Run prek
+              run: |
+                set -o pipefail
+                if [[ "${{github.event_name}}" == "push" && "${{github.ref_name}}" == "${{github.event.repository.default_branch}}" ]]; then
+                    uv run -- prek run --all-files --hook-stage manual --color never --skip ruff-check --skip uv-lock --skip gitlint-ci | tee /tmp/prek.log
+                else
+                    uv run -- prek run --all-files --hook-stage manual --color never --skip ruff-check --skip uv-lock | tee /tmp/prek.log
+                fi
+
+            - name: Ensure No Warnings
+              run: "if grep -q '^warning: ' /tmp/prek.log; then exit 1; fi"
+
+            - if: "!cancelled() && inputs.skip-autofix != true"
+              uses: autofix-ci/action@v1.3.4

.github/workflows/check-build-deploy.yaml

@@ -7,6 +7,9 @@ name: Check, Build and Deploy
         branches: [main]
         tags: [v*]
 
+permissions:
+    contents: read
+
 jobs:
     uv-check:
         runs-on: ubuntu-latest
@@ -15,7 +18,7 @@ jobs:
             - uses: actions/checkout@v6
 
             - name: Install uv
-              uses: astral-sh/setup-uv@v7
+              uses: astral-sh/setup-uv@v8.1.0
               with:
                 enable-cache: true
 
@@ -38,7 +41,7 @@ jobs:
                 python-version: 3.14
 
             - name: Install uv
-              uses: astral-sh/setup-uv@v7
+              uses: astral-sh/setup-uv@v8.1.0
               with:
                 enable-cache: true
 
@@ -69,7 +72,7 @@ jobs:
                 python-version-file: .python-version
 
             - name: Install uv
-              uses: astral-sh/setup-uv@v7
+              uses: astral-sh/setup-uv@v8.1.0
               with:
                 enable-cache: true
 
@@ -110,62 +113,9 @@ jobs:
                 uv run -- mypy "${ARGS[@]}"
 
     pre-commit:  # yamllint disable-line rule:key-ordering
-        env:
-            UV_FROZEN: true
-            UV_NO_SYNC: true
-            UV_PYTHON_DOWNLOADS: never
-        runs-on: ubuntu-latest
-
-        steps:
-            - uses: actions/checkout@v6
-
-            - name: Add GB Locale
-              run: |
-                sudo apt-get update
-                sudo apt-get install -y locales
-                sudo locale-gen en_GB.UTF-8
-              shell: bash
-
-            - name: Set Up Python
-              uses: actions/setup-python@v6
-              with:
-                python-version-file: .python-version
-
-            - name: Install uv
-              uses: astral-sh/setup-uv@v7
-              with:
-                enable-cache: true
-
-            - name: Install prek From Locked Dependencies
-              run: uv sync --only-group pre-commit
-
-            - id: store-hashed-python-version
-              name: Store Hashed Python Version
-              run: echo "hashed_python_version=$(uv run -- python -VV | sha256sum | cut -d' ' -f1)"
-                >> "$GITHUB_OUTPUT"
-
-            - uses: actions/cache@v5
-              with:
-                key: prek|${{steps.store-hashed-python-version.outputs.hashed_python_version}}|${{hashFiles('.pre-commit-config.yaml')}}
-                path: ~/.cache/prek
-
-            - name: Setup pre-commit Environments
-              run: uv run -- prek install-hooks
-
-            - name: Run prek
-              run: |
-                set -o pipefail
-                if [[ "${{github.event_name}}" == "push" && "${{github.ref_name}}" == "${{github.event.repository.default_branch}}" ]]; then
-                    uv run -- prek run --all-files --hook-stage manual --color never --skip ruff-check --skip uv-lock --skip gitlint-ci | tee /tmp/prek.log
-                else
-                    uv run -- prek run --all-files --hook-stage manual --color never --skip ruff-check --skip uv-lock | tee /tmp/prek.log
-                fi
-
-            - name: Ensure No Warnings
-              run: "if grep -q '^warning: ' /tmp/prek.log; then exit 1; fi"
-
-            - if: ${{!cancelled()}}
-              uses: pre-commit-ci/lite-action@v1.1.0
+        uses: ./.github/workflows/autofix-pre-commit.yaml
+        with:
+            skip-autofix: true
 
     pymarkdown:  # yamllint disable-line rule:key-ordering
         env:
@@ -183,7 +133,7 @@ jobs:
                 python-version-file: .python-version
 
             - name: Install uv
-              uses: astral-sh/setup-uv@v7
+              uses: astral-sh/setup-uv@v8.1.0
               with:
                 enable-cache: true
 
@@ -212,7 +162,7 @@ jobs:
                 python-version-file: .python-version
 
             - name: Install uv
-              uses: astral-sh/setup-uv@v7
+              uses: astral-sh/setup-uv@v8.1.0
               with:
                 enable-cache: true
 
@@ -240,7 +190,7 @@ jobs:
 
             - if: ${{!cancelled()}}
               name: Upload coverage report to Codecov
-              uses: codecov/codecov-action@v5
+              uses: codecov/codecov-action@v6
               with:
                 use_oidc: true
 
@@ -260,7 +210,7 @@ jobs:
                 python-version-file: .python-version
 
             - name: Install uv
-              uses: astral-sh/setup-uv@v7
+              uses: astral-sh/setup-uv@v8.1.0
               with:
                 enable-cache: true
 
@@ -289,26 +239,26 @@ jobs:
             == 'CSSUoB/TeX-Bot-Py-V2'
         needs: [mypy, pre-commit, pymarkdown, pytest, ruff-lint, uv-check]
         permissions:
+            artifact-metadata: write
             attestations: write
-            contents: read
             id-token: write
             packages: write
         runs-on: ubuntu-latest
 
         steps:
             - name: Log in to the Container registry
-              uses: docker/login-action@v3.7.0
+              uses: docker/login-action@v4.1.0
               with:
                 password: ${{secrets.GITHUB_TOKEN}}
                 registry: ${{env.REGISTRY}}
                 username: ${{github.actor}}
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+              uses: docker/setup-buildx-action@v4
 
             - id: docker-extract-metadata
               name: Extract metadata (tags, labels) for Docker
-              uses: docker/metadata-action@v5.10.0
+              uses: docker/metadata-action@v6.0.0
               with:
                 images: ${{env.REGISTRY}}/${{env.IMAGE_NAME}}
                 tags: |-
@@ -320,14 +270,14 @@ jobs:
 
             - id: build-and-publish
               name: Build and Publish
-              uses: docker/build-push-action@v6
+              uses: docker/build-push-action@v7
               with:
                 labels: ${{steps.docker-extract-metadata.outputs.labels}}
                 push: true
                 tags: ${{steps.docker-extract-metadata.outputs.tags}}
 
             - name: Generate Artifact Attestation
-              uses: actions/attest-build-provenance@v3
+              uses: actions/attest-build-provenance@v4
               with:
                 push-to-registry: true
                 subject-digest: ${{steps.build-and-publish.outputs.digest}}

.github/workflows/pr-auto-updater.yaml

@@ -13,7 +13,7 @@ jobs:
         steps:
             - id: generate-token
               name: Generate Access Token
-              uses: actions/create-github-app-token@v2
+              uses: actions/create-github-app-token@v3
               with:
                 app-id: ${{vars.PR_AUTO_UPDATE_CLIENT_ID}}
                 private-key: ${{secrets.PR_AUTO_UPDATE_PRIVATE_KEY}}

.github/workflows/prevent-migrations-deletion.yaml

@@ -12,7 +12,7 @@ jobs:
 
         steps:
             - name: Prevent migrations files being changed or deleted
-              uses: xalvarez/prevent-file-change-action@v3.0.0
+              uses: xalvarez/prevent-file-change-action@v3.0.1
               with:
                 allowNewFiles: true
                 githubToken: ${{secrets.GITHUB_TOKEN}}

.pre-commit-config.yaml

@@ -5,23 +5,23 @@ default_stages: [pre-commit, pre-merge-commit, manual]
 
 repos:
     - repo: https://github.com/astral-sh/uv-pre-commit
-      rev: 0.10.3
+      rev: 0.11.13
       hooks:
         - id: uv-lock
           always_run: true
 
     - repo: https://github.com/gitleaks/gitleaks
-      rev: v8.30.0
+      rev: v8.30.1
       hooks:
         - id: gitleaks
 
     - repo: https://github.com/codespell-project/codespell
-      rev: v2.4.1
+      rev: v2.4.2
       hooks:
         - id: codespell
 
     - repo: https://github.com/tombi-toml/tombi-pre-commit
-      rev: v0.7.29
+      rev: v0.11.2
       hooks:
         - id: tombi-format
         - id: tombi-lint
@@ -32,7 +32,7 @@ repos:
         - id: sync-with-uv
 
     - repo: https://github.com/rhysd/actionlint
-      rev: v1.7.11
+      rev: v1.7.12
       hooks:
         - id: actionlint
           additional_dependencies: [github.com/wasilibs/go-shellcheck/cmd/shellcheck@latest]  # yamllint disable-line rule:key-ordering
@@ -56,14 +56,14 @@ repos:
           args: [--strict]
 
     - repo: https://github.com/renovatebot/pre-commit-hooks
-      rev: 43.19.2
+      rev: 43.150.0
       hooks:
         - id: renovate-config-validator
           args: [--strict]
           stages: [manual]
 
     - repo: https://github.com/python-jsonschema/check-jsonschema
-      rev: 0.36.2
+      rev: 0.37.2
       hooks:
         - id: check-jsonschema
           args: [--schemafile, 'https://json.schemastore.org/yamllint.json']  # yamllint disable-line rule:quoted-strings
@@ -116,7 +116,7 @@ repos:
           args: [--autofix]
 
     - repo: https://github.com/astral-sh/ruff-pre-commit
-      rev: v0.15.1
+      rev: v0.15.12
       hooks:
         - id: ruff-check
           args: [--fix]

Dockerfile

@@ -22,13 +22,17 @@ COPY cogs/ /app/cogs/
 
 FROM python:3.13-slim-trixie
 
+RUN groupadd --system --gid 999 nonroot && useradd --system --gid 999 --uid 999 --create-home nonroot
+
 LABEL org.opencontainers.image.source=https://github.com/CSSUoB/TeX-Bot-Py-V2
 LABEL org.opencontainers.image.licenses=Apache-2.0
 
-COPY --from=builder --chown=app:app /app /app
+COPY --from=builder --chown=nonroot:nonroot /app /app
 
 ENV LANG=C.UTF-8 PATH="/app/.venv/bin:$PATH"
 
 WORKDIR /app
 
+USER nonroot
+
 ENTRYPOINT ["python", "-m", "main"]