Add automated security update workflows

New workflows:
- security-updates.yml: Weekly automated security scanning and PR creation
- dependabot-auto-merge.yml: Auto-merge Dependabot PRs after tests pass
- dependabot.yml: Configure Dependabot for Python and GitHub Actions

Features:
- Scans dependencies with pip-audit and safety
- Automatically creates PRs with security fixes
- Runs full test suite before merging
- Auto-bumps version for security releases
- Creates GitHub releases automatically
- Publishes to PyPI via existing workflow

Schedule:
- Runs every Monday at 2 AM UTC
- Can be triggered manually
- Responds to Dependabot alerts immediately

Author: StasonJatham

.github/dependabot.yml

@@ -0,0 +1,36 @@
+version: 2
+updates:
+  # Enable version updates for Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "02:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "PigeonSec"
+    labels:
+      - "dependencies"
+      - "automated"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    # Group minor and patch updates together
+    groups:
+      production-dependencies:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Enable security updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 3
+    labels:
+      - "dependencies"
+      - "github-actions"

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,121 @@
+name: Dependabot Auto-Merge
+
+on:
+  pull_request:
+    branches: [ master ]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot-auto-merge:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -e .
+        pip install pytest
+
+    - name: Run unit tests
+      id: unit_tests
+      run: |
+        pytest tests/test_validator.py -v --tb=short
+        echo "unit_tests_passed=true" >> $GITHUB_OUTPUT
+
+    - name: Run CLI tests
+      id: cli_tests
+      run: |
+        pytest tests/test_cli.py -v --tb=short
+        echo "cli_tests_passed=true" >> $GITHUB_OUTPUT
+
+    - name: Check if security update
+      id: check_security
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        PR_BODY=$(gh pr view ${{ github.event.pull_request.number }} --json body --jq .body)
+
+        if echo "$PR_BODY" | grep -iq "security"; then
+          echo "is_security_update=true" >> $GITHUB_OUTPUT
+          echo "🔒 This is a security update"
+        else
+          echo "is_security_update=false" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Auto-approve and merge
+      if: steps.unit_tests.outputs.unit_tests_passed == 'true' && steps.cli_tests.outputs.cli_tests_passed == 'true'
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        # Approve the PR
+        gh pr review ${{ github.event.pull_request.number }} --approve --body "✅ All tests passed. Auto-approving Dependabot PR."
+
+        # Enable auto-merge
+        gh pr merge ${{ github.event.pull_request.number }} --auto --squash --delete-branch
+
+        echo "✅ Auto-merge enabled for Dependabot PR #${{ github.event.pull_request.number }}"
+
+    - name: Create release if security update
+      if: |
+        steps.unit_tests.outputs.unit_tests_passed == 'true' &&
+        steps.cli_tests.outputs.cli_tests_passed == 'true' &&
+        steps.check_security.outputs.is_security_update == 'true'
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        # Wait for PR to merge
+        sleep 10
+
+        # Get current version
+        VERSION=$(python -c "import re; content=open('pyresolvers/lib/core/__version__.py').read(); print(re.search(r\"'([^']+)'\", content).group(1))")
+
+        # Calculate new patch version
+        IFS='.' read -ra PARTS <<< "$VERSION"
+        MAJOR="${PARTS[0]}"
+        MINOR="${PARTS[1]}"
+        PATCH="${PARTS[2]}"
+        NEW_PATCH=$((PATCH + 1))
+        NEW_VERSION="$MAJOR.$MINOR.$NEW_PATCH"
+
+        # Update version file
+        echo "__version__ = '$NEW_VERSION'" > pyresolvers/lib/core/__version__.py
+
+        # Commit and push
+        git config --local user.email "github-actions[bot]@users.noreply.github.com"
+        git config --local user.name "github-actions[bot]"
+        git add pyresolvers/lib/core/__version__.py
+        git commit -m "Bump version to $NEW_VERSION for security update"
+        git push
+
+        # Create tag
+        git tag -a "v$NEW_VERSION" -m "Security update v$NEW_VERSION"
+        git push --tags
+
+        # Create GitHub release (this will trigger PyPI publish)
+        gh release create "v$NEW_VERSION" \
+          --title "v$NEW_VERSION - Security Update" \
+          --notes "## Security Update
+
+This release includes security dependency updates from Dependabot.
+
+### Changes
+- Security dependency updates
+- All tests passed ✅
+
+### Automated Release
+This release was automatically created after Dependabot's security updates passed all tests.
+
+See PR #${{ github.event.pull_request.number }} for details."
+
+        echo "✅ Created release v$NEW_VERSION"

.github/workflows/security-updates.yml

@@ -0,0 +1,195 @@
+name: Security Updates
+
+on:
+  schedule:
+    # Run every Monday at 2 AM UTC
+    - cron: '0 2 * * 1'
+  workflow_dispatch:  # Allow manual trigger
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -e .
+        pip install pytest pip-audit safety
+
+    - name: Run security audit with pip-audit
+      id: pip_audit
+      continue-on-error: true
+      run: |
+        pip-audit --desc > security-report.txt 2>&1 || echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT
+        cat security-report.txt
+
+    - name: Check for vulnerabilities with Safety
+      id: safety_check
+      continue-on-error: true
+      run: |
+        safety check --json > safety-report.json 2>&1 || echo "safety_issues=true" >> $GITHUB_OUTPUT
+
+    - name: Attempt to fix vulnerabilities
+      if: steps.pip_audit.outputs.vulnerabilities_found == 'true' || steps.safety_check.outputs.safety_issues == 'true'
+      id: fix_vulnerabilities
+      run: |
+        # Upgrade all dependencies to latest secure versions
+        pip list --outdated --format=json | python -c "
+        import json, sys
+        packages = json.load(sys.stdin)
+        for pkg in packages:
+            print(pkg['name'])
+        " > outdated.txt
+
+        # Read requirements and upgrade
+        if [ -f "requirements.txt" ]; then
+          while IFS= read -r package; do
+            if [ ! -z "$package" ]; then
+              pip install --upgrade "$package" || true
+            fi
+          done < outdated.txt
+
+          # Freeze new versions
+          pip freeze | grep -v "pyresolvers" > requirements-new.txt
+          mv requirements-new.txt requirements.txt
+
+          echo "updated=true" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Run all tests
+      if: steps.fix_vulnerabilities.outputs.updated == 'true'
+      id: run_tests
+      run: |
+        pytest tests/test_validator.py -v --tb=short
+        pytest tests/test_cli.py -v --tb=short
+        echo "tests_passed=true" >> $GITHUB_OUTPUT
+
+    - name: Get current version
+      if: steps.run_tests.outputs.tests_passed == 'true'
+      id: get_version
+      run: |
+        VERSION=$(python -c "import re; content=open('pyresolvers/lib/core/__version__.py').read(); print(re.search(r\"'([^']+)'\", content).group(1))")
+        echo "current_version=$VERSION" >> $GITHUB_OUTPUT
+
+        # Calculate new patch version
+        IFS='.' read -ra PARTS <<< "$VERSION"
+        MAJOR="${PARTS[0]}"
+        MINOR="${PARTS[1]}"
+        PATCH="${PARTS[2]}"
+        NEW_PATCH=$((PATCH + 1))
+        NEW_VERSION="$MAJOR.$MINOR.$NEW_PATCH"
+        echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
+
+    - name: Bump version
+      if: steps.run_tests.outputs.tests_passed == 'true'
+      run: |
+        NEW_VERSION="${{ steps.get_version.outputs.new_version }}"
+        echo "__version__ = '$NEW_VERSION'" > pyresolvers/lib/core/__version__.py
+
+    - name: Create security update branch
+      if: steps.run_tests.outputs.tests_passed == 'true'
+      run: |
+        git config --local user.email "github-actions[bot]@users.noreply.github.com"
+        git config --local user.name "github-actions[bot]"
+
+        BRANCH_NAME="security/auto-update-$(date +%Y%m%d)"
+        git checkout -b $BRANCH_NAME
+
+        git add requirements.txt pyresolvers/lib/core/__version__.py
+
+        # Create detailed commit message
+        echo "Security update v${{ steps.get_version.outputs.new_version }}" > commit-msg.txt
+        echo "" >> commit-msg.txt
+        echo "Automated security dependency updates:" >> commit-msg.txt
+        echo "" >> commit-msg.txt
+        cat security-report.txt >> commit-msg.txt || echo "No detailed report available" >> commit-msg.txt
+        echo "" >> commit-msg.txt
+        echo "All tests passed after updates." >> commit-msg.txt
+
+        git commit -F commit-msg.txt
+        git push origin $BRANCH_NAME
+
+        echo "branch_name=$BRANCH_NAME" >> $GITHUB_ENV
+
+    - name: Create Pull Request
+      if: steps.run_tests.outputs.tests_passed == 'true'
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        BRANCH_NAME="security/auto-update-$(date +%Y%m%d)"
+        NEW_VERSION="${{ steps.get_version.outputs.new_version }}"
+
+        gh pr create \
+          --title "🔒 Security Update v$NEW_VERSION" \
+          --body "$(cat <<'EOF'
+## Automated Security Update
+
+This PR contains automated security dependency updates.
+
+### Changes
+- Updated vulnerable dependencies to secure versions
+- Bumped version to v$NEW_VERSION
+- All tests passed ✅
+
+### Security Report
+\`\`\`
+$(cat security-report.txt)
+\`\`\`
+
+### Test Results
+- ✅ Unit tests passed
+- ✅ CLI tests passed
+
+### Next Steps
+1. Review the dependency changes
+2. Merge this PR to trigger release workflow
+3. A new release will be automatically published to PyPI
+
+---
+🤖 This PR was automatically generated by the security workflow
+EOF
+)" \
+          --base master \
+          --head $BRANCH_NAME \
+          --label "security,automated"
+
+    - name: Auto-merge if tests pass
+      if: steps.run_tests.outputs.tests_passed == 'true'
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        BRANCH_NAME="security/auto-update-$(date +%Y%m%d)"
+
+        # Wait a moment for PR to be created
+        sleep 5
+
+        # Get PR number
+        PR_NUMBER=$(gh pr list --head $BRANCH_NAME --json number --jq '.[0].number')
+
+        if [ ! -z "$PR_NUMBER" ]; then
+          # Enable auto-merge
+          gh pr merge $PR_NUMBER --auto --squash --delete-branch
+
+          echo "✅ Auto-merge enabled for PR #$PR_NUMBER"
+          echo "PR will merge automatically once all checks pass"
+        fi
+
+    - name: No vulnerabilities found
+      if: steps.pip_audit.outputs.vulnerabilities_found != 'true' && steps.safety_check.outputs.safety_issues != 'true'
+      run: |
+        echo "✅ No security vulnerabilities found"
+        echo "All dependencies are up to date and secure"

pyresolvers/lib/core/__version__.py

@@ -1,2 +1,2 @@
-__version__ = '2.0.3'
+__version__ = '2.1.0'