Refresh uv.lock for CVEs and add explicit CI permissions (closes #25) (#26)

* chore(deps): uv sync --upgrade to clear known CVEs

Refreshes uv.lock to current dependency versions (reflex 0.8.20 -> 0.9.1,
authlib 1.5.2 -> 1.6.11, requests, urllib3, cryptography, etc.) to pick up
security fixes flagged in #25.

Authlib 1.6 tightened the type signature on `jwt.decode`; pass a `KeySet`
built via `JsonWebKey.import_key_set` instead of a raw `{"keys": [...]}`
dict.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: declare explicit GITHUB_TOKEN permissions on workflows

Addresses the second half of #25: GitHub flags workflows that rely on
default token permissions. Adds minimal `permissions:` blocks — top-level
`contents: read` for read-only CI, plus `pull-requests: read/write` on the
jobs that fetch PR info or post status comments.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: TimChild

.github/workflows/_reusable-ci.yml

@@ -26,6 +26,8 @@ on:
 jobs:
   ci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         python-versions: ["3.11", "3.12", "3.13"]

.github/workflows/ci-forks.yml

@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   basic-checks:
     uses: ./.github/workflows/_reusable-ci.yml

.github/workflows/ci.yml

@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     uses: ./.github/workflows/_reusable-ci.yml

.github/workflows/full-ci-comment.yml

@@ -4,13 +4,18 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   trigger-check:
     if: |
       github.event.issue.pull_request &&
       contains(github.event.comment.body, '/run-full-ci') &&
       github.event.comment.author_association == 'OWNER'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     outputs:
       pr_head_sha: ${{ steps.pr.outputs.pr_head_sha }}
       pr_head_repo: ${{ steps.pr.outputs.pr_head_repo }}
@@ -42,6 +47,8 @@ jobs:
   comment-result:
     needs: [trigger-check, full-ci]
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     # if the trigger-check job ran (i.e., the comment was valid)
     if: needs.trigger-check.result != 'skipped'
     steps:

.github/workflows/full-ci-manual.yml

@@ -8,9 +8,14 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   get-pr-info:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     outputs:
       head_sha: ${{ steps.pr-info.outputs.head_sha }}
       head_repo: ${{ steps.pr-info.outputs.head_repo }}
@@ -42,6 +47,8 @@ jobs:
     needs: [get-pr-info, full-ci]
     if: always()
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Comment on PR
         uses: actions/github-script@v7

custom_components/reflex_clerk_api/clerk_provider.py

@@ -9,7 +9,7 @@
 import authlib.jose.errors as jose_errors
 import clerk_backend_api
 import reflex as rx
-from authlib.jose import JWTClaims, jwt
+from authlib.jose import JsonWebKey, JWTClaims, jwt
 from reflex.event import EventCallback, EventType, IndividualEventType
 from reflex.utils.exceptions import ImmutableStateError
 
@@ -127,9 +127,10 @@ async def set_clerk_session(self, token: str) -> EventType:
         """
         logging.debug("Setting Clerk session")
         jwks = await self._get_jwk_keys()
+        key_set = JsonWebKey.import_key_set({"keys": jwks})
         try:
             decoded: JWTClaims = jwt.decode(
-                token, {"keys": jwks}, claims_options=self._claims_options
+                token, key_set, claims_options=self._claims_options
             )
         except jose_errors.DecodeError as e:
             # E.g. DecodeError -- Something went wrong just getting the JWT