Hotfix/security update (#89)

Signed-off-by: Raoul Linnenbank <58594297+rflinnenbank@users.noreply.github.com>

Author: rflinnenbank

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+/*
+ * SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
+* @alliander-opensource/wpla-alliander
+
+# The following rule assigns ownership of the CODEOWNERS file itself.
+# Note: The last matching rule takes precedence according to GitHub documentation.
+.github/CODEOWNERS @rflinnenbank

.github/ISSUE_TEMPLATE/bug_report.md

@@ -6,6 +6,11 @@ labels: ''
 assignees: ''
 ---
 
+<!--
+  SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+  SPDX-License-Identifier: MPL-2.0
+-->
+
 ## **Describe the Bug**
 
 Provide a clear and concise description of the issue.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -6,6 +6,11 @@ labels: ''
 assignees: ''
 ---
 
+<!--
+  SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+  SPDX-License-Identifier: MPL-2.0
+-->
+
 ## **Is Your Feature Request Related to a Problem? Please Describe**
 
 Provide a clear and concise description of the problem. For example: "I'm frustrated when [...]"

.github/dependabot.yaml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+# SPDX-License-Identifier: MPL-2.0
+
 # To get started with Dependabot version updates, you'll need to specify which
 # package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:

.github/workflows/allowed-pr-sources-dev-release.yaml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+# SPDX-License-Identifier: MPL-2.0
+
 name: Check if PR source branch is allowed for development or release branches
 
 on:

.github/workflows/allowed-pr-sources-main.yaml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+# SPDX-License-Identifier: MPL-2.0
+
 name: Check if PR source branch is allowed for main branch
 
 on:

.github/workflows/fuzzing.yml

@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+# SPDX-License-Identifier: MPL-2.0
+
+name: Fuzzing
+
+on:
+  push:
+    branches:
+      - main
+      - development
+      - 'release/**'
+  pull_request:
+    branches:
+      - main
+      - development
+      - 'release/**'
+
+permissions:
+  contents: read
+
+jobs:
+  fuzzing:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: '3.11'
+      - name: Install Atheris
+        run: pip install atheris
+      - name: Run Python fuzz tests
+        run: |
+          python3 -m atheris tests/fuzz/test_fuzz_example.py || true

.github/workflows/generate-docs.yml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+# SPDX-License-Identifier: MPL-2.0
+
 name: Update Documentation
 on:
   workflow_dispatch:
@@ -12,15 +15,15 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/configure-pages@v5
-      - uses: actions/checkout@v5
-      - uses: actions/setup-python@v5
+      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
       - run: pip install zensical
       - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@v4
+      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: site
-      - uses: actions/deploy-pages@v4
+      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
         id: deployment

.github/workflows/openssf-scorecard.yml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+# SPDX-License-Identifier: MPL-2.0
+
 # This workflow uses actions that are not certified by GitHub. They are provided
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
@@ -35,12 +38,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -65,7 +68,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
@@ -74,6 +77,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
         with:
           sarif_file: results.sarif

.github/workflows/pr-quality-gate.yaml.yml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025-2026 Contributors to the MeteoForge project
+# SPDX-License-Identifier: MPL-2.0
+
 name: "PR Quality Gate: rc & main"
 
 on:
@@ -19,13 +22,13 @@ jobs:
     if: ${{ !github.event.pull_request.draft }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       # NOTE: point "uses:" to the DIRECTORY that contains action.yaml
       # If your composite is at ./pre-commit/action.yaml, use "./pre-commit"
       - name: Run pre-commit composite
         uses: ./.github/workflows/pre-commit
         with:
-          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+          python-version: ${{ vars.MAIN_PYTHON_VERSION }}
 
   pytest:
     permissions:
@@ -36,9 +39,9 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ${{ fromJSON(env.SUPPORTED_PYTHON_VERSIONS) }}
+        python-version: ${{ fromJSON(vars.SUPPORTED_PYTHON_VERSIONS) }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Run pytest composite
         uses: ./.github/workflows/pytest
         with:
@@ -54,9 +57,9 @@ jobs:
     continue-on-error: true
     strategy:
       matrix:
-        python-version: ${{ fromJSON(env.SUPPORTED_PYTHON_VERSIONS) }}
+        python-version: ${{ fromJSON(vars.SUPPORTED_PYTHON_VERSIONS) }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Run pytest composite
         uses: ./.github/workflows/pytest
         with:
@@ -71,7 +74,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [ pytest ]        # starts only after pytest completes
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Run SonarCloud composite
         uses: ./.github/workflows/sonar
         with: