Preparations - v3.0.0 (#230)

Author: btschwertfeger

.github/workflows/_build.yaml

@@ -18,12 +18,23 @@ on:
         type: string
         required: true
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   Build:
     runs-on: ${{ inputs.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
@@ -66,7 +77,7 @@ jobs:
         run: python -m build
 
       - name: Store the distribution packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         # upload artifacts with the oldest supported version
         if: runner.os == 'linux' && inputs.python-version == '3.11'
         with:

.github/workflows/_build_doc.yaml

@@ -17,12 +17,18 @@ on:
         type: string
         required: true
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   Build:
     runs-on: ${{ inputs.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
@@ -34,9 +40,10 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt update
-          sudo apt install -y pandoc
-          python -m pip install --upgrade pip
-          python -m pip install -r doc/requirements.txt
+          DEBIAN_FRONTEND=noninteractive sudo apt install -y pandoc
+          python -m pip install --user -r doc/requirements.txt
+          python -m pip install --user --upgrade pip
+          python -m pip install --user .
 
       - name: Build the documentation
-        run: cd doc && make html
+        run: make doc

.github/workflows/_codecov.yaml

@@ -33,7 +33,8 @@ on:
       FUTURES_SANDBOX_SECRET:
         required: true
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   CodeCov:
@@ -44,6 +45,24 @@ jobs:
       PYTHON: ${{ inputs.python-version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.codecov.io:443
+            api.kraken.com:443
+            cli.codecov.io:443
+            demo-futures.kraken.com:443
+            files.pythonhosted.org:443
+            futures.kraken.com:443
+            github.com:443
+            pypi.org:443
+            storage.googleapis.com:443
+            ws-auth.kraken.com:443
+            ws.kraken.com:443
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
@@ -56,7 +75,7 @@ jobs:
         run: python -m pip install --upgrade pip
 
       - name: Install package
-        run: python -m pip install ".[test]"
+        run: python -m pip install ".[dev,test]"
 
       - name: Generate coverage report
         env:
@@ -66,10 +85,16 @@ jobs:
           FUTURES_SECRET_KEY: ${{ secrets.FUTURES_SECRET_KEY }}
           FUTURES_SANDBOX_KEY: ${{ secrets.FUTURES_SANDBOX_KEY }}
           FUTURES_SANDBOX_SECRET: ${{ secrets.FUTURES_SANDBOX_SECRET }}
-        run: pytest -vv --cov --cov-report=xml:coverage.xml -m "not flaky" tests
+        run: pytest -vv --cov --cov-report=xml:coverage.xml tests
+
+      - name: Export coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage.xml
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: coverage.xml

.github/workflows/_codeql.yaml

@@ -30,12 +30,25 @@ jobs:
     # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
+      - name: "Dependency Review"
+        if: github.event_name == 'pull_request'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
+
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           languages: python
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -48,7 +61,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -61,6 +74,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           category: "/language:python"

.github/workflows/_pre_commit.yaml

@@ -10,12 +10,24 @@ name: Pre-Commit
 on:
   workflow_call:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   Pre-Commit:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            proxy.golang.org:443
+            pypi.org:443
+            registry.npmjs.org:443
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/_pypi_publish.yaml

@@ -20,23 +20,25 @@ jobs:
   publish-to-pypi:
     name: Publish Python distribution to PyPI
     runs-on: ubuntu-latest
-
     permissions:
       id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing
-
     environment:
       name: pypi
       url: https://pypi.org/p/python-cmethods
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - name: Download all the distributions
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: python-package-distributions
           path: dist/
 
       - name: Publish package distributions to PyPI (optional - testpypi)
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # release/v1
         with:
           password: ${{ secrets.API_TOKEN }}
           repository-url: https://upload.pypi.org/legacy/

.github/workflows/_pypi_test_publish.yaml

@@ -26,14 +26,19 @@ jobs:
       name: testpypi
       url: https://test.pypi.org/p/python-cmethods
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - name: Download all the distributions
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: python-package-distributions
           path: dist/
 
       - name: Publish package distributions to PyPI (optional - testpypi)
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # release/v1
         with:
           password: ${{ secrets.API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/

.github/workflows/_test_futures_private.yaml

@@ -30,13 +30,26 @@ on:
       FUTURES_SANDBOX_SECRET:
         required: true
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   Test-Futures:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}
     runs-on: ${{ inputs.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            demo-futures.kraken.com:443
+            files.pythonhosted.org:443
+            futures.kraken.com:443
+            github.com:443
+            pypi.org:443
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 

.github/workflows/_test_futures_public.yaml

@@ -20,13 +20,25 @@ on:
         type: string
         required: true
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   Test-Futures:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}
     runs-on: ${{ inputs.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            futures.kraken.com:443
+            github.com:443
+            pypi.org:443
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 

.github/workflows/_test_nft_private.yaml

@@ -22,13 +22,25 @@ on:
       SPOT_SECRET_KEY:
         required: true
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   Test-NFT:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}
     runs-on: ${{ inputs.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.kraken.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7