frequenz-floss · llucax · Mar 30, 2026 · Mar 18, 2026 · Mar 30, 2026 · Mar 26, 2026
@@ -20,7 +20,7 @@ jobs:
         # only use hashes to pick the action to execute (instead of tags or branches).
         # For more details read:
         # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b  # 6.0.1
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b  # v6.0.1
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           dot: true
@@ -2,12 +2,10 @@
 
 ## Summary
 
-<!-- Here goes a general summary of what this release is about -->
+This release improves workflows security, adds a black migration workflow, and fixes failed migrations from version v0.16.0.
 
 ## Upgrading
 
-<!-- Here goes notes on how to upgrade from previous versions, including deprecations and what they should be replaced with -->
-
 ### Cookiecutter template
 
 All upgrading should be done via the migration script or regenerating the templates.
@@ -18,20 +16,16 @@ curl -sSLf https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config
 
 But you might still need to adapt your code:
 
-<!-- Here upgrade steps for cookiecutter specifically -->
-
 ## New Features
 
-<!-- Here goes the main new features and examples or instructions on how to use them -->
-
 ### Cookiecutter template
 
 - Add a `black-migration.yaml` workflow that automatically reformats code when Dependabot upgrades `black`.
 
 ## Bug Fixes
 
-<!-- Here goes notable bug fixes that are worth a special mention or explanation -->
-
 ### Cookiecutter template
 
 - Fix migration of CI workflow matrices that used `arch`/`os` dimensions with values different from the default template. The v0.16.0 migration relied on exact string matching, so projects with customized matrix items (for example `arch: [amd64]`, `os: [ubuntu-24.04]`) could be left only partially migrated. The new migration step rebuilds the `platform` entries from the existing `arch`/`os` values and only rewrites `runs-on` when it still points to the old matrix keys.
+- Improve workflows security: tighten permissions, avoid potential shell injection, run Python in isolated mode, pin all dependencies using the SHA hash.
+- The unused cross-arch QEMU-based testing infrastructure has been removed. The `.github/containers/nox-cross-arch/` and `.github/containers/test-installation/` directories, as well as the "Cross-Arch Testing" section in `CONTRIBUTING.md`.
@@ -109,7 +109,7 @@
       - name: Migrate
         uses: frequenz-floss/gh-action-dependabot-migrate@"""
     # Broken just to avoid flake8 maximum line length check
-    """b389f72f9282346920150a67495efbae450ac07b  # v1.1.0"
+    """b389f72f9282346920150a67495efbae450ac07b  # v1.1.0
         with:
           migration-script: |
             import os

@@ -5,7 +5,7 @@
 requires = [
   "setuptools == 80.9.0",
   "setuptools_scm[toml] == 8.1.0",
-  "frequenz-repo-config[{{cookiecutter.type}}] == 0.16.0",
+  "frequenz-repo-config[{{cookiecutter.type}}] == 0.17.0",
 {%- if cookiecutter.type == "api" %}
   # We need to pin the protobuf, grpcio and  grpcio-tools dependencies to make
   # sure the code is generated using the minimum supported versions, as older
@@ -104,7 +104,7 @@ dev-mkdocs = [
   "mkdocs-material == 9.6.18",
   "mkdocstrings[python] == 1.0.0",
   "mkdocstrings-python == 2.0.1",
-  "frequenz-repo-config[{{cookiecutter.type}}] == 0.16.0",
+  "frequenz-repo-config[{{cookiecutter.type}}] == 0.17.0",
 ]
 dev-mypy = [
   "mypy == 1.9.0",
@@ -117,7 +117,7 @@ dev-mypy = [
 ]
 dev-noxfile = [
   "nox == 2025.5.1",
-  "frequenz-repo-config[{{cookiecutter.type}}] == 0.16.0",
+  "frequenz-repo-config[{{cookiecutter.type}}] == 0.17.0",
 ]
 dev-pylint = [
   # dev-pytest already defines a dependency to pylint because of the examples
@@ -127,7 +127,7 @@ dev-pylint = [
 dev-pytest = [
   "pytest == 8.4.1",
   "pylint == 3.3.8",       # We need this to check for the examples
-  "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+  "frequenz-repo-config[extra-lint-examples] == 0.17.0",
 {%- if cookiecutter.type != "api" %}
   "pytest-mock == 3.14.0",
   "pytest-asyncio == 1.1.0",

@@ -5,7 +5,7 @@
 requires = [
   "setuptools == 80.9.0",
   "setuptools_scm[toml] == 8.1.0",
-  "frequenz-repo-config[actor] == 0.16.0",
+  "frequenz-repo-config[actor] == 0.17.0",
 ]
 build-backend = "setuptools.build_meta"
 
@@ -61,7 +61,7 @@ dev-mkdocs = [
   "mkdocs-material == 9.6.18",
   "mkdocstrings[python] == 1.0.0",
   "mkdocstrings-python == 2.0.1",
-  "frequenz-repo-config[actor] == 0.16.0",
+  "frequenz-repo-config[actor] == 0.17.0",
 ]
 dev-mypy = [
   "mypy == 1.9.0",
@@ -71,7 +71,7 @@ dev-mypy = [
 ]
 dev-noxfile = [
   "nox == 2025.5.1",
-  "frequenz-repo-config[actor] == 0.16.0",
+  "frequenz-repo-config[actor] == 0.17.0",
 ]
 dev-pylint = [
   # dev-pytest already defines a dependency to pylint because of the examples
@@ -81,7 +81,7 @@ dev-pylint = [
 dev-pytest = [
   "pytest == 8.4.1",
   "pylint == 3.3.8",       # We need this to check for the examples
-  "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+  "frequenz-repo-config[extra-lint-examples] == 0.17.0",
   "pytest-mock == 3.14.0",
   "pytest-asyncio == 1.1.0",
   "async-solipsism == 0.8",

@@ -5,7 +5,7 @@
 requires = [
   "setuptools == 80.9.0",
   "setuptools_scm[toml] == 8.1.0",
-  "frequenz-repo-config[api] == 0.16.0",
+  "frequenz-repo-config[api] == 0.17.0",
   # We need to pin the protobuf, grpcio and  grpcio-tools dependencies to make
   # sure the code is generated using the minimum supported versions, as older
   # versions can't work with code that was generated with newer versions.
@@ -72,7 +72,7 @@ dev-mkdocs = [
   "mkdocs-material == 9.6.18",
   "mkdocstrings[python] == 1.0.0",
   "mkdocstrings-python == 2.0.1",
-  "frequenz-repo-config[api] == 0.16.0",
+  "frequenz-repo-config[api] == 0.17.0",
 ]
 dev-mypy = [
   "mypy == 1.9.0",
@@ -83,7 +83,7 @@ dev-mypy = [
 ]
 dev-noxfile = [
   "nox == 2025.5.1",
-  "frequenz-repo-config[api] == 0.16.0",
+  "frequenz-repo-config[api] == 0.17.0",
 ]
 dev-pylint = [
   # dev-pytest already defines a dependency to pylint because of the examples
@@ -93,7 +93,7 @@ dev-pylint = [
 dev-pytest = [
   "pytest == 8.4.1",
   "pylint == 3.3.8",       # We need this to check for the examples
-  "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+  "frequenz-repo-config[extra-lint-examples] == 0.17.0",
 ]
 dev = [
   "frequenz-api-test[dev-mkdocs,dev-flake8,dev-formatting,dev-mkdocs,dev-mypy,dev-noxfile,dev-pylint,dev-pytest]",

@@ -5,7 +5,7 @@
 requires = [
   "setuptools == 80.9.0",
   "setuptools_scm[toml] == 8.1.0",
-  "frequenz-repo-config[app] == 0.16.0",
+  "frequenz-repo-config[app] == 0.17.0",
 ]
 build-backend = "setuptools.build_meta"
 
@@ -60,7 +60,7 @@ dev-mkdocs = [
   "mkdocs-material == 9.6.18",
   "mkdocstrings[python] == 1.0.0",
   "mkdocstrings-python == 2.0.1",
-  "frequenz-repo-config[app] == 0.16.0",
+  "frequenz-repo-config[app] == 0.17.0",
 ]
 dev-mypy = [
   "mypy == 1.9.0",
@@ -70,7 +70,7 @@ dev-mypy = [
 ]
 dev-noxfile = [
   "nox == 2025.5.1",
-  "frequenz-repo-config[app] == 0.16.0",
+  "frequenz-repo-config[app] == 0.17.0",
 ]
 dev-pylint = [
   # dev-pytest already defines a dependency to pylint because of the examples
@@ -80,7 +80,7 @@ dev-pylint = [
 dev-pytest = [
   "pytest == 8.4.1",
   "pylint == 3.3.8",       # We need this to check for the examples
-  "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+  "frequenz-repo-config[extra-lint-examples] == 0.17.0",
   "pytest-mock == 3.14.0",
   "pytest-asyncio == 1.1.0",
   "async-solipsism == 0.8",

@@ -5,7 +5,7 @@
 requires = [
   "setuptools == 80.9.0",
   "setuptools_scm[toml] == 8.1.0",
-  "frequenz-repo-config[lib] == 0.16.0",
+  "frequenz-repo-config[lib] == 0.17.0",
 ]
 build-backend = "setuptools.build_meta"
 
@@ -57,7 +57,7 @@ dev-mkdocs = [
   "mkdocs-material == 9.6.18",
   "mkdocstrings[python] == 1.0.0",
   "mkdocstrings-python == 2.0.1",
-  "frequenz-repo-config[lib] == 0.16.0",
+  "frequenz-repo-config[lib] == 0.17.0",
 ]
 dev-mypy = [
   "mypy == 1.9.0",
@@ -67,7 +67,7 @@ dev-mypy = [
 ]
 dev-noxfile = [
   "nox == 2025.5.1",
-  "frequenz-repo-config[lib] == 0.16.0",
+  "frequenz-repo-config[lib] == 0.17.0",
 ]
 dev-pylint = [
   # dev-pytest already defines a dependency to pylint because of the examples
@@ -77,7 +77,7 @@ dev-pylint = [
 dev-pytest = [
   "pytest == 8.4.1",
   "pylint == 3.3.8",       # We need this to check for the examples
-  "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+  "frequenz-repo-config[extra-lint-examples] == 0.17.0",
   "pytest-mock == 3.14.0",
   "pytest-asyncio == 1.1.0",
   "async-solipsism == 0.8",

@@ -5,7 +5,7 @@
 requires = [
   "setuptools == 80.9.0",
   "setuptools_scm[toml] == 8.1.0",
-  "frequenz-repo-config[model] == 0.16.0",
+  "frequenz-repo-config[model] == 0.17.0",
 ]
 build-backend = "setuptools.build_meta"
 
@@ -61,7 +61,7 @@ dev-mkdocs = [
   "mkdocs-material == 9.6.18",
   "mkdocstrings[python] == 1.0.0",
   "mkdocstrings-python == 2.0.1",
-  "frequenz-repo-config[model] == 0.16.0",
+  "frequenz-repo-config[model] == 0.17.0",
 ]
 dev-mypy = [
   "mypy == 1.9.0",
@@ -71,7 +71,7 @@ dev-mypy = [
 ]
 dev-noxfile = [
   "nox == 2025.5.1",
-  "frequenz-repo-config[model] == 0.16.0",
+  "frequenz-repo-config[model] == 0.17.0",
 ]
 dev-pylint = [
   # dev-pytest already defines a dependency to pylint because of the examples
@@ -81,7 +81,7 @@ dev-pylint = [
 dev-pytest = [
   "pytest == 8.4.1",
   "pylint == 3.3.8",       # We need this to check for the examples
-  "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+  "frequenz-repo-config[extra-lint-examples] == 0.17.0",
   "pytest-mock == 3.14.0",
   "pytest-asyncio == 1.1.0",
   "async-solipsism == 0.8",