ci: add Dependabot config, update GitHub Actions workflows with pinned versions, add security policy, and bump project version to 1.1.0 (#23)

Author: imakecodes

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    open-pull-requests-limit: 10

.github/workflows/ci.yml

@@ -5,6 +5,9 @@ on:
   pull_request:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test (Python ${{ matrix.python-version }}, Django ${{ matrix.django-name }})
@@ -47,23 +50,23 @@ jobs:
             django-name: "5.2"
             django-constraint: "django>=5.2,<5.3"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "${{ matrix.python-version }}"
-      - uses: astral-sh/setup-uv@v5
+      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       - name: Run tests
         run: make test-django PYTHON=${{ matrix.python-version }} DJANGO_CONSTRAINT='${{ matrix.django-constraint }}'
 
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.13"
-      - uses: astral-sh/setup-uv@v5
+      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       - name: Sync dependencies
         run: make sync
       - name: Run lint
@@ -73,10 +76,10 @@ jobs:
     name: Package Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.13"
-      - uses: astral-sh/setup-uv@v5
+      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       - name: Build package
         run: make build

.github/workflows/dependency-review.yml

@@ -0,0 +1,18 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Review dependency changes
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
+        with:
+          fail-on-severity: moderate

.github/workflows/production.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: read
+
 jobs:
   metadata:
     name: Release Metadata
@@ -13,7 +16,7 @@ jobs:
       package_version: ${{ steps.version.outputs.package_version }}
       git_tag: ${{ steps.version.outputs.git_tag }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Read package version
         id: version
         run: |
@@ -44,17 +47,17 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.13"
-      - uses: astral-sh/setup-uv@v5
+      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       - name: Sync dependencies
         run: make sync
       - name: Build package
         run: make build
       - name: Upload distribution artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: dist-${{ needs.metadata.outputs.package_version }}
           path: dist/*
@@ -70,11 +73,11 @@ jobs:
     environment: pypi
     steps:
       - name: Download distribution artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: dist-${{ needs.metadata.outputs.package_version }}
           path: dist
       - name: Publish package
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@106e0b0b7c337fa67ed433972f777c6357f78598 # v1.13.0
         with:
           packages-dir: dist

.github/workflows/publish-to-test-pypi.yml

@@ -3,14 +3,17 @@ name: Publish 📦 to PyPI test server 🐍
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   metadata:
     name: Release Metadata
     runs-on: ubuntu-latest
     outputs:
       package_version: ${{ steps.version.outputs.package_version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Read package version
         id: version
         run: |
@@ -36,17 +39,17 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.13"
-      - uses: astral-sh/setup-uv@v5
+      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       - name: Sync dependencies
         run: make sync
       - name: Build package
         run: make build
       - name: Upload distribution artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: dist-${{ needs.metadata.outputs.package_version }}
           path: dist/*
@@ -62,12 +65,12 @@ jobs:
     environment: testpypi
     steps:
       - name: Download distribution artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: dist-${{ needs.metadata.outputs.package_version }}
           path: dist
       - name: Publish package
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@106e0b0b7c337fa67ed433972f777c6357f78598 # v1.13.0
         with:
           packages-dir: dist
           repository-url: https://test.pypi.org/legacy/

SECURITY.md

@@ -0,0 +1,34 @@
+# Security Policy
+
+## Supported Release Process
+
+This project follows a tag-driven release process for production publishing:
+
+- CI runs on pull requests and pushes
+- production publishing runs only from tags matching `vX.Y.Z`
+- the release workflow validates that the Git tag matches `project.version`
+- production and TestPyPI publishing use Trusted Publishing with GitHub OIDC
+- release artifacts are built in CI and published from those exact artifacts
+
+## Reporting a Vulnerability
+
+Please do not open a public issue for suspected security vulnerabilities.
+
+Instead:
+
+1. Contact the maintainers privately.
+2. Include a clear description of the issue, affected versions, impact, and reproduction steps.
+3. If possible, include a proposed fix or mitigation.
+
+Until a dedicated private reporting channel is published for this repository, use the maintainer contact listed in `pyproject.toml`.
+
+## Supply Chain Controls
+
+This repository uses several controls intended to reduce supply-chain risk:
+
+- third-party GitHub Actions are pinned to immutable commit SHAs
+- pull requests run dependency review checks
+- publishing is gated by CI and uses Trusted Publishing
+- GitHub Actions dependency updates are handled through Dependabot
+
+These controls reduce risk, but they do not eliminate it. Review dependency changes and release workflow changes carefully.

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "django-dbml"
-version = "1.0.1"
+version = "1.1.0"
 description = "Django extension aimed to generate DBML from installed models."
 readme = "README.md"
 requires-python = ">=3.11"