Add support for Python 3.13

.github/actions/common-setup/action.yml

@@ -5,12 +5,12 @@ inputs:
   python_version:
     description: "Python version to setup"
     required: true
-    default: "3.10"
+    default: "3.13"
 runs:
   using: "composite"
   steps:
     - name: Set up Python 🐍
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: ${{ inputs.python_version }}
 
@@ -27,19 +27,19 @@ runs:
       shell: bash
 
     - name: Install Poetry
-      uses: abatilo/actions-poetry@v2
+      uses: abatilo/actions-poetry@65c61eae400c65c9510a584af85138c1ae19bbc0 # v3.0.2
       with:
-        poetry-version: 1.7.1
+        poetry-version: 2.1.3
 
     # Cache your dependencies (i.e. all the stuff in your `pyproject.toml`). Note the cache
     # key: if you're using multiple Python versions, or multiple OSes, you'd need to include
     # them in the cache key. I'm not, so it can be simple and just depend on the poetry.lock.
     - name: cache deps
       id: cache-deps
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ~/.cache/pypoetry
-        key: pydeps-${{ inputs.python_version }}-$ {{ env.shellos }}-${{ hashFiles('**/poetry.lock') }}
+        key: pydeps-${{ inputs.python_version }}-${{ env.shellos }}-${{ hashFiles('**/poetry.lock') }}
 
     # Install dependencies. `--no-root` means "install all dependencies but not the project
     # itself", which is what you want to avoid caching _your_ code. The `if` statement

.github/dependabot.yml

@@ -0,0 +1,41 @@
+version: 2
+updates:
+- package-ecosystem: "pip"
+  directory: "/"
+  commit-message:
+    prefix: "pip"
+    prefix-development: "pip-dev"
+  labels: [ 'chore' ]
+  assignees:
+  - "Wenzel"
+  schedule:
+    interval: "cron"
+    cronjob: "0 7 * * *"
+    timezone: "Europe/Paris"
+  groups:
+    pip-dev-dependencies:
+      applies-to: version-updates
+      patterns:
+      - "*"
+      dependency-type: development
+    pip-prod-dependencies:
+      applies-to: version-updates
+      patterns:
+      - "*"
+      dependency-type: production
+- package-ecosystem: "github-actions"
+  directory: "/"
+  commit-message:
+    prefix: "actions"
+  labels: [ 'chore' ]
+  assignees:
+  - "Wenzel"
+  schedule:
+    interval: "cron"
+    cronjob: "0 7 * * *"
+    timezone: "Europe/Paris"
+  groups:
+    actions-dependencies:
+      applies-to: version-updates
+      patterns:
+      - "*"

.github/workflows/ci.yml

@@ -18,7 +18,7 @@ jobs:
         task: ["fmt", "lint"]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - uses: ./.github/actions/common-setup
 
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - uses: ./.github/actions/common-setup
 
@@ -42,11 +42,11 @@ jobs:
     runs-on: windows-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - uses: ./.github/actions/common-setup
         with:
-          python_version: 3.11
+          python_version: 3.13
 
       - name: Add entrypoint to bypass issue with relative imports in PyInstaller
         run: powershell -Command 'Invoke-WebRequest https://gist.githubusercontent.com/Wenzel/e38d227d94f16e026b3aed03ea6a6661/raw/383ec56d62c58e444f6c5962ee6940a5c583d341/stub.py -OutFile stub.py'
@@ -56,7 +56,7 @@ jobs:
         shell: bash
 
       - name: Upload Windows release artefact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: checksec.exe
           path: dist/checksec.exe
@@ -77,7 +77,7 @@ jobs:
         shell: bash
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: true
 
@@ -97,14 +97,14 @@ jobs:
     # push on master and tag is 'v*'
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Get the version
         id: get_version
         run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
 
       - name: Create a Release
         id: create_release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -122,15 +122,15 @@ jobs:
       # the deploy action below depends on a checkout of the repo
       # otherwise it fails trying to remote the 'origin' remote
       # https://github.com/JamesIves/github-pages-deploy-action/issues/335
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # download artifacts
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: checksec.exe
 
       - name: Upload a Release Asset
-        uses: actions/[email protected]
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -144,7 +144,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - uses: ./.github/actions/common-setup