Tooling Updates (#1446)

* rename test job to pytest

* re-order matrix for easier readabiity of outputs

* expose `uv pip install` `--resolution` flag to pytest job matrix

* Bump ruff from v0.11.7  to v0.11.9

* change circleci build workflow to docs-build

* Only output coverage report to conosle when pytest passes (to avoid having to scroll past it to see failures and errors)

* move sshtunnel to requirements

* alphabetize requirements

* Bump ruff from 0.11.9 to 0.11.13

* update format / harden workflows (not python check)

* update python checks workflow

* fix matrix installing python 3.1

* Bump ruff from 0.11.13 to 0.12.2

* Update dependency-review.yml

* hyphenate requirements.txt

* Bump ruff from 0.12.2 to 0.12.9

* Bump bandit from 1.8.3 to 1.8.6

* Bump pre-commit from 4.2 to 4.3

* Bump coverage from 7.9.2 to 7.10.3

* Bump pytest-cov from 6.1.1 to 6.2.1

* Bump pytest-datadir from 1.7.2 to 1.8.0

* Bump testfixtures from 8.3.0 to 9.1.0

* Bump Sphinx from 8.1.3 to 8.2.3

* Allow testfixtures 8.3.0 for python < 3.11

* use sphinx 7 for python < 3.11

* Update coverage.yml

* Bump ruff from 0.12.9 to 0.13.0

* avoid over-broad assert raises in test_van

---------

Co-authored-by: Wil T <wil.t.me@pm.me>

Author: bmos

.github/workflows/coverage.yml

@@ -31,8 +31,12 @@ jobs:
         steps:
             # DO NOT run actions/checkout here, for security reasons
             # For details, refer to https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-            - name: Post comment
-              uses: py-cov-action/python-coverage-comment-action@0544a9c648672334d94ec5dd1add7410b4470ddc  # v3.37
+            - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
+              with:
+                disable-sudo: false
+                egress-policy: audit
+
+            - uses: py-cov-action/python-coverage-comment-action@0544a9c648672334d94ec5dd1add7410b4470ddc  # v3.35
               with:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}
+                  GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}

.github/workflows/dependency-review.yml

@@ -1,28 +1,27 @@
-# Dependency Review Action
-#
-# This Action will scan dependency manifest files that change as part of a Pull Request,
-# surfacing known-vulnerable versions of the packages declared or updated in the PR.
-# Once installed, if the workflow run is marked as required,
-# PRs introducing known-vulnerable packages will be blocked from merging.
-#
-# Source repository: https://github.com/actions/dependency-review-action
 name: Dependency review
 
 on: [pull_request]
 
-permissions:
-    contents: read
+permissions: read-all
 
 jobs:
-    dependency-review:
-        runs-on: ubuntu-latest
-        steps:
-            - name: Harden Runner
-              uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-              with:
-                  egress-policy: audit
+   dependency-review:
+    name: Dependency review
 
-            - name: 'Checkout Repository'
-              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-            - name: 'Dependency Review'
-              uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+              api.github.com:443
+              api.securityscorecards.dev:443
+              github.com:443
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b
+        with:
+          allow-ghsas: GHSA-pq67-6m6q-mj2v  # urllib3