conflict resolved

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 4.5.1
+current_version = 4.5.5
 
 [bumpversion:file:pyproject.toml]
 

.github/dependabot.yml

@@ -9,3 +9,9 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/codeql.yml

@@ -11,6 +11,9 @@
 #
 name: "CodeQL"
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ "main" ]
@@ -42,11 +45,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
       with:
         languages: ${{ matrix.language }}
         config-file: ./.github/codeql/codeql-config.yml
@@ -61,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -74,6 +77,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/python-publish.yml

@@ -3,12 +3,38 @@ on:
   push:
     tags:
       - "v*.*.*"
+
+permissions:
+  contents: read
+
 jobs:
-  build:
+  publish:
     runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
+
     steps:
-      - uses: actions/checkout@v2
-      - name: Build and publish to pypi
-        uses: JRubics/[email protected]
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
+      - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0
         with:
-          pypi_token: ${{ secrets.PYPI_TOKEN }}
+          python-version: '3.8' # use the oldest supported Python version for publishing
+
+      - name: Build Package
+        run: | 
+          pip install poetry
+          poetry install
+          poetry build
+
+      - name: Publish package distributions to Test-PyPI
+        uses: pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598 # release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598 # release/v1
+
+
+

.github/workflows/python-test.yml

@@ -9,6 +9,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   test:
 
@@ -19,9 +22,9 @@ jobs:
         python-version: ["3.8", "3.9", "3.10", "3.11"]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies

.readthedocs.yml

@@ -1,5 +1,14 @@
+# Required
+version: 2
+
+build:
+  os: "ubuntu-20.04"
+  tools:
+    python: "3.8"
+
 python:
-    version: 3
-    pip_install: true
-    extra_requirements:
+  install:
+    - method: pip
+      path: .
+      extra_requirements:
         - docs

CHANGELOG.rst

@@ -1,6 +1,13 @@
 Changelog
 =============
 
+**4.5.5**
+  - Update Flask to 2.3.2: [CVE-2023-30861](https://github.com/advisories/GHSA-m2qf-hxjv-5gpq)
+  - Update pytest from 7.2.1 to 7.3.1 
+  - Use trusted provider flow to publish to pypi 
+
+> Releases 4.5.1-4 were used to test the new GitHub workflow and are only pushed to Test-PYPI
+
 **4.5**
   - Drop Python 3.7 support
   - Update dependencies

README.rst

@@ -1,4 +1,4 @@
-|Build Status| |Coverage Status| |Known Vulnerabilities| |PYUP|
+|Build Status| |Coverage Status| |Known Vulnerabilities| |PYUP| |OpenSSF Best Practices|
 
 Open Broker API
 ===============
@@ -163,8 +163,6 @@ So let us check how you can contribute:
     - Always add tests for your feature, if you are not familiar with writing tests, ask for help.
     - Hint: To update your fork with the newest changes, follow `these instructions <https://stackoverflow.com/a/7244456/2947505>`_.
 
-[ ~ Dependencies scanned by PyUp.io ~ ]
-
 .. _Github Issues: https://github.com/eruvanos/openbrokerapi/issues
 
 .. |Build Status| image:: https://github.com/eruvanos/openbrokerapi/actions/workflows/python-test.yml/badge.svg
@@ -175,3 +173,5 @@ So let us check how you can contribute:
    :target: https://github.com/eruvanos/openbrokerapi/actions/workflows/codeql.yml
 .. |PYUP| image:: https://pyup.io/repos/github/eruvanos/openbrokerapi/shield.svg
      :target: https://pyup.io/repos/github/eruvanos/openbrokerapi/
+.. |OpenSSF Best Practices| image:: https://bestpractices.coreinfrastructure.org/projects/7220/badge
+     :target: https://bestpractices.coreinfrastructure.org/projects/7220/badge)](https://bestpractices.coreinfrastructure.org/projects/7220

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| >=4.5.x | :white_check_mark: |
+| <4.5    | :x:                |
+
+## Reporting a Vulnerability
+
+In case of any vulnerability please inform the [project owner maintainer](mailto:[email protected])
+We will respond with a couple of days.

doc/conf.py

@@ -60,9 +60,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = "4.5.1"
+version = "4.5.5"
 # The full version, including alpha/beta/rc tags.
-release = "4.5.1"
+release = "4.5.5"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.