chore(security): pin deps and actions, encrypt cache, harden CI#9
Merged
Conversation
- deps: add hashed lockfiles (requirements.lock, requirements-dev.lock); CI installs via --require-hashes then editable --no-deps (reproducible) - actions: SHA-pin checkout/setup-python/cache/upload-artifact - data-cache: AES-256 encrypt the tarball before force-push to the public data-cache branch; decrypt on restore; skip cleanly if key unset - monthly loop: cap runs per calendar month to stop runaway re-triggers - xml: parse arXiv/DBLP responses via defusedxml (entity-expansion safe) - tests: raise coverage floor 55 -> 68 (measured 70.6%) - add Dependabot (actions + pip) and CODEOWNERS gating .github and locks
uv --universal alone dropped tomli (mypy's python<3.11 dep); pin the resolution to py3.10 so --require-hashes finds every transitive requirement.
There was a problem hiding this comment.
Pull request overview
This PR hardens the project’s supply chain and CI by introducing hash-pinned Python lockfiles, SHA-pinning GitHub Actions, and encrypting the public data-cache branch artifact used by the monthly refresh workflow. It also improves XML parsing safety by routing arXiv/DBLP XML parsing through defusedxml.
Changes:
- Add
requirements.lockandrequirements-dev.lockwith hash-pinned, reproducible dependency sets and update CI to install with--require-hashes. - Harden XML parsing by using
defusedxmlfor arXiv/DBLP parsing and adddefusedxmlto project dependencies. - SHA-pin GitHub Actions, encrypt/decrypt the monthly cache tarball before pushing/restoring from
data-cache, and cap re-trigger runs per month.
Reviewed changes
Copilot reviewed 6 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| requirements.lock | Adds a hash-pinned runtime lockfile for reproducible installs. |
| requirements-dev.lock | Adds a hash-pinned dev/test lockfile for reproducible CI tooling and tests. |
| pyproject.toml | Adds defusedxml as a runtime dependency. |
| citeforge/clients/search_apis.py | Switches XML parsing to defusedxml for safer arXiv/DBLP handling. |
| .github/workflows/tests.yml | SHA-pins actions; installs from lockfiles with --require-hashes; raises coverage floor. |
| .github/workflows/monthly-refresh.yml | Encrypts/decrypts cached API responses for the public data-cache branch; adds monthly runaway cap. |
| .github/dependabot.yml | Enables Dependabot updates for GitHub Actions and pip dependencies. |
| .github/CODEOWNERS | Adds ownership rules for CI, lockfiles, and pyproject.toml. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
359
to
362
| try: | ||
| root = ElementTree.fromstring(xml) | ||
| root = safe_xml_fromstring(xml) | ||
| except XML_PARSE_ERRORS: | ||
| return [] |
Comment on lines
773
to
776
| try: | ||
| root = ElementTree.fromstring(xml) | ||
| root = safe_xml_fromstring(xml) | ||
| except XML_PARSE_ERRORS: | ||
| return [] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Supply-chain and secrets hardening. No pipeline-logic changes.
Dependencies (reproducible + hash-pinned)
requirements.lock(runtime) andrequirements-dev.lock(dev), both--generate-hashes, universal.pip install --require-hashes -r <lock>thenpip install -e . --no-deps.defusedxmland route arXiv/DBLP XML parsing through it (entity-expansion safe).CI supply chain
actions/checkout,setup-python,cache,upload-artifact.--cov-fail-under55 -> 68 (measured 70.6% locally).data-cache exposure (public repo)
data-cachebranch. It now AES-256 encrypts the tarball before push and decrypts on restore, keyed by a newCACHE_ENCRYPTION_KEYsecret. If the key is unset it skips cache push/restore cleanly (fresh start), never exposing raw responses.Runaway guard
New
.github/dependabot.yml(github-actions + pip),.github/CODEOWNERSgating.github/, locks, and pyproject.Follow-up (separate, operational)
CACHE_ENCRYPTION_KEYsecret and delete the existing plaintextdata-cachebranch so no raw responses remain public (branch regenerates encrypted on next run).Local gates: ruff clean, mypy clean, 816 passed, coverage 70.6%.