chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0 #2
Merged
plusultra-ops merged 1 commit on May 27, 2026
Conversation
plusultra-ops added a commit that referenced this pull request on May 25, 2026
* chore: remove operator-internal kill-gate file
* chore: remove operator-internal landing-copy draft
* fix(pyproject): correct project URLs to plusultra-tools; drop unused pydantic dep
  - Homepage/Issues URLs were pointing at github.com/plusultra/... (404, wrong org slug). Replaced with github.com/plusultra-tools/... per red-team blocker A.
  - pydantic>=2.0 was declared but never imported anywhere in src/. Removed to avoid forcing a ~5 MB transitive dep for a feature that does not exist (red-team major B/A).
* docs(readme): honest v0.1-scaffold framing; strike overclaims
  Per red-team blockers (Persona C/E #1, Persona A #2):
  - Replace 'zero-config validator' pitch with explicit 'scaffold, not validator' status block at the top. Almost any resource returns valid=true in v0.1; this is documented expectation.
  - Strike 'Hosted CI-as-a-service €19-49/mo' pricing block (no DPA, no Stripe, no legal entity; premature commercial claim).
  - Strike r/HL7 distribution claim (subreddit does not exist).
  - Add badges (CI, Python, License, Status).
  - Add explicit 'Use HAPI/Firely if you need real validation today' callout.
  - Add HL7/FHIR trademark attribution.
  - Drop pricing entirely until a design partner exists.
* fix(igs): fail-closed on placeholder packs in verify_pack_integrity
  Per red-team Persona D blocker: v0.1.0 returned True for any bytes when the manifest entry was marked placeholder=true. In v0.2 (when real packs ship) this would be a supply-chain hole: an attacker re-flagging a tampered pack as placeholder bypasses verification silently.
  Fix: placeholder entries have NO integrity claim by construction and now always return False. Callers that want to accept a placeholder must inspect get_ig(name).placeholder explicitly; verify_pack_integrity will never assert 'verified' for them.
  Adds 3 regression tests covering unknown IG, default fail-closed, and opted-in path.
* ci: SHA-pin GitHub Actions; add Dependabot for actions+pip
  Per red-team Persona D major:
  - Pin actions/checkout@v4 to commit 34e114876b0b... (full SHA)
  - Pin actions/setup-python@v5 to commit a26af69be951... (full SHA)
  - Tag-based pinning lets a compromise of the action publisher's release tag propagate to all downstream pipelines; SHA-pinning prevents that.
  - Trailing comment preserves the human-readable version for review.
  - Add dependabot.yml so action+pip pins are kept fresh with reviewed PRs (weekly schedule, cap 5 open PRs per ecosystem).
* docs: add CONTRIBUTING.md with PHI-redaction guidance; align CHANGELOG date
  Per red-team Persona A major + Persona C blocker:
  - CONTRIBUTING.md was missing. New file covers dev install, test command, PHI redaction rules for bug reports, PR checklist (no real PHI, manifest sha256 either real or placeholder).
  - CHANGELOG was dated 2026-05-14 (workspace build date) but the repo pushed 2026-05-15. Align to actual publish date so wheel metadata matches.
  - Document the fail-closed change + Actions SHA-pin under Security.
* fix(cli): cap input resource size + reject non-object top-level JSON
  Per red-team Persona D major:
  - Without an upper bound on resource size, a 1 GB JSON file will OOM the process. Reject anything over 100 MB by default (FHIR resources in practice are <1 MB; this is a generous Bundle ceiling). Tunable via FHIRV_MAX_RESOURCE_BYTES env var.
  - Reject top-level JSON arrays / scalars early (must be a resource object). Previously these would crash in validator with unhelpful tracebacks.
* docs(security): CRA-aligned timelines, placeholder-pack reality, PHI handling
  Per red-team Persona C minor + D major + C blocker:
  - Note CRA Annex VII alignment from late 2027 (24h notification for actively exploited vulns); v0.1 stays at best-effort 72h pre-CRA.
  - Reflect the fail-closed change: placeholder packs have no integrity claim by construction. Real verification arrives with real packs in v0.2.
  - Mention the 100 MB input cap as partial DoS mitigation.
  - Forbid PHI in issues; point to CONTRIBUTING for redaction guidance.
* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2
  Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
  - [Release notes](https://github.com/actions/checkout/releases)
  - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
  - [Commits](actions/checkout@34e1148...de0fac2)
  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-version: 6.0.2
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: plusultra-ops <plusultra.dev@proton.me>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
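The SHA-pinning rationale in the `ci:` commit above (a mutable tag lets a compromised publisher retarget every downstream pipeline; a full commit SHA plus a trailing version comment does not) is easy to enforce mechanically. The script below is an added example, not the project's own workflow or tooling: it scans workflow text for `uses:` lines and reports any reference that is not a 40-hex commit SHA, or that is SHA-pinned but lacks the `# vX.Y.Z` comment a reviewer needs. The sample workflow, the two 40-hex SHAs in it, and the names `lint_workflow`, `is_sha_pinned` and `Finding` are all constructed for this example; it needs only the standard library.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example (not the project's own tooling). A tag such as `@v4` resolves to
whatever commit the publisher's tag points at today, so a retargeted tag is
picked up by every downstream pipeline on its next run. A 40-hex commit SHA is
immutable. The trailing `# vX.Y.Z` comment keeps the version readable for
reviewers and for automated bumps.
"""
import re
import sys
from typing import NamedTuple

# Constructed sample workflow, not a real repository file. The two 40-hex
# strings are placeholder SHAs, not the commits of any published action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5.6.0
        with:
          python-version: "3.12"
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: python -m pytest
"""


class Finding(NamedTuple):
    line: int
    action: str
    ref: str
    severity: str  # "error" (mutable ref) or "warning" (pinned, no version comment)
    message: str


# `- uses: owner/repo@ref` with an optional trailing `# comment`
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)(?:\s+#\s*(?P<comment>.*))?\s*$")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
_VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")


def is_sha_pinned(ref: str) -> bool:
    """True only for a full 40-character hex commit SHA; short SHAs and tags fail."""
    return bool(_SHA_RE.fullmatch(ref.lower()))


def lint_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not SHA-pinned with a version comment."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("\"'")
        # Local composite actions and docker:// images are not tag-pinned
        # marketplace actions; they are out of scope for this check.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.rpartition("@")
        if not sep:
            findings.append(Finding(lineno, target, "", "error",
                                    "no ref at all; resolves to the default branch"))
        elif not is_sha_pinned(ref):
            findings.append(Finding(lineno, action, ref, "error",
                                    "mutable tag/branch ref; pin to a full commit SHA"))
        elif not _VERSION_COMMENT_RE.match((m.group("comment") or "").strip()):
            findings.append(Finding(lineno, action, ref, "warning",
                                    "SHA-pinned but missing trailing '# vX.Y.Z' comment"))
    return findings


def main(paths: list[str]) -> int:
    """Lint the given workflow files (or the built-in sample); exit 1 on any error."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    worst = 0
    for name, text in sources:
        for f in lint_workflow(text):
            print(f"{name}:{f.line}: {f.severity}: {f.action}@{f.ref or '<none>'}: {f.message}")
            if f.severity == "error":
                worst = 1
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it lints the built-in sample and reports `actions/checkout@v4` as an error and the comment-less `actions/cache` pin as a warning; pass `.github/workflows/*.yml` to lint real files. The non-zero exit on any error lets it sit in CI as a gate so a tag-pinned action cannot be merged back in after the pins have been converted.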
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)
---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Compare: 5678193 to 13ddabb
Bumps actions/setup-python from 5.6.0 to 6.2.0.
Release notes
Sourced from actions/setup-python's releases.
... (truncated)
Commits
- a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
- bfe8cc5 Upgrade @actions dependencies to Node 24 compatible versions (#1259)
- 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
- 83679a8 Bump @types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
- bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
- 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
- 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
- cfd55ca graalpy: add graalpy early-access and windows builds (#880)
- bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
- 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...