fix: bump cryptography to 46.0.5 and expand CI security coverage

- Bump cryptography 44.0.1 → 46.0.5 (CVE-2026-26007)
- Bump Markdown 3.4.4 → 3.8.1 (CVE-2025-69534)
- Add Python 3.13 to quality and security CI matrices
- Add bandit static analysis to security workflow and tox
- Run security checks on pull_request events (not just push)
- Fix SonarQube condition: only run on push or non-fork pull_request
- Remove untrusted fork code execution from sonar_fork_pr job
- Prevent duplicate CI runs via pull_request_target
- Fix stale bot messages and align bandit args with pre-commit

Author: deacon-mp

.github/workflows/quality.yml

@@ -7,7 +7,7 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
   pull_request_target:
-    types: [opened, synchronize, reopened, ready_for_review]  # added for fork PRs
+    types: [opened, synchronize, reopened, ready_for_review]
   workflow_dispatch:
 
 permissions:
@@ -16,6 +16,7 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request_target'
     permissions:
       contents: read
       pull-requests: read
@@ -29,20 +30,22 @@ jobs:
             toxenv: py311,style,coverage-ci
           - python-version: 3.12
             toxenv: py312,style,coverage-ci
+          - python-version: 3.13
+            toxenv: py313,style,coverage-ci
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
-          fetch-depth: 0  # shallow clones should be disabled for analysis
+          fetch-depth: 0
 
       - name: Setup python
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
         with:
           node-version: '20'
 
@@ -58,42 +61,35 @@ jobs:
           TOXENV: ${{ matrix.toxenv }}
         run: tox
 
-      # --- Sonar scan for pushes and same-repo PRs only ---
       - name: SonarQube Scan
-        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        if: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) }}
         uses: SonarSource/sonarqube-scan-action@v6.0.0
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # needed for PR info
-          SONAR_TOKEN:  ${{ secrets.SONAR_TOKEN }}
-        # Uncomment if your sonar-project.properties is in a subfolder:
-        # with:
-        #   args: |
-        #     -Dsonar.projectBaseDir=caldera
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
-  # --- Sonar scan for forked PRs (runs safely with pull_request_target) ---
   sonar_fork_pr:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork }}
     permissions:
       contents: read
-      pull-requests: write   # remove if you don't want PR comments
+      pull-requests: write
     steps:
       - name: Checkout base repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.base.sha }}
           fetch-depth: 0
-  
+
       - name: Checkout PR HEAD (fork)
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
           path: pr
           fetch-depth: 0
           submodules: recursive
-  
-      # Detect where the sonar-project.properties actually is (pr/ or pr/caldera)
+
       - name: Detect Sonar base dir
         id: detect
         run: |
@@ -103,21 +99,14 @@ jobs:
           elif [ -f pr/sonar-project.properties ]; then
             echo "base=pr" >> "$GITHUB_OUTPUT"
           else
-            echo "No sonar-project.properties found under pr/ or pr/caldera"
-            echo "base=pr" >> "$GITHUB_OUTPUT"   # fallback to repo root
+            echo "base=pr" >> "$GITHUB_OUTPUT"
           fi
-          echo "Using base dir: $(grep '^base=' "$GITHUB_OUTPUT" | cut -d= -f2)"
-          echo "Has SONAR_TOKEN? $([ -n "${SONAR_TOKEN:-}" ] && echo yes || echo no)"
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-  
-      # If your project key/org are NOT in the properties file, uncomment and set below
+
       - name: SonarQube Scan (fork PR)
         uses: SonarSource/sonarqube-scan-action@v6.0.0
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # SONAR_HOST_URL: https://sonarcloud.io  # set if you’re self-hosted or non-default
         with:
           projectBaseDir: ${{ steps.detect.outputs.base }}
           args: |

.github/workflows/security.yml

@@ -1,6 +1,9 @@
 name: Security Checks
 
-on: [push]
+on:
+  push:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
 
 permissions:
   contents: read
@@ -12,26 +15,24 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          # - python-version: 3.9
-          #   toxenv: safety
-          - python-version: 3.10.9
-            toxenv: safety
-          - python-version: 3.11
+          - python-version: 3.13
             toxenv: safety
+          - python-version: 3.13
+            toxenv: bandit
 
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
       - name: Setup python
-        uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
         run: |
           pip install --upgrade virtualenv
           pip install tox
-      - name: Run tests
+      - name: Run security checks
         env:
           TOXENV: ${{ matrix.toxenv }}
         run: tox

.github/workflows/stale.yml

@@ -22,8 +22,8 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-label: 'no-issue-activity'
         stale-pr-label: 'no-pr-activity'
-        stale-pr-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-        stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
+        stale-pr-message: 'This pull request is stale because it has had no activity for 60 days. Remove the stale label or comment or this will be closed in 60 days'
+        stale-issue-message: 'This issue is stale because it has had no activity for 60 days. Remove the stale label or comment or this will be closed in 60 days'
         exempt-issue-labels: 'feature,keep'
         days-before-stale: 60
         days-before-close: 60

requirements.txt

@@ -5,7 +5,7 @@ aiohttp-security==0.4.0
 aiohttp-apispec==3.0.0b2
 jinja2==3.1.6
 pyyaml==6.0.1
-cryptography==44.0.1
+cryptography==46.0.5
 websockets==15.0
 Sphinx==7.1.2
 sphinx_rtd_theme==1.3.0
@@ -19,7 +19,7 @@ reportlab==4.0.4  # debrief
 rich==13.7.0
 lxml==6.0.2  # debrief
 svglib==1.5.1  # debrief
-Markdown==3.4.4  # training
+Markdown==3.8.1  # training
 dnspython==2.6.1
 asyncssh==2.20.0
 aioftp~=0.20.0

tox.ini

@@ -6,7 +6,7 @@
 [tox]
 skipsdist = True
 envlist =
-    py{310,311,312}
+    py{310,311,312,313}
     style
     coverage
     safety
@@ -64,3 +64,10 @@ whitelist_externals=find
 commands =
     safety check -r requirements.txt --ignore 39642 --ignore 39659
     safety check -r requirements-dev.txt
+
+[testenv:bandit]
+deps =
+    bandit
+skip_install = true
+commands =
+    bandit -r app -ll --exclude=tests/ --skip=B303