fix issues after changing

Author: bradjin8

.github/workflows/tests.yml

@@ -22,6 +22,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
@@ -53,7 +55,8 @@ jobs:
           PY
 
       - name: Install pip-tools
-        run: python -m pip install pip-tools
+        # Pin matches update-lock.yml so lock verification uses the same resolver.
+        run: python -m pip install 'pip-tools==7.5.3'
 
       - name: Verify requirements-lock.txt is up to date
         # Same pip-compile flags as update-lock.yml, without --upgrade.

.github/workflows/update-lock.yml

@@ -18,14 +18,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
         with:
           python-version: "3.12"
 
       - name: Install pip-tools
-        run: python -m pip install pip-tools
+        # Pin matches tests.yml lockfile job so lock generation and verification agree.
+        run: python -m pip install 'pip-tools==7.5.3'
 
       - name: Regenerate lock file
         run: |
@@ -43,7 +46,7 @@ jobs:
           cat > /tmp/lock-header <<'EOF'
           # Pinned lock file — generated by pip-compile (pip-tools).
           # Install: pip install -r requirements-lock.txt
-          # Update:  pip-compile requirements.txt --output-file requirements-lock.txt --no-header --annotation-style=line --allow-unsafe
+          # Update:  pip-compile requirements.txt --output-file requirements-lock.txt --no-header --annotation-style=line --allow-unsafe --upgrade
           # Run periodically (e.g. via the "Update dependency lock file" CI workflow) to pick up
           # upstream patch / security releases within the bounded ranges in requirements.txt.
           EOF

README.md

@@ -71,7 +71,9 @@ pip install -r requirements-lock.txt
 
 Runtime version **bounds** live in `pyproject.toml` under `[project.dependencies]` (`flask`, `fpdf2`, `pillow`, etc.). `requirements.txt` mirrors those specifiers for backward compatibility — keep them identical when you change deps.
 
-**CI** installs from `requirements-lock.txt`, which pins exact versions (including transitive packages). Regenerate the lock after editing bounds:
+**CI** installs from `requirements-lock.txt`, which pins exact versions (including transitive packages). The lock is produced on **Linux** (same as CI and `update-lock.yml`); `pip-compile` on Windows may add platform-only pins such as `colorama` — do not commit those.
+
+Regenerate after editing bounds (prefer **Actions → Update dependency lock file → Run workflow**, or on Linux / WSL):
 
 ```bash
 pip install pip-tools

requirements-lock.txt

@@ -1,11 +1,12 @@
 # Pinned lock file — generated by pip-compile (pip-tools).
 # Install: pip install -r requirements-lock.txt
-# Update:  pip-compile requirements.txt --output-file requirements-lock.txt --no-header --annotation-style=line --allow-unsafe
+# Update:  pip-compile requirements.txt --output-file requirements-lock.txt --no-header --annotation-style=line --allow-unsafe --upgrade
 # Run periodically (e.g. via the "Update dependency lock file" CI workflow) to pick up
 # upstream patch / security releases within the bounded ranges in requirements.txt.
+# Lock is generated on Linux (CI / update-lock.yml). Windows-only transitives (e.g.
+# colorama via click) are omitted — pip still installs them on Windows when needed.
 blinker==1.9.0            # via flask
 click==8.4.0              # via flask
-colorama==0.4.6           # via click
 defusedxml==0.7.1         # via fpdf2
 flask==3.1.3              # via -r requirements.txt
 fonttools==4.63.0         # via fpdf2