Configure Renovate - autoclosed

[renovate]

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

📚 See our Reading List for relevant documentation you may be interested in reading.

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.

---

Detected Package Files

• .github/workflows/cd.yml (github-actions)
• .github/workflows/ci.yml (github-actions)
• .github/workflows/stale.yml (github-actions)
• pyproject.toml (pep621)
• .python-version (pyenv)

Configuration Summary

Based on the default config's presets, Renovate will:

• Start dependency updates only once this onboarding PR is merged
• Hopefully safe environment variables to allow users to configure.
• Show all Merge Confidence badges for pull requests.
• Enable Renovate Dependency Dashboard creation.
• Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
• Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
• Group known monorepo packages together.
• Use curated list of recommended non-monorepo package groupings.
• Show only the Age and Confidence Merge Confidence badges for pull requests.
• Apply crowd-sourced package replacement rules.
• Apply crowd-sourced workarounds for known problems with packages.
• Ensure that every dependency pinned by digest and sourced from GitHub.com contains a link to the commit-to-commit diff
• Correctly link to the source code for golang.org/x packages
• Link to pkg.go.dev/... for golang.org/x packages' title

---

What to Expect

With your current configuration, Renovate will create 2 Pull Requests:

Update pypa/gh-action-pypi-publish action to v1.14.0

• Schedule: ["at any time"]
• Branch name: renovate/pypa-gh-action-pypi-publish-1.x
• Merge into: main
• Upgrade pypa/gh-action-pypi-publish to v1.14.0

Update python Docker tag to v3.14

• Schedule: ["at any time"]
• Branch name: renovate/python-3.x
• Merge into: main
• Upgrade python to 3.14

---

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (a9d6f81) to head (654a857).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #119   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            2         2           
  Lines            7         7           
=========================================
  Hits             7         7           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	3		0	0	0.01s
✅ COPYPASTE	jscpd	yes		no	no	1.4s
✅ JSON	jsonlint	1		0	0	0.1s
⚠️ JSON	prettier	1		1	0	0.37s
✅ JSON	v8r	1		0	0	2.94s
✅ MARKDOWN	markdownlint	17		0	0	0.64s
✅ MARKDOWN	markdown-table-formatter	18		0	0	0.23s
✅ REPOSITORY	checkov	yes		no	no	18.3s
✅ REPOSITORY	gitleaks	yes		no	no	0.39s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	39.36s
⚠️ REPOSITORY	kics	yes		1	no	1.85s
✅ REPOSITORY	secretlint	yes		no	no	1.13s
✅ REPOSITORY	syft	yes		no	no	1.99s
✅ REPOSITORY	trivy	yes		no	no	10.33s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.41s
✅ REPOSITORY	trufflehog	yes		no	no	3.6s
✅ YAML	prettier	10		0	0	0.51s
✅ YAML	v8r	10		0	0	8.87s
✅ YAML	yamllint	10		0	0	0.48s

Detailed Issues

⚠️ REPOSITORY / kics - 1 error

MLLLLLM             MLLLLLLLLL   LLLLLLL             KLLLLLLLLLLLLLLLL       LLLLLLLLLLLLLLLLLLLLLLL 
   MMMMMMM           MMMMMMMMMML    MMMMMMMK       LMMMMMMMMMMMMMMMMMMMML   KLMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM         MMMMMMMMML       MMMMMMMK     LMMMMMMMMMMMMMMMMMMMMMML  LMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM      MMMMMMMMMML         MMMMMMMK   LMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM    LMMMMMMMMML           MMMMMMMK  LMMMMMMMMMLLMLLLLLLLLLLLLLL LMMMMMMMLLLLLLLLLLLLLLLLLLLLM 
   MMMMMMM  MMMMMMMMMLM             MMMMMMMK LMMMMMMMM                    LMMMMMML                      
   MMMMMMMLMMMMMMMML                MMMMMMMK MMMMMMML                     LMMMMMMMMLLLLLLLLLLLLLMLL     
   MMMMMMMMMMMMMMMM                 MMMMMMMK MMMMMML                       LMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMMMMMMMMMMMMM               MMMMMMMK MMMMMMM                         LMMMMMMMMMMMMMMMMMMMMMMMML 
   MMMMMMM KLMMMMMMMMML             MMMMMMMK LMMMMMMM                                          MMMMMMMML
   MMMMMMM    LMMMMMMMMMM           MMMMMMMK LMMMMMMMMLL                                        MMMMMMML
   MMMMMMM      LMMMMMMMMMLL        MMMMMMMK  LMMMMMMMMMMMMMMMMMMMMMMMMML LLLLLLLLLLLLLLLLLLLLMMMMMMMMMM
   MMMMMMM        MMMMMMMMMMML      MMMMMMMK   MMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM          LLMMMMMMMMML    MMMMMMMK     LLMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMM             MMMMMMMMMML  MMMMMMMK         KLMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMLK    
                                                                                                            
                                                                                                                                                                                                                                                                                                                        


Scanning with Keeping Infrastructure as Code Secure v2.1.19





Unpinned Actions Full Length Commit SHA, Severity: LOW, Results: 1
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
CWE: 829
Risk Score: 4.1
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: .github/workflows/cd.yml:52

		051:       - name: Publish build artifacts to PyPI
		052:         uses: pypa/gh-action-pypi-publish@v1.13.0
		053: 



Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 1
INFO: 0
TOTAL: 1

A new version 'v2.1.20' of KICS is available, please consider updating

⚠️ JSON / prettier - 1 error

Checking formatting...
[warn] renovate.json
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository