jenstroeger · jenstroeger · Apr 5, 2025 · Apr 5, 2025 · Apr 5, 2025 · Apr 5, 2025
@@ -13,7 +13,7 @@ updates:
     prefix-development: chore
     include: scope
   open-pull-requests-limit: 13
-  target-branch: staging
+  target-branch: main
   # Add additional reviewers for PRs opened by Dependabot. For more information, see:
   # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
   # reviewers:
@@ -28,7 +28,7 @@ updates:
     prefix-development: chore
     include: scope
   open-pull-requests-limit: 13
-  target-branch: staging
+  target-branch: main
   # Add additional reviewers for PRs opened by Dependabot. For more information, see:
   # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
   # reviewers:

@@ -55,7 +55,7 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
@@ -66,7 +66,7 @@ jobs:
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: ${{ matrix.python }}
 

@@ -1,5 +1,5 @@
-# Automatically rebase one branch on top of another; usually staging on top
-# of main after a new package version was published.
+# Automatically rebase one branch on top of another; usually main on top
+# of release after a new package version was published.
 
 name: Rebase branch
 on:
@@ -34,7 +34,7 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 

@@ -41,7 +41,7 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true

@@ -5,12 +5,12 @@ name: CodeQL
 on:
   push:
     branches:
+    - release
     - main
-    - staging
   pull_request:
     branches:
+    - release
     - main
-    - staging
     # Avoid unnecessary scans of pull requests.
     paths:
     - '**/*.py'
@@ -37,7 +37,7 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
@@ -46,7 +46,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Python ${{ matrix.python }}
-      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: ${{ matrix.python }}
 
@@ -58,7 +58,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+      uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
       with:
         languages: ${{ matrix.language }}
         config-file: .github/codeql/codeql-config.yaml
@@ -71,4 +71,4 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+      uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
@@ -27,7 +27,7 @@
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: '3.13'
 
@@ -36,7 +36,7 @@
     - name: Set up Commitizen
       run: |
         pip install --upgrade pip wheel
-        pip install 'commitizen ==4.1.0'
+        pip install 'commitizen ==4.5.0'
 
     # Run Commitizen to check the title of the PR which triggered this workflow, and check
     # all commit messages of the PR's branch. If any of the checks fails then this job fails.

@@ -1,12 +1,12 @@
 # We run checks on pushing to the specified branches.
-# Pushing to main also triggers a release.
+# Pushing to release also triggers a release.
 
 name: Check and Release
 on:
   push:
     branches:
+    - release
     - main
-    - staging
 permissions:
   contents: read
 
@@ -19,18 +19,18 @@
     with:
       disable-pip-audit: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}
 
-  # On pushes to the 'main' branch create a new release by bumping the version
+  # On pushes to the 'release' branch create a new release by bumping the version
   # and generating a change log. That's the new bump commit and associated tag.
   bump:
     needs: check
-    if: github.ref == 'refs/heads/main'
+    if: github.ref == 'refs/heads/release'
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
@@ -42,14 +42,14 @@
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
 
     - name: Set up Python
-      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: '3.13'
 
     - name: Set up Commitizen
       run: |
         pip install --upgrade pip wheel
-        pip install 'commitizen ==4.1.0'
+        pip install 'commitizen ==4.5.0'
 
     - name: Set up user
       run: |
@@ -77,7 +77,7 @@
 
   # When triggered by the version bump commit, build the package and publish the release artifacts.
   build:
-    if: github.ref == 'refs/heads/main' && startsWith(github.event.commits[0].message, 'bump:')
+    if: github.ref == 'refs/heads/release' && startsWith(github.event.commits[0].message, 'bump:')
     uses: ./.github/workflows/_build.yaml
     permissions:
       contents: read
@@ -98,7 +98,7 @@
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
@@ -126,14 +126,14 @@
 
     # Create the Release Notes using commitizen.
     - name: Set up Python
-      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: '3.13'
 
     - name: Set up Commitizen
       run: |
         pip install --upgrade pip wheel
-        pip install 'commitizen ==4.1.0'
+        pip install 'commitizen ==4.5.0'
 
     - name: Create Release Notes
       run: cz changelog --dry-run "$(cz version --project)" > RELEASE_NOTES.md
@@ -199,7 +199,7 @@
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
@@ -256,19 +256,19 @@
     secrets:
       REPO_ACCESS_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
 
-  # After the bump commit was pushed to the main branch, rebase the staging branch
-  # (to_head argument) on top of the new main branch (from_base argument), to keep
+  # After the bump commit was pushed to the release branch, rebase the main branch
+  # (to_head argument) on top of the new release branch (from_base argument), to keep
   # the histories of both branches in sync.
-  rebase_staging:
+  rebase_main:
     # if: ${{ false }}
     needs: [release]
-    name: Rebase staging branch on main
+    name: Rebase main branch on release
     uses: ./.github/workflows/_generate-rebase.yaml
     permissions:
       contents: read
     with:
-      to-head: staging
-      from-base: origin/main
+      to-head: main
+      from-base: origin/release
       git-user-name: jenstroeger
       git-user-email: jenstroeger@users.noreply.github.com
     secrets:

@@ -26,7 +26,7 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
@@ -59,6 +59,6 @@ jobs:
 
     # Upload the results to GitHub's code scanning dashboard.
     - name: Upload to code-scanning
-      uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
       with:
         sarif_file: results.sarif
@@ -35,7 +35,7 @@ jobs:
       with:
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
         fetch-depth: 0
-        ref: staging
+        ref: main
         path: repo
 
     - name: Sync with template
@@ -84,7 +84,7 @@ jobs:
             git push --set-upstream origin "$BRANCH_NAME"
 
             # Create the pull request.
-            gh pr create --base staging --head "$BRANCH_NAME" --title "chore: sync with template $LATEST_VERSION" --body "This PR was generated automatically."
+            gh pr create --base main --head "$BRANCH_NAME" --title "chore: sync with template $LATEST_VERSION" --body "This PR was generated automatically."
 
           fi
         fi
@@ -15,7 +15,7 @@ repos:
 
 # Commitizen enforces semantic and conventional commit messages.
 - repo: https://github.com/commitizen-tools/commitizen
-  rev: v4.1.0
+  rev: v4.5.0
   hooks:
   - id: commitizen
     name: Check conventional commit message