fix: update CI workflows to use latest actions and Python versions

Author: nandgator

.github/workflows/pycqa.yaml

@@ -14,12 +14,12 @@ jobs:
     steps:
       # checkout repository
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       # set up specific python version
-      - name: Set up Python v3.9
-        uses: actions/setup-python@v5
+      - name: Set up Python v3.10
+        uses: actions/setup-python@v6
         with:
-          python-version: "3.9"
+          python-version: "3.10"
       # tooling
       - name: Install 'tooling' dependencies
         run: pip install -r package/requirements.tooling.txt
@@ -32,8 +32,8 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        os: [ubuntu-latest]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     runs-on: ${{ matrix.os }}
     steps:
       # checkout repository again!

.github/workflows/sast.yaml

@@ -1,40 +1,21 @@
 # Static Application Security Testing
 name: sast
+
 on:
   workflow_dispatch:
   push:
     branches: ["master"]
   pull_request:
     branches: ["master"]
-  schedule:
-    - cron: "00 00 * * 0"
+
 jobs:
   sast:
     permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      security-events: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
       - name: Bandit
-        uses: mdegis/bandit-action@85fcc340c3b0bf5d86029abb49b9aac916d807b2
+        uses: PyCQA/bandit-action@v1
         with:
-          # exit with 0, even with results found
-          # exit_zero: true # optional, default is DEFAULT
-          # Github token of the repository (automatically created by Github)
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
-          # File or directory to run bandit on
-          path: ./src/validators # optional, default is .
-          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # level: # optional, default is UNDEFINED
-          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # confidence: # optional, default is UNDEFINED
-          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-          excluded_paths: .github,.pytest_cache,.venv,.vscode,site,tests # optional, default is DEFAULT
-          # comma-separated list of test IDs to skip
-          # skips: # optional, default is DEFAULT
-          # path to a .bandit file that supplies command line arguments
-          # ini_path: # optional, default is DEFAULT
-# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
-# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
+          targets: src/validators
+          exclude: .github,.pytest_cache,.venv,.vscode,site,tests

pyproject.toml

@@ -121,7 +121,7 @@ pythonPlatform = "All"
 typeCheckingMode = "strict"
 
 [tool.pytest.ini_options]
-minversion = ".6.0"
+minversion = "6.0"
 pythonpath = ["src"]
 testpaths = "tests"
 addopts = ["--doctest-modules"]