Princeton-CDH · rlskoeser · May 26, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -16,6 +16,8 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
 
   # Enable version updates for pre-commit hooks
   - package-ecosystem: "pre-commit"
@@ -27,3 +29,5 @@ updates:
         # Group all pre-commit hook version updates together
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -23,6 +23,6 @@ jobs:
       || ! contains(github.event.action, 'label')
     steps:
       - name: Check changelog
-        uses: tarides/changelog-check-action@v3
+        uses: tarides/changelog-check-action@0189fc7eedec3ef3e9648c713908f6f2a6e99057  # v3
         with:
           changelog: CHANGELOG.md
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -21,7 +21,6 @@ on:
 
 permissions:
   contents: read
-  security-events: write
   pull-requests: read
 
 concurrency:
@@ -40,14 +39,14 @@ jobs:
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
       # required for all workflows
-      security-events: write
+      security-events: write  # to create upload of SARIF results
 
       # required to fetch internal or private CodeQL packs
       packages: read
 
       # only required for workflows in private repositories
       actions: read
-      contents: read
+      contents: read  # to checkout the repository
 
     strategy:
       fail-fast: false
@@ -67,7 +66,9 @@ jobs:
             # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
 
       # Add any setup steps before running the `github/codeql-action/init` action.
       # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -77,7 +78,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -106,7 +107,7 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0
         with:
           category: "/language:${{matrix.language}}"
 
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
@@ -18,19 +18,22 @@ jobs:
     name: Validate GitFlow branch rules
     runs-on: ubuntu-latest
 
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+
     steps:
       - name: Check PRs to main
         if: github.base_ref == 'main'
         run: |
-          if [[ ${{ github.head_ref }} =~ "release/*" && ${{ github.head_ref }} =~ "hotfix/*" ]]; then
+          if [[ ${HEAD_REF} =~ "release/*" && ${HEAD_REF} =~ "hotfix/*" ]]; then
             echo "ERROR: PRs targeting main must come from a release or hotfix branch"
             exit 1
           fi
 
       - name: Check PRs to develop
         if: github.base_ref == 'develop'
         run: |
-          if [[ ${{ github.head_ref }} =~ "main" && ${{ github.head_ref }} =~ "feature/*" ]]; then
+          if [[ ${HEAD_REF} =~ "main" && ${HEAD_REF} =~ "feature/*" ]]; then
             echo "ERROR: PRs targeting develop must come from main or a feature branch"
             exit 1
           fi
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -11,7 +11,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read
+  contents: read  # required to checkout the repository
 
 jobs:
   pypi-publish:
@@ -23,10 +23,15 @@ jobs:
     permissions:
       id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.ref == 'main')
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.11"
       - name: Install dependencies
@@ -36,4 +41,4 @@ jobs:
       - name: Build package
         run: python -m build
       - name: Publish package
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
diff --git a/.github/workflows/ruff-checks.yml b/.github/workflows/ruff-checks.yml
@@ -16,11 +16,14 @@ concurrency:
 
 jobs:
   ruff:
+    name: Ruff check and formatting
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
       - name: Run Ruff linter
-        uses: astral-sh/ruff-action@v3
+        uses: astral-sh/ruff-action@0ce1b0bf8b818ef400413f810f8a11cdbda0034b  # v4.0.0
         with:
           args: "check --output-format=github"
       - name: Run Ruff formatter

diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -25,10 +25,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install uv and Python version
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
         with:
           python-version: ${{ matrix.python }}
 
@@ -40,7 +42,7 @@ jobs:
 
       # Only upload test coverage for Python 3.12
       - name: Upload test coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354  # v6.0.1
         if: matrix.python == '3.12'
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -60,7 +62,7 @@ jobs:
       # at the organization level and available to all repositories. Only run on
       # scheduled builds & pushes, since PRs automatically report to Slack.
       - name: Report status to Slack
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661  # v2.3.3
         if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'push') }}
         continue-on-error: true
         env:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,7 +5,7 @@
 repos:
   # Ruff Python linter and formatter (configs in pyproject.toml)
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.12
+    rev: 0c7b6c989466a93942def1f84baf36ddfcd60c83  # frozen: v0.15.14
     hooks:
       # Run the linter
       - id: ruff-check
@@ -14,7 +14,7 @@ repos:
       - id: ruff-format
   # mdformat for formatting Markdown files
   - repo: https://github.com/hukkin/mdformat
-    rev: 1.0.0
+    rev: 2d496dbc18e31b83a1596685347ffe0b6041daf0  # frozen: 1.0.0
     hooks:
       - id: mdformat
         # Optionally add plugins
@@ -23,19 +23,19 @@ repos:
           - mdformat-frontmatter  # support GitHub front-matter
   # yamlfmt for formatting YAML files
   - repo: https://github.com/google/yamlfmt
-    rev: v0.21.0
+    rev: b5ca1890231d5e1e5181fef75a1be609d1e25029  # frozen: v0.21.0
     hooks:
       - id: yamlfmt
   # Codespell for spell checking
   - repo: https://github.com/codespell-project/codespell
-    rev: v2.4.2
+    rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a  # frozen: v2.4.2
     hooks:
       - id: codespell
         additional_dependencies:
           - tomli
   # Some out-of-the-box file checks
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
+    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c  # frozen: v6.0.0
     hooks:
       # Check for files with merge conflict strings
       - id: check-merge-conflict
@@ -53,16 +53,16 @@ repos:
   # Check uv.lock file is up to date
   - repo: https://github.com/astral-sh/uv-pre-commit
     # uv version.
-    rev: 0.11.11
+    rev: f19149a31a5aad375f89df042b796688201d6840  # frozen: 0.11.16
     hooks:
       - id: uv-lock
   # Validate Github Actions schema
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.37.2
+    rev: 943377262562a12b57292fc98fabd7dbf81451fe  # frozen: 0.37.2
     hooks:
       - id: check-github-workflows
   # Validate Github Actions workflow files
   - repo: https://github.com/mpalmer/action-validator
-    rev: v0.9.0
+    rev: 76a805bbfcba3506d6cdb4bba1810ab504e0d72b  # frozen: v0.9.0
     hooks:
       - id: action-validator
diff --git a/pyproject.toml b/pyproject.toml
@@ -32,6 +32,7 @@ dependencies = [
     "addict",
     "cached-property",
     "requests",
+    "uv>=0.4.0",
 ]
 license = {text = "Apache License, Version 2.0"}
 requires-python = ">=3.8"
@@ -106,3 +107,6 @@ end_of_line = "lf"
 
 [tool.codespell]
 ignore-words-list = "pres"  # shorthand for presentation
+
+[tool.uv]
+exclude-newer = "7 days"
diff --git a/uv.lock b/uv.lock