Release 0.6.1, add security checks and badges

Author: dannyadair

.github/workflows/bandit.yaml

@@ -0,0 +1,28 @@
+name: bandit
+
+on:
+  pull_request:
+    branches:
+      - "main*"
+  push:
+    branches:
+      - "main"
+
+jobs:
+  bandit:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install uv and sync dev dependencies
+        run: |
+          pip install uv
+          uv venv
+          echo "VIRTUAL_ENV=$PWD/.venv" >> $GITHUB_ENV
+          echo "$PWD/.venv/bin" >> $GITHUB_PATH
+          uv sync --dev
+      - name: Run Bandit
+        run: |
+          bandit -r pdfbaker/

.github/workflows/ossf-scorecard.yaml

@@ -0,0 +1,19 @@
+name: OSSF Scorecard
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  scorecard:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run OSS Scorecard
+        uses: ossf/scorecard-action@v2
+        with:
+          repo: ${{ github.repository }}

.github/workflows/pip-audit.yaml

@@ -0,0 +1,28 @@
+name: pip-audit
+
+on:
+  pull_request:
+    branches:
+      - "main*"
+  push:
+    branches:
+      - "main"
+
+jobs:
+  pip-audit:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install uv and sync dev dependencies
+        run: |
+          pip install uv
+          uv venv
+          echo "VIRTUAL_ENV=$PWD/.venv" >> $GITHUB_ENV
+          echo "$PWD/.venv/bin" >> $GITHUB_PATH
+          uv sync --dev
+      - name: Run pip-audit
+        run: |
+          pip-audit

README.md

@@ -5,6 +5,9 @@
 [![Downloads](https://img.shields.io/pypi/dw/pdfbaker?color=blue)](https://pypistats.org/packages/pdfbaker)
 [![tests](https://github.com/pythonnz/pdfbaker/actions/workflows/tests.yaml/badge.svg)](https://github.com/pythonnz/pdfbaker/actions/workflows/tests.yaml)
 [![codecov](https://img.shields.io/codecov/c/github/pythonnz/pdfbaker)](https://codecov.io/gh/pythonnz/pdfbaker)
+[![OSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/pythonnz/pdfbaker?label=OSSF%20Scorecard)](https://scorecard.dev/viewer/?uri=github.com/pythonnz/pdfbaker)
+[![pip-audit](https://img.shields.io/github/actions/workflow/status/pythonnz/pdfbaker/pip-audit.yaml?label=pip-audit&logo=python)](https://github.com/pythonnz/pdfbaker/actions/workflows/pip-audit.yaml)
+[![bandit](https://img.shields.io/github/actions/workflow/status/pythonnz/pdfbaker/bandit.yaml?label=bandit&logo=python)](https://github.com/pythonnz/pdfbaker/actions/workflows/bandit.yaml)
 [![Last commit](https://img.shields.io/github/last-commit/pythonnz/pdfbaker?color=lightgrey)](https://github.com/pythonnz/pdfbaker/commits/main)
 [![License](https://img.shields.io/github/license/pythonnz/pdfbaker?color=lightgrey)](https://github.com/pythonnz/pdfbaker/blob/main/LICENSE)
 

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "pdfbaker"
-version = "0.5.2"
+version = "0.6.1"
 description = "SVG Jinja templates + YAML config = PDF documents"
 authors = [
     { name = "Danny W. Adair", email = "danny.adair@unfold.nz" }
@@ -26,8 +26,13 @@ build-backend = "hatchling.build"
 [tool.uv]
 managed = true
 dev-dependencies = [
+    # --- Testing
     "pytest",
     "pytest-cov",
+
+    # --- Security
+    "pip-audit",
+    "bandit"
 ]
 
 [tool.hatch.metadata]