CoReason-AI · dk-uppi-aks · May 10, 2026 · May 10, 2026 · May 10, 2026 · May 10, 2026
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,4 @@
+*.rs linguist-detectable=false
+*.rlib linguist-detectable=false
+Cargo.toml linguist-detectable=false
+Cargo.lock linguist-detectable=false
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,17 +33,17 @@ jobs:
         run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true
 
       - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
+        uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
+      - uses: actions/checkout@v4
 
       - name: Substrate Purity Verification
         run: git clean -xfd -e .uv_cache
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -113,17 +113,17 @@ jobs:
         run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true
 
       - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
+        uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
+      - uses: actions/checkout@v4
 
       - name: Substrate Purity Verification
         run: git clean -xfd -e .uv_cache
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -164,17 +164,17 @@ jobs:
         run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true
 
       - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
+        uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
+      - uses: actions/checkout@v4
 
       - name: Substrate Purity Verification
         run: git clean -xfd -e .uv_cache
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -230,29 +230,31 @@ jobs:
         run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true
 
       - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
+        uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
+      - uses: actions/checkout@v4
 
       - name: Substrate Purity Verification
         run: git clean -xfd -e .uv_cache
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
 
       - name: Build wheel (attempt 1)
         run: |
+          export SOURCE_DATE_EPOCH=315532800
           uv build --out-dir dist1
           sha256sum dist1/*.whl | tee /tmp/hash1.txt
         shell: bash
 
       - name: Build wheel (attempt 2)
         run: |
+          export SOURCE_DATE_EPOCH=315532800
           uv build --out-dir dist2
           sha256sum dist2/*.whl | tee /tmp/hash2.txt
         shell: bash

diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml
@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [ "coreason-develop", "main" ]
 
+
+permissions:
+  contents: read
+
 jobs:
   trivy:
     runs-on: [self-hosted, hetzner, x64]

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -24,17 +24,17 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
+        uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           fetch-tags: true
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -50,10 +50,10 @@ jobs:
         run: uv run zensical build --clean
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b
+        uses: actions/upload-pages-artifact@v3
         with:
           path: site
 
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128
+        uses: actions/deploy-pages@v4
diff --git a/.github/workflows/nightly-fuzzing.yml b/.github/workflows/nightly-fuzzing.yml
@@ -18,14 +18,14 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
+        uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,80 +1,84 @@
-name: Release
-
-on:
-  push:
-    tags:
-      - 'v*.*.*'
-      - '*.*.*'
-
-permissions:
-  contents: write
-  id-token: write # Required for PyPI OIDC Trusted Publishing and Sigstore
-  pages: write    # Required for GitHub Pages deployment
-  attestations: write # Required for SLSA build provenance
-
-env:
-  UV_PYTHON_PREFERENCE: "only-managed"
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  release:
-    runs-on: [self-hosted, hetzner, x64]
-    timeout-minutes: 30
-    environment: pypi
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-        with:
-          fetch-depth: 0 # Required for hatch-vcs to calculate the version dynamically
-          fetch-tags: true # Crucial for annotated tags to resolve properly during build
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v7
-        with:
-          enable-cache: true
-          cache-dependency-glob: "uv.lock"
-          python-version: "3.14"
-
-      - name: Install dependencies
-        run: |
-          uv python uninstall 3.14t || true
-          uv python install 3.14
-          uv sync --all-extras --dev --python 3.14 --frozen
-
-      - name: Build Artifacts
-        run: uv build
-
-      - name: Generate SBOM
-        uses: anchore/sbom-action@v0
-        with:
-          format: spdx-json
-          output-file: sbom.spdx.json
-
-      - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          attestations: false # Requires Enterprise Cloud or public repo
-
-      - name: Sign Wheel
-        uses: sigstore/gh-action-sigstore-python@v3.3.0
-        with:
-          inputs: >-
-            dist/*.whl
-            dist/*.tar.gz
-
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v3
-        with:
-          files: |
-            dist/*.whl
-            dist/*.tar.gz
-            dist/*.sigstore.json
-            sbom.spdx.json
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+      - '*.*.*'
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+  id-token: write # Required for PyPI OIDC Trusted Publishing and Sigstore
+  pages: write    # Required for GitHub Pages deployment
+  # attestations: write # Required for SLSA build provenance
+
+env:
+  UV_PYTHON_PREFERENCE: "only-managed"
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  release:
+    runs-on: [self-hosted, hetzner, x64]
+    timeout-minutes: 30
+    environment: pypi
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Required for hatch-vcs to calculate the version dynamically
+          fetch-tags: true # Crucial for annotated tags to resolve properly during build
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.14"
+
+      - name: Install dependencies
+        run: |
+          uv python uninstall 3.14t || true
+          uv python install 3.14
+          uv sync --all-extras --dev --python 3.14 --frozen
+
+      - name: Build Artifacts
+        run: uv build
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1 # release/v1
+        with:
+          attestations: false # Requires Enterprise Cloud or public repo
+
+      - name: Sign Wheel
+        uses: sigstore/gh-action-sigstore-python@v3.3.0
+        with:
+          inputs: >-
+            dist/*.whl
+            dist/*.tar.gz
+          release-signing-artifacts: true
+          source: false
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/*.whl
+            dist/*.tar.gz
+            dist/*.sigstore.json
+            sbom.spdx.json
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -0,0 +1,23 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: googleapis/release-please-action@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -24,7 +24,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Trufflehog Secret Scan
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@0c381f12b3f9a934f33fc61bf003599f5323ff55
         with:
           base: ${{ github.event.repository.default_branch }}
           head: HEAD
@@ -44,7 +44,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
           python-version: '3.14'
@@ -79,7 +79,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload Compliance Reports as Artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: security-audit-reports
           path: |