mailjet · skupriienko · May 26, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,23 @@
+name: CodeQL
+on:
+  push: { branches: [main] }
+  pull_request: { branches: [main] }
+  schedule: [{ cron: "37 3 * * 0" }]   # weekly full scan
+
+jobs:
+  analyze:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          queries: security-extended,security-and-quality
+      - uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"
diff --git a/.github/workflows/commit_checks.yaml b/.github/workflows/commit_checks.yaml
@@ -46,7 +46,6 @@ jobs:
           channels: defaults
           show-channel-urls: true
           environment-file: environment.yaml
-          cache: 'pip'  # Drastically speeds up CI by caching pip dependencies
 
       - name: Install dependencies and package
         run: |
@@ -60,7 +59,7 @@ jobs:
       - name: Install test dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install pytest
+          pip install pytest hypothesis
 
       - name: Run unit tests
-        run: pytest tests/unit/ -v
+        run: pytest tests/unit/ -v -m "not property_heavy"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -34,20 +34,25 @@ jobs:
 
       - name: Extract version
         id: get_version
+        # Use an intermediate environment variable to avoid shell injection
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
           # Get clean version from the tag or release
-          if [[ "${{ github.event_name }}" == "release" ]]; then
+          if [[ "$EVENT_NAME" == "release" ]]; then
             # For releases, get the version from the release tag
-            TAG_NAME="${{ github.event.release.tag_name }}"
+            TAG_NAME="$RELEASE_TAG"
           else
             # For tags, get version from the tag
-            TAG_NAME="${{ github.ref_name }}"
+            TAG_NAME="$REF_NAME"
           fi
 
           # Remove 'v' prefix
           VERSION=$(echo $TAG_NAME | sed 's/^v//')
 
-          # Check if this is a stable version (no rc, alpha, beta, dev, etc.)
+          # Check if this is a stable version
           if [[ $TAG_NAME =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             echo "IS_STABLE=true" >> $GITHUB_ENV
           else

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,59 @@
+name: Security
+
+on:
+  push: { branches: [main] }
+  pull_request:
+  schedule: [{ cron: "0 5 * * *" }] # Daily security sweep
+
+permissions:
+  contents: read
+
+jobs:
+  static-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: 'pip'
+      - run: pip install ruff bandit mypy pip-audit
+      # Fast checks
+      - run: ruff check .
+      - run: bandit -c pyproject.toml -r mailjet_rest
+      - run: mypy --strict mailjet_rest
+
+  semgrep:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/python
+            p/owasp-top-ten
+            p/supply-chain
+            p/command-injection
+            p/insecure-transport
+          error: true # Fails CI if issues found
+
+  pip-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with: { python-version: "3.13" }
+      - run: pip install pip-audit
+      - run: pip-audit --strict
+
+  osv-scan:
+    permissions:
+      actions: read
+      security-events: write # For Security Tab
+      contents: read
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.8"
+    with:
+      # Explicit root scanning
+      scan-args: |-
+        --recursive
+        ./