github fabriziosalmi/certmate v2.6.3
v2.6.3 - pin all CI dependencies by SHA + base image digest


Closes Scorecard Pinned-Dependencies (0/10 -> ~9/10). Single biggest score uplift on the path from the v2.6.2 baseline.

What landed

  • All 20 GitHub Action usages across 4 workflows pinned to commit SHA, with the version tag preserved as a trailing comment for human review. Dependabot now opens PRs when upstream tags move; each is a deliberate review instead of an implicit inheritance.
  • Three actions bumped to current major (their old version emitted a runner-deprecation warning anyway):
    • actions/setup-python v4 -> v5
    • actions/cache v3 -> v4
    • codecov/codecov-action v3 -> v5
    • peter-evans/dockerhub-description v3 -> v4
  • aquasecurity/trivy-action@master -> v0.36.0 SHA. @master in CI is an active risk class - upstream HEAD changes silently bring new behaviour or, in the worst case, become an attack surface if the upstream repo is compromised. Now pinned to a tested version.
  • Dockerfile base image pinned by sha256 digest in both build stages. CVE fixes on the base now arrive only when we bump the digest deliberately, not implicitly on the next docker build.
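One way to check the two pinning rules above in review before the next Scorecard run, as an added example that is not certmate's own code: a small Python audit that flags `uses:` references that are not 40-hex commit SHAs (and SHAs missing the trailing version comment), floating branch refs such as `@master`, and Dockerfile `FROM` lines that pull an image without a `@sha256:` digest. The sample workflow and Dockerfile embedded in it are constructed, and the SHA and digest values are placeholders.

```python
import re
# Constructed samples (not certmate's files); the SHA and digest are placeholders.
WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
  - uses: aquasecurity/trivy-action@master
  - uses: ./.github/actions/local-step
"""
DOCKERFILE = """\
FROM python:3.12-slim AS builder
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM builder AS final
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+))?")
FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
BRANCHES = {"master", "main", "develop", "HEAD"}

def check_workflow(text):
    """Return (line_no, ref, reason) for each `uses:` that fails the SHA-pinning policy."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # local actions live in this repo and carry no ref
        ref, comment = m.groups()
        version = ref.split("@", 1)[1] if "@" in ref else ""
        if not version:
            findings.append((n, ref, "no ref (resolves to the default branch)"))
        elif not SHA40.match(version):
            findings.append((n, ref, "floating branch" if version in BRANCHES else "mutable tag"))
        elif not comment:
            findings.append((n, ref, "SHA without trailing version comment"))
    return findings

def check_dockerfile(text):
    """Return (line_no, image) for each FROM that pulls an image without a sha256 digest."""
    findings, stages = [], {"scratch"}
    for n, m in enumerate(map(FROM.match, text.splitlines()), 1):
        if not m:
            continue
        image, stage = m.groups()
        if image.lower() not in stages and "@sha256:" not in image:
            findings.append((n, image))
        if stage:
            stages.add(stage.lower())  # later FROM lines may refer to this build stage
    return findings
```

Running both checks over the real `.github/workflows/*.yml` files and the Dockerfile gives the same list Scorecard's Pinned-Dependencies probe would, minus the pip findings.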

First release with bump-inside-PR pattern

Shipped under the new main branch protection rules established alongside v2.6.2 - required status checks (build, test (3.12), Analyze python, Analyze javascript), conversation resolution required, required_linear_history enforced. The version bump is the fourth commit on the PR branch rather than a separate post-merge commit on main.

Expected Scorecard impact

  • Pinned-Dependencies: 0/10 -> ~9/10 (pipCommand warnings remain; moving to pip install --require-hashes is a separate, bigger lift).
  • Overall: from ~7.0 (post v2.6.2) -> ~8/10 at the next weekly Scorecard run.

Closes #197.
