Compare commits


4 Commits

Author SHA1 Message Date
Jorijn Schrijvershof
ecb57d991c chore: support python 3.14 in CI and docker 2026-01-09 08:27:40 +01:00
renovate[bot]
83425a48f6 chore(deps): update github/codeql-action action to v4 (#51)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-09 08:22:49 +01:00
renovate[bot]
9cb95f8108 chore(deps): pin dependencies (#55)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-09 08:20:27 +01:00
Jorijn Schrijvershof
1f6e7c5093 ci: switch actions to version tags for renovate digests (#54) 2026-01-09 08:18:02 +01:00
6 changed files with 36 additions and 36 deletions


@@ -62,7 +62,7 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
# For nightly builds, get the latest release version
- name: Get latest release version
@@ -91,15 +91,15 @@ jobs:
- name: Set up QEMU
if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
uses: docker/setup-qemu-action@v3.7.0
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
uses: docker/setup-buildx-action@v3.12.0
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Log in to Container Registry
if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
uses: docker/login-action@v3.6.0
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
@@ -109,7 +109,7 @@ jobs:
- name: Extract metadata (release)
id: meta-release
if: github.event_name == 'release'
uses: docker/metadata-action@v5.10.0
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
@@ -123,7 +123,7 @@ jobs:
- name: Extract metadata (nightly)
id: meta-nightly
if: github.event_name == 'schedule' && steps.get-version.outputs.skip != 'true'
uses: docker/metadata-action@v5.10.0
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
@@ -138,7 +138,7 @@ jobs:
- name: Extract metadata (manual)
id: meta-manual
if: github.event_name == 'workflow_dispatch'
uses: docker/metadata-action@v5.10.0
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
@@ -148,7 +148,7 @@ jobs:
- name: Build and push (release)
id: build-release
if: github.event_name == 'release'
uses: docker/build-push-action@v6.18.0
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
platforms: linux/amd64,linux/arm64
@@ -164,7 +164,7 @@ jobs:
- name: Build and push (nightly)
id: build-nightly
if: github.event_name == 'schedule' && steps.get-version.outputs.skip != 'true'
uses: docker/build-push-action@v6.18.0
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
platforms: linux/amd64,linux/arm64
@@ -180,7 +180,7 @@ jobs:
- name: Build and push (manual)
id: build-manual
if: github.event_name == 'workflow_dispatch'
uses: docker/build-push-action@v6.18.0
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
platforms: linux/amd64,linux/arm64
@@ -209,7 +209,7 @@ jobs:
# Vulnerability scanning
- name: Run Trivy vulnerability scanner
if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.image-tag.outputs.tag }}
format: "sarif"
@@ -219,7 +219,7 @@ jobs:
- name: Upload Trivy scan results
if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
uses: github/codeql-action/upload-sarif@v3.28.4
uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
with:
sarif_file: "trivy-results.sarif"
continue-on-error: true
@@ -240,7 +240,7 @@ jobs:
# Attestation (releases only)
- name: Generate attestation
if: github.event_name == 'release'
uses: actions/attest-build-provenance@v3.1.0
uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build-release.outputs.digest }}
@@ -253,14 +253,14 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3.12.0
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Build image (PR)
id: build-pr
uses: docker/build-push-action@v6.18.0
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
platforms: linux/amd64
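Review bot: Nothing in this workflow ties the trailing `# v6.0.1`-style comments to the digests, so a stale or wrong comment would go unnoticed while the runner executes whatever the 40-character SHA points at. Before merging, each digest in this file (checkout, the five docker/* actions, trivy-action, codeql-action/upload-sarif, attest-build-provenance) should be checked against the tag of the same name in the upstream repository rather than a fork of it. I would record that rule once above the first `steps:` block, for example `# Action digests are maintained by Renovate; the version comment must name the upstream tag the SHA belongs to.`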


@@ -26,7 +26,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Release Please
uses: googleapis/release-please-action@v4
uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
with:
token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
config-file: release-please-config.json
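Review bot: The comment on the pinned release-please step is only `# v4`, a moving major tag, so the line does not say which release the digest `16a9c908…` actually is; the same applies to the `# v4` and `# v5` comments on checkout, setup-python and upload-artifact in the test workflow. This step also receives `secrets.RELEASE_PLEASE_TOKEN`, which makes it the pin most worth being able to audit at a glance. Commit 1f6e7c5093 appears to have moved the image workflow to full version tags, and doing the same here would give `uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.x.y`, with the exact release filled in from upstream.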


@@ -17,17 +17,17 @@ jobs:
strategy:
fail-fast: false
matrix:
python-version: ["3.11", "3.12"]
python-version: ["3.11", "3.12", "3.13", "3.14"]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-python@v5
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ matrix.python-version }}
- name: Set up uv
uses: astral-sh/setup-uv@v7.2.0
uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
with:
enable-cache: true
python-version: ${{ matrix.python-version }}
@@ -68,8 +68,8 @@ jobs:
} >> "$GITHUB_STEP_SUMMARY"
- name: Upload coverage HTML report
uses: actions/upload-artifact@v4
if: always() && matrix.python-version == '3.12'
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: always() && matrix.python-version == '3.14'
with:
name: coverage-report-html-${{ matrix.python-version }}
path: htmlcov/
@@ -77,8 +77,8 @@ jobs:
retention-days: 7
- name: Upload coverage XML report
uses: actions/upload-artifact@v4
if: always() && matrix.python-version == '3.12'
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: always() && matrix.python-version == '3.14'
with:
name: coverage-report-xml-${{ matrix.python-version }}
path: coverage.xml
@@ -86,7 +86,7 @@ jobs:
retention-days: 7
- name: Upload test results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: always()
with:
name: test-results-${{ matrix.python-version }}
@@ -97,17 +97,17 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-python@v5
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.12"
python-version: "3.14"
- name: Set up uv
uses: astral-sh/setup-uv@v7.2.0
uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
with:
enable-cache: true
python-version: "3.12"
python-version: "3.14"
- name: Install linters
run: uv sync --locked --extra dev --no-install-project
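Review bot: `actions/checkout` is pinned here to the `# v4` digest `34e11487…` in both the test and lint jobs, while the image workflow in this same comparison pins `8e8c483d…` with the comment `# v6.0.1`. Two majors of one action mean two code paths to review and two update streams for Renovate. Unless the test workflow needs v4 for a reason not visible here, I would align it on the digest already used elsewhere: `- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1`. The job bodies start and end outside the hunks shown.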


@@ -6,7 +6,7 @@ FROM ghcr.io/astral-sh/uv:0.9.22@sha256:2320e6c239737dc73cccce393a8bb89eba2383d1
# =============================================================================
# Stage 1: Build dependencies
# =============================================================================
FROM python:3.12-slim-bookworm AS builder
FROM python:3.14-slim-bookworm AS builder
# Ofelia version and checksums (verified from GitHub releases)
ARG OFELIA_VERSION=0.3.12
@@ -53,7 +53,7 @@ RUN pip install --no-cache-dir --upgrade pip && \
# =============================================================================
# Stage 2: Runtime
# =============================================================================
FROM python:3.12-slim-bookworm
FROM python:3.14-slim-bookworm
# OCI Labels
LABEL org.opencontainers.image.source="https://github.com/jorijn/meshcore-stats"
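Review bot: Both `FROM python:3.14-slim-bookworm` lines use a mutable tag, while the uv image visible in the first hunk header is pinned with `@sha256:` and the rest of this comparison pins actions and compose images by digest. The base image is what the published container ships, so a rebuild of the same commit can currently produce a different image. I would pin both stages, `FROM python:3.14-slim-bookworm@sha256:<digest> AS builder` and the same `@sha256:<digest>` on the runtime stage, and let Renovate bump it. Using one digest for both stages presumably also keeps the interpreter that builds the dependencies identical to the one that runs them.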


@@ -162,7 +162,7 @@ For environments where Docker is not available.
#### Requirements
- Python 3.10+
- Python 3.11+ (3.14 recommended)
- SQLite3
- [uv](https://github.com/astral-sh/uv)


@@ -15,7 +15,7 @@ services:
# MeshCore Stats - Data collection and rendering
# ==========================================================================
meshcore-stats:
image: ghcr.io/jorijn/meshcore-stats:0.2.11 # x-release-please-version
image: ghcr.io/jorijn/meshcore-stats:0.2.11@sha256:82ca2230abba7d8846315a4fa09f1a2407695caf73fef029e6e6ea83c60c4290 # x-release-please-version
container_name: meshcore-stats
restart: unless-stopped
@@ -78,7 +78,7 @@ services:
# nginx - Static site server
# ==========================================================================
nginx:
image: nginx:1.29-alpine
image: nginx:1.29-alpine@sha256:8491795299c8e739b7fcc6285d531d9812ce2666e07bd3dd8db00020ad132295
container_name: meshcore-stats-nginx
restart: unless-stopped
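Review bot: The `meshcore-stats` image line now carries both a tag that release-please rewrites (`# x-release-please-version`) and a fixed `@sha256:` digest, and the two can drift apart. When a reference has both, the container runtime resolves it by digest, so once release-please bumps `0.2.11` (presumably touching only the version string) the file would name the new version but still deploy the old image until something refreshes the digest. Either let a single tool own the whole reference, or say so on the line, e.g. `# digest must be updated together with the version`. The nginx pin in the second hunk has no such marker and is not affected.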