mailgun · skupriienko-mailgun · Jun 10, 2026 · Jun 22, 2026 · Jun 22, 2026 · Jun 22, 2026
diff --git a/.github/workflows/commit_checks.yaml b/.github/workflows/commit_checks.yaml
@@ -14,7 +14,7 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-python@v6
         with:
           python-version: '3.13'  # Specify a Python version explicitly
@@ -35,7 +35,7 @@ jobs:
       APIKEY: ${{ secrets.APIKEY }}
       DOMAIN: ${{ secrets.DOMAIN }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0  # Required for setuptools-scm
 
@@ -45,7 +45,6 @@ jobs:
           channels: defaults
           show-channel-urls: true
           environment-file: environment-dev.yaml
-          cache: 'pip'  # Drastically speeds up CI by caching pip dependencies
 
       - name: Install package
         run: |

diff --git a/.github/workflows/pr_validation.yml b/.github/workflows/pr_validation.yml
@@ -11,7 +11,7 @@ jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -18,7 +18,7 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,64 @@
+name: Continuous Security Verification
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '37 3 * * 0' # Run weekly on Sundays to catch newly published CVEs
+
+permissions:
+  contents: read
+
+jobs:
+  static-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.13"
+          cache: 'pip'
+      - run: python -m pip install --upgrade pip
+      - run: pip install ruff bandit mypy pip-audit
+      # Fast checks
+      - run: ruff check .
+      - run: bandit -c pyproject.toml -r mailgun
+      - run: mypy --strict mailgun
+
+  semgrep:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/python
+            p/owasp-top-ten
+            p/supply-chain
+            p/command-injection
+            p/insecure-transport
+          error: true # Fails CI if issues found
+
+  pip-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+      - uses: actions/setup-python@v6
+        with: { python-version: "3.13" }
+      - run: python -m pip install --upgrade pip
+      - run: pip install pip-audit
+      - run: pip-audit --strict
+
+  osv-scan:
+    permissions:
+      actions: read
+      security-events: write # For Security Tab
+      contents: read
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.8"
+    with:
+      # Explicit root scanning
+      scan-args: |-
+        --recursive
+        ./