fix(ci): resolve security scanner warnings in workflow files

[olivermeyer]

Why?
The security scanner flagged medium-severity vulnerabilities in three CI workflow files: uv run python -c "import tomli..." calls were flagged for omitting --no-build and using an unlocked external dependency, and uv sync in the bump workflow was flagged for not preventing source builds.

How?
Replaced all uv run python -c "import tomli..." version-extraction calls with POSIX grep/sed (no Python or external package needed, since the version field is a plain string in pyproject.toml). Added --no-build to uv sync in bump.yml to restrict installation to pre-built wheels only.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

[claude]

Claude finished @olivermeyer's task in 2m 31s —— View job

---

PR Review Complete ✅

Todo List

• Read project documentation and guidelines
• Analyze the PR changes (diff and commit history)
• Review workflow file changes for correctness
• Verify grep/sed version extraction logic
• Check security implications and best practices
• Review ATTRIBUTIONS.md update
• Post comprehensive review feedback

---

Review Summary

Overall Assessment: ✅ APPROVED - This is a well-executed security fix that effectively addresses scanner warnings while simplifying the CI/CD workflows.

Changes Reviewed

1. Version Extraction (.github/workflows/_test.yml, .github/workflows/_scheduled-test-daily.yml)

Before:

TOML_VERSION=$(uv run python -c "import tomli; print(tomli.load(open('pyproject.toml', 'rb'))['project']['version'])")

After:

TOML_VERSION=$(grep -m 1 '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')

✅ Correct: I tested this command and it extracts 0.14.0 correctly from pyproject.toml
✅ Secure: Removes dependency on external Python package tomli
✅ Simple: Pure POSIX shell, no Python interpreter needed
✅ Robust: The pattern ^version = anchors to line start, avoiding false matches with target-version, required-version, etc.

2. Build Safety (.github/workflows/bump.yml)

Before:

uv sync --all-extras --frozen --link-mode=copy

After:

uv sync --all-extras --frozen --no-build --link-mode=copy

✅ Correct: The --no-build flag restricts installation to pre-built wheels only
✅ Secure: Prevents execution of arbitrary setup.py code during installation
✅ Appropriate: All project dependencies (FastAPI, Pydantic, commitizen, pytest, etc.) have pre-built wheels available

3. ATTRIBUTIONS.md

✅ Expected: Auto-generated version bump from 0.13.0 to 0.14.0 - this is normal and correct

---

Security Analysis

✅ Strengths

1. Eliminates external dependency: The tomli package is no longer imported during CI runs, reducing attack surface
2. Standard tooling: Uses POSIX-standard grep and sed that are already present in CI environment
3. Immutable approach: The grep/sed command is read-only and cannot modify files
4. Build isolation: --no-build flag prevents arbitrary code execution during package installation

⚠️ Minor Considerations

1. Sed pattern assumes spaces: The pattern version = "..." expects spaces around =. If pyproject.toml formatting changes to version="...", it will fail silently.

   • Risk level: LOW - TOML standard uses spaces, and commitizen maintains consistent formatting
   • Mitigation: Consider documenting this assumption or adding validation

2. No error handling: The command doesn't check if the version was successfully extracted

   • Risk level: LOW - If extraction fails, the variable will be empty, and subsequent steps will fail visibly
   • Mitigation: Could add || { echo "Error extracting version"; exit 1; } for explicit error handling

---

Code Quality

✅ Commit messages: Follow conventional commit format (fix(ci):)
✅ Consistency: Changes applied to all affected workflows
✅ Completeness: No remaining tomli references in workflow files
✅ Minimal changes: Only modified what's necessary to address security warnings

---

Testing Notes

I verified the grep/sed command works correctly:

$ grep -m 1 '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/'
0.14.0

The command correctly:

• Matches only version = "0.14.0" (line 3)
• Ignores target-version, required-version, etc.
• Extracts the version number cleanly
• Handles semantic versions and prerelease versions (e.g., 1.2.3-rc1)

---

Recommendations

Optional Improvements (not blocking)

1. Add error handling for robustness:

   TOML_VERSION=$(grep -m 1 '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/') || {
     echo "Error: Failed to extract version from pyproject.toml"
     exit 1
   }

2. Add inline documentation in workflows explaining the security rationale:

   # Use grep/sed instead of tomli to avoid external Python dependencies during CI
   TOML_VERSION=$(grep -m 1 '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')

3. Consider validation after extraction:

   [[ -n "$TOML_VERSION" ]] || { echo "Error: Version extraction failed"; exit 1; }

---

Conclusion

This PR successfully addresses the security scanner warnings through a clean, minimalist approach. The changes reduce the CI/CD attack surface by eliminating unnecessary Python dependencies and preventing source builds. The implementation is correct, well-structured, and follows project conventions.

Status: ✅ Ready to merge (pending CI checks)

The code quality gates (Codecov, SonarQube) have passed, confirming the changes don't introduce regressions.

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud