bird-house · Zeitsperre · Sep 2, 2025 · Sep 2, 2025 · Sep 2, 2025 · Sep 2, 2025
diff --git a/.github/workflows/docker-testing.yml b/.github/workflows/docker-testing.yml
@@ -45,6 +45,8 @@ jobs:
           load: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          # platforms: linux/amd64,linux/arm64
+          # sbom: false
           push: false
       - name: Run Docker image
         uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3.0.0

diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -21,7 +21,13 @@ jobs:
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+            ruf-repo-cdn.sigstore.dev:443
+            upload.pypi.org:443
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:

diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml
@@ -21,7 +21,13 @@ jobs:
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+            ruf-repo-cdn.sigstore.dev:443
+            test.pypi.org:443
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:

diff --git a/Dockerfile b/Dockerfile
@@ -23,4 +23,8 @@ RUN pip install . --no-deps
 
 # Start WPS service on port 5000 of 0.0.0.0
 EXPOSE 5000
+
+# Specify a non-root user to run the application
+USER nonroot
+
 CMD ["gunicorn", "--bind=0.0.0.0:5000", "-t 60", "finch.wsgi:application"]
diff --git a/environment-dev.yml b/environment-dev.yml
@@ -1,6 +1,7 @@
 name: finch
 channels:
   - conda-forge
+  - nodefaults
 dependencies:
   - python >=3.10,<3.13
   - pywps >=4.6

diff --git a/environment-docs.yml b/environment-docs.yml
@@ -1,6 +1,7 @@
 name: finch
 channels:
   - conda-forge
+  - nodefaults
 dependencies:
   - python >=3.10,<3.13
   - anyascii >=0.3.0
@@ -10,7 +11,7 @@ dependencies:
   - nbsphinx >=0.9.5
   - pandas >=2.2.0
   - pywps >=4.5.1
-  - setuptools >=71.0.0
+  - setuptools >=78.1.1
   - sphinx >=7.0.0,<8.2.0 # Pinned until nbsphinx supports Sphinx 8.2
   - sphinxcontrib-bibtex >=2.6.0
   - xarray >=2023.11.0,<2025.3.0

diff --git a/environment.yml b/environment.yml
@@ -1,6 +1,7 @@
 name: finch
 channels:
   - conda-forge
+  - nodefaults
 dependencies:
   - python >=3.10,<3.13
   - pip >=24.2.0
@@ -24,7 +25,7 @@ dependencies:
   - pyyaml >=6.0.1
   - scipy >=1.9.0
   - sentry-sdk
-  - setuptools >=71.0.0
+  - setuptools >=78.1.1
   - siphon
   - werkzeug >=3.0.6
   - xarray >=2023.11.0,<2025.03.0