build(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0

.github/workflows/actionlint.yml

@@ -30,9 +30,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Harden Runner"
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            auth.docker.io:443
+            cdn.fwupd.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            production.cloudflare.docker.com:443
+            raw.githubusercontent.com:443
+            registry-1.docker.io:443
 
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/docs.yml

@@ -33,9 +33,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Harden Runner"
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo-and-containers: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/lint.yml

@@ -59,9 +59,15 @@ jobs:
               tox -e mypy
     steps:
       - name: "Harden Runner"
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo-and-containers: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            json-schema.org:443
+            pypi.org:443
 
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/pypi.yml

@@ -34,20 +34,27 @@ jobs:
         name: Build and check packages
         runs-on: ubuntu-latest
         steps:
-            - name: "Harden Runner"
-              uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
-              with:
-                  egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
-
-            - name: "Checkout"
-              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-              with:
-                  # for setuptools-scm
-                  fetch-depth: 0
-
-            - name: "Build and Inspect"
-              uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0
+          - name: "Harden Runner"
+            uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+            with:
+                disable-sudo-and-containers: true
+                egress-policy: block
+                allowed-endpoints: >
+                    astral.sh:443
+                    files.pythonhosted.org:443
+                    github.com:443
+                    objects.githubusercontent.com:443
+                    pypi.org:443
+                    release-assets.githubusercontent.com:443
+
+          - name: "Checkout"
+            uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+            with:
+                # for setuptools-scm
+                fetch-depth: 0
+
+          - name: "Build and Inspect"
+            uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0
 
     # push to Test PyPI on
     # - a new GitHub release is published
@@ -64,21 +71,29 @@ jobs:
         needs: build-package
 
         steps:
-            - name: "Harden Runner"
-              uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
-              with:
-                  egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
-            - name: "Download build artifacts"
-              uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-              with:
-                  name: Packages
-                  path: dist
-
-            - name: "Upload to Test PyPI"
-              uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
-              with:
-                  repository-url: https://test.pypi.org/legacy/
+          - name: "Harden Runner"
+            uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+            with:
+                disable-sudo-and-containers: true
+                egress-policy: block
+                allowed-endpoints: >
+                    fulcio.sigstore.dev:443
+                    ghcr.io:443
+                    pkg-containers.githubusercontent.com:443
+                    rekor.sigstore.dev:443
+                    test.pypi.org:443
+                    tuf-repo-cdn.sigstore.dev:443
+
+          - name: "Download build artifacts"
+            uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+            with:
+                name: Packages
+                path: dist
+
+          - name: "Upload to Test PyPI"
+            uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+            with:
+                repository-url: https://test.pypi.org/legacy/
 
     # push to Production PyPI on
     # - a new GitHub release is published
@@ -96,36 +111,44 @@ jobs:
         needs: build-package
 
         steps:
-            - name: "Harden Runner"
-              uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
-              with:
-                  egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
-            - name: "Download build artifacts"
-              uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-              with:
-                  name: Packages
-                  path: dist
-
-            - name: "Sigstore sign package"
-              uses: sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1
-              with:
-                  inputs: |
-                      ./dist/*.tar.gz
-                      ./dist/*.whl
-                  release-signing-artifacts: false
-
-            - name: "Upload artifacts and signatures to GitHub release"
-              run: |
-                  gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
-              env:
-                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-            # PyPI does not accept .sigstore artifacts and
-            # gh-action-pypi-publish has no option to ignore them.
-            - name: "Remove sigstore signatures before uploading to PyPI"
-              run: |
-                  rm ./dist/*.sigstore.json
-
-            - name: "Upload to PyPI"
-              uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+          - name: "Harden Runner"
+            uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+            with:
+                disable-sudo-and-containers: true
+                egress-policy: block
+                allowed-endpoints: >
+                    fulcio.sigstore.dev:443
+                    ghcr.io:443
+                    pkg-containers.githubusercontent.com:443
+                    rekor.sigstore.dev:443
+                    pypi.org:443
+                    tuf-repo-cdn.sigstore.dev:443
+
+          - name: "Download build artifacts"
+            uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+            with:
+                name: Packages
+                path: dist
+
+          - name: "Sigstore sign package"
+            uses: sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1
+            with:
+                inputs: |
+                    ./dist/*.tar.gz
+                    ./dist/*.whl
+                release-signing-artifacts: false
+
+          - name: "Upload artifacts and signatures to GitHub release"
+            run: |
+                gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
+            env:
+                GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # PyPI does not accept .sigstore artifacts and
+          # gh-action-pypi-publish has no option to ignore them.
+          - name: "Remove sigstore signatures before uploading to PyPI"
+            run: |
+                rm ./dist/*.sigstore.json
+
+          - name: "Upload to PyPI"
+            uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4

.github/workflows/test.yml

@@ -48,9 +48,14 @@ jobs:
           - "ubuntu-latest"
     steps:
       - name: "Harden Runner"
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo-and-containers: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
 
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

src/instructlab/schema/taxonomy.py

@@ -321,7 +321,7 @@ def _schema_validate(self, text: str, taxonomy: Taxonomy) -> None:
             validator_cls = validator_for(schema)
             # mypy doesn't understand attrs classes fields, see: https://github.com/python/mypy/issues/5406
             registry: SchemaRegistry = Registry(retrieve=retrieve)  # type: ignore[call-arg]
-            validator: Validator = validator_cls(schema, registry=registry)
+            validator: Validator = validator_cls(schema, registry=registry)  # type: ignore[arg-type]
 
             for validation_error in validator.iter_errors(taxonomy.contents):
                 yaml_path = validation_error.json_path[1:]