Bring .github settings up-to-date (#336)

* Update pins and permissions for CI

* Add dependabot schedule to keep pins up-to-date

* Add codeql to do regular scans

* Make test workflow cross-platform compatible

* Fix file encoding for Windows

Author: nateprewitt

.github/codeql.yml

@@ -0,0 +1,2 @@
+paths:
+- "jmespath/"

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]

.github/workflows/codeql.yml

@@ -0,0 +1,35 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["develop"]
+  pull_request:
+    branches: ["develop"]
+  schedule:
+    - cron: "0 0 * * 5"
+
+permissions: "read"
+
+jobs:
+  analyze:
+    name: "Analyze"
+    runs-on: "ubuntu-latest"
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+    - name: "Checkout repository"
+      uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3"
+
+    - name: "Run CodeQL init"
+      uses: "github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb"
+      with:
+        config-file: "./.github/codeql.yml"
+        languages: "python"
+
+    - name: "Run CodeQL autobuild"
+      uses: "github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb"
+
+    - name: "Run CodeQL analyze"
+      uses: "github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb"

.github/workflows/run-tests.yml

@@ -2,28 +2,31 @@ name: Run Tests
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest]
+        os: [ubuntu-latest, macOS-latest, windows-latest]
         python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
       run: |
         pip install pip==25.1.0
         pip install -r requirements.txt
-        python -m build --wheel
-        pip install dist/*.whl
+        python -m pip install .
     - name: Test with pytest
       run: |
         cd tests/ && python -m pytest --cov jmespath --cov-report term-missing
+

requirements.txt

@@ -6,4 +6,3 @@ hypothesis==5.35.4
 # Setuptools is no longer provided by default in Python 3.12+
 setuptools==71.1.0 ; python_version >= '3.12'
 packaging==24.1 ; python_version >= '3.12'
-build==1.2.2.post1

tests/test_compliance.py

@@ -48,19 +48,20 @@ def _walk_files():
 
 
 def load_cases(full_path):
-    all_test_data = json.load(open(full_path), object_pairs_hook=OrderedDict)
-    for test_data in all_test_data:
-        given = test_data['given']
-        for case in test_data['cases']:
-            if 'result' in case:
-                test_type = 'result'
-            elif 'error' in case:
-                test_type = 'error'
-            elif 'bench' in case:
-                test_type = 'bench'
-            else:
-                raise RuntimeError("Unknown test type: %s" % json.dumps(case))
-            yield (given, test_type, case)
+    with open(full_path, 'r', encoding='utf-8') as f:
+        all_test_data = json.load(f, object_pairs_hook=OrderedDict)
+        for test_data in all_test_data:
+            given = test_data['given']
+            for case in test_data['cases']:
+                if 'result' in case:
+                    test_type = 'result'
+                elif 'error' in case:
+                    test_type = 'error'
+                elif 'bench' in case:
+                    test_type = 'bench'
+                else:
+                    raise RuntimeError(f"Unknown test type: {json.dumps(case)}")
+                yield (given, test_type, case)
 
 
 @pytest.mark.parametrize(