0.30

.github/workflows/codeql.yml

@@ -13,12 +13,11 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main", "develop" ]
+    branches: [ "main" ]
   pull_request:
-    # The branches below must be a subset of the branches above
     branches: [ "main" ]
   schedule:
-    - cron: '40 16 * * 6'
+    - cron: '26 17 * * 2'
 
 jobs:
   analyze:
@@ -31,9 +30,12 @@ jobs:
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     permissions:
+      # required for all workflows
+      security-events: write
+
+      # only required for workflows in private repositories
       actions: read
       contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
@@ -46,11 +48,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -77,6 +79,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -1,20 +1,39 @@
 # Dependency Review Action
 #
-# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable
+# packages will be blocked from merging.
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
-name: 'Dependency Review'
-on: [pull_request]
+name: 'Dependency review'
+on:
+  pull_request:
+    branches: [ "main" ]
 
+# If using a dependency submission action in this workflow this permission will need to be set to:
+#
+# permissions:
+#   contents: write
+#
+# https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
 permissions:
   contents: read
+  # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option
+  pull-requests: write
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+      - name: 'Checkout repository'
+        uses: actions/checkout@v4
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@v4
+        # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
+        with:
+          comment-summary-in-pr: always
+        #   fail-on-severity: moderate
+        #   deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
+        #   retry-on-snapshot-warnings: true

.github/workflows/docker-publish.yml

@@ -7,7 +7,7 @@ name: Docker
 
 on:
   schedule:
-    - cron: '33 10 * * *'
+    - cron: '40 1 * * *'
   push:
     branches: [ "main" ]
     # Publish semver tags as releases.

.github/workflows/python-app.yml

@@ -17,10 +17,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - name: Set up Python 3.11
+      - name: Set up Python 3.12
         uses: actions/setup-python@v4
         with:
-          python-version: 3.11
+          python-version: 3.12
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
@@ -32,7 +32,7 @@ jobs:
         run: bandit -r . -x /tests
       - name: Check code formatting
         run: |
-          black . -t py311 -l 120 --check
+          black . -t py312 -l 120 --check
           isort . -c
       - name: Lint with flake8
         run: |

.python-version

@@ -1 +1 @@
-3.11
+3.12

CHANGELOG.md

@@ -5,7 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/MashSoftware/time-tracker/compare/main...develop)
+## [Unreleased](https://github.com/MashSoftware/time-tracker/compare/main...v0.30.0)
+
+## [0.30.0](https://github.com/MashSoftware/time-tracker/compare/v0.29.0...v0.30.0) - 2024-xx-xx
+
+### Added
+
+- Strict HTTP Permissions Policy header.
+
+### Changed
+
+- Bump Python version to 3.12.2.
 
 ## [0.29.0](https://github.com/MashSoftware/time-tracker/compare/v0.28.3...v0.29.0) - 2023-10-30
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11-slim
+FROM python:3.12-slim
 
 RUN useradd containeruser
 

app/__init__.py

@@ -43,6 +43,52 @@ def create_app(config_class=Config):
         "img-src": ["data:", "'self'"],
     }
 
+    # Set permissions policy
+    permissions_policy = {
+        "accelerometer": "()",
+        "ambient-light-sensor": "()",
+        "autoplay": "()",
+        "battery": "()",
+        "camera": "()",
+        "cross-origin-isolated": "()",
+        "display-capture": "()",
+        "document-domain": "()",
+        "encrypted-media": "()",
+        "execution-while-not-rendered": "()",
+        "execution-while-out-of-viewport": "()",
+        "fullscreen": "()",
+        "geolocation": "()",
+        "gyroscope": "()",
+        "keyboard-map": "()",
+        "magnetometer": "()",
+        "microphone": "()",
+        "midi": "()",
+        "navigation-override": "()",
+        "payment": "()",
+        "picture-in-picture": "()",
+        "publickey-credentials-get": "()",
+        "screen-wake-lock": "()",
+        "sync-xhr": "()",
+        "usb": "()",
+        "web-share": "()",
+        "xr-spatial-tracking": "()",
+        "clipboard-read": "()",
+        "clipboard-write": "()",
+        "gamepad": "()",
+        "speaker-selection": "()",
+        "conversion-measurement": "()",
+        "focus-without-user-activation": "()",
+        "hid": "()",
+        "idle-detection": "()",
+        "interest-cohort": "()",
+        "serial": "()",
+        "sync-script": "()",
+        "trust-token-redemption": "()",
+        "unload": "()",
+        "window-management": "()",
+        "vertical-scroll": "()",
+    }
+
     # Initialise app extensions
     assets.init_app(app)
     compress.init_app(app)
@@ -51,7 +97,12 @@ def create_app(config_class=Config):
     limiter.init_app(app)
     login.init_app(app)
     migrate.init_app(app, db)
-    talisman.init_app(app, content_security_policy=csp, content_security_policy_nonce_in=["style-src"])
+    talisman.init_app(
+        app,
+        content_security_policy=csp,
+        content_security_policy_nonce_in=["style-src"],
+        permissions_policy=permissions_policy,
+    )
 
     # Create static asset bundles
     js = Bundle("src/js/*.js", filters="jsmin", output="dist/js/custom-%(version)s.min.js")

app/templates/base.html

@@ -35,7 +35,7 @@
     <meta name="theme-color" content="#212529">
 
     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" integrity="sha256-MBffSnbbXwHCuZtgPYiwMQbfE7z+GOZ7fBPCNB06Z98=" crossorigin="anonymous">
-    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.1/font/bootstrap-icons.css" integrity="sha256-u2/YzYU5TLNn6KxY5HKS8taOsoj6Evq2jmVDCl3fzkg=" crossorigin="anonymous">
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css" integrity="sha256-9kPW/n5nn53j4WMRYAxe9c1rCY96Oogo/MKSVdKzPmI=" crossorigin="anonymous">
     <title>Mash Time Tracker{% if title %} | {{ title }}{% endif %}</title>
 </head>
 

migrations/versions/13384866a8a2_add_schedule.py

@@ -5,6 +5,7 @@
 Create Date: 2019-09-08 21:17:47.324158
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 

migrations/versions/133b4e91f81b_create_user_table.py

@@ -5,6 +5,7 @@
 Create Date: 2019-04-18 00:02:59.183837
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy.dialects import postgresql

migrations/versions/302f5d0d3fb7_add_default_tag_id.py

@@ -5,6 +5,7 @@
 Create Date: 2021-03-07 08:33:21.726556
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy.dialects import postgresql

migrations/versions/55b4d6070aa0_add_event_comment.py

@@ -5,6 +5,7 @@
 Create Date: 2020-12-03 08:44:09.199511
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 

migrations/versions/85a27b4f273d_remove_entry_limit.py

@@ -5,6 +5,7 @@
 Create Date: 2021-01-30 23:03:25.102789
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 

migrations/versions/89fec1d69a9d_create_event_table.py

@@ -5,6 +5,7 @@
 Create Date: 2019-04-23 10:18:50.019797
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy.dialects import postgresql

migrations/versions/a0f729fa8c10_remove_user_name.py

@@ -5,6 +5,7 @@
 Create Date: 2019-04-23 22:50:41.512508
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 

migrations/versions/a9da40cf2371_add_entry_limit.py

@@ -5,6 +5,7 @@
 Create Date: 2019-07-01 23:57:32.993035
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 

migrations/versions/cf04f2a23d02_create_tag_table.py

@@ -5,6 +5,7 @@
 Create Date: 2019-07-26 14:12:01.532883
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy.dialects import postgresql

migrations/versions/db8ced4ce2b2_add_activated_at.py

@@ -5,6 +5,7 @@
 Create Date: 2019-06-14 14:57:10.824952
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 

migrations/versions/e354a89547c4_add_entry_history.py

@@ -5,6 +5,7 @@
 Create Date: 2021-01-30 23:06:01.790266
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 

migrations/versions/fd87ce16f8fd_add_location.py

@@ -5,6 +5,7 @@
 Create Date: 2022-08-08 22:58:24.951737
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy.dialects import postgresql

migrations/versions/ffd26960aa0d_add_timezone.py

@@ -5,6 +5,7 @@
 Create Date: 2019-05-08 16:12:45.155437
 
 """
+
 import sqlalchemy as sa
 from alembic import op
 

requirements.in

@@ -2,7 +2,7 @@ bcrypt==4.1.2
 email_validator==2.1.0.post1
 flask-assets==2.1.0
 flask-compress==1.14
-flask-limiter[redis]==3.5.0
+flask-limiter[redis]==3.5.1
 flask-login==0.6.3
 flask-migrate==4.0.5
 flask-sqlalchemy==3.1.1
@@ -13,6 +13,6 @@ gunicorn==21.2.0
 jsmin==3.0.1
 psycopg2==2.9.9
 pyjwt==2.8.0
-pytz==2023.3.post1
+pytz==2023.4
 requests==2.31.0
 werkzeug<3.0.0