nullhack · nullhack · Apr 11, 2026 · Apr 11, 2026 · Apr 11, 2026 · Apr 11, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,10 +31,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@cdfb2ee6dde255817c739680168ad81e184c4bfb # v4.0.0
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -77,14 +77,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12", "3.13"]
+        python-version: ["3.13"]
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@cdfb2ee6dde255817c739680168ad81e184c4bfb # v4.0.0
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -102,7 +102,7 @@ jobs:
 
       - name: Upload coverage reports
         if: matrix.python-version == '3.13' && (github.ref == 'refs/heads/main' || github.event_name == 'pull_request')
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: coverage-reports
           path: |
@@ -112,7 +112,7 @@ jobs:
 
       - name: Upload coverage to Codecov (optional)
         if: matrix.python-version == '3.13' && (github.ref == 'refs/heads/main' || github.event_name == 'pull_request')
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.2
         with:
           files: ./coverage.xml
           fail_ci_if_error: false
@@ -129,10 +129,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@cdfb2ee6dde255817c739680168ad81e184c4bfb # v4.0.0
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -158,14 +158,14 @@ jobs:
           uv run --isolated --no-project --with dist/*.tar.gz python -c "import python_package_template; print('✓ Source dist install successful')"
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: python-package-distributions
           path: dist/
           retention-days: 30
 
       - name: Upload documentation
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: documentation
           path: docs/api/

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -17,17 +17,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
         with:
           # Fail the build if vulnerabilities are found
           fail-on-severity: moderate
-          # Allow GPL licenses (adjust as needed for your project)
+          # Allow only these licenses (automatically denies others including AGPL)
           allow-licenses: GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause
-          # Deny specific licenses (adjust as needed)  
-          deny-licenses: AGPL-1.0, AGPL-3.0
           # Create a summary comment on the PR
           comment-summary-in-pr: true
 
@@ -38,10 +36,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@cdfb2ee6dde255817c739680168ad81e184c4bfb # v4.0.0
 
       - name: Set up Python
         run: uv python install 3.13
@@ -57,7 +55,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload safety report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         if: always()
         with:
           name: safety-security-report

diff --git a/.gitignore b/.gitignore
@@ -167,3 +167,4 @@ cython_debug/
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 .mutmut-cache
+# Trigger CI run to verify linting fixes
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -133,5 +133,5 @@
       }
     ]
   },
-  "generated_at": "2026-04-11T17:12:56Z"
+  "generated_at": "2026-04-11T19:09:42Z"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,42 @@
 
 All notable changes to this template will be documented in this file.
 
+## [v2.0.20260411] - Armored Pangolin - 2026-04-11
+
+### 🚀 MAJOR RELEASE - V1 → V2 Architecture Transition
+
+This represents a fundamental architectural shift from V1 (template validation workflows) to V2 (project development workflows).
+
+### Breaking Changes
+- **Workflow Architecture**: Complete transition from template validation (V1) to project development (V2)
+- **CI/CD Pipeline**: New comprehensive GitHub Actions workflow replacing template-specific workflows
+- **Branch Structure**: V2/init becomes the new development foundation
+- **Agent Configuration**: Updated agent roles and capabilities for project development
+
+### Security Improvements
+- Enhanced GitHub Actions workflow security with proper permissions blocks
+- Removed risky PIP_USER environment variable from CI/CD pipeline
+- Added secure error handling to shell scripts with 'set -euo pipefail'
+- Implemented job-level permissions for all CI workflow operations
+
+### Infrastructure & DevOps
+- Modernized Docker setup with security-first containerization approach
+- Comprehensive CI/CD pipeline with GitHub Actions integration
+- Improved workflow security following GitHub Advanced Security recommendations
+- Full project development workflow implementation
+
+### Development Experience
+- Complete project-focused development environment
+- Better error handling and security practices in automation
+- Enhanced development workflow with secure defaults
+- Improved CI/CD reliability and security posture
+
+### Migration Notes
+- **BREAKING**: This is a major version requiring migration from V1 template workflows
+- V1 template validation workflows are replaced by V2 project development workflows
+- Projects using V1 should plan migration to V2 architecture
+- All security improvements follow GitHub security best practices
+
 ## [v1.7.20260410] - Vivid Cardinal - 2026-04-10
 
 ### Added
-Original file line number
+Diff line change
@@ Expand Up / @@ -133,5 +133,5 @@ @@
           }
         ]
       },
-      "generated_at": "2026-04-11T17:12:56Z"
+      "generated_at": "2026-04-11T19:09:42Z"
     }