fix: requirements-dev.txt to reduce vulnerabilities

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899

.github/renovate.json

@@ -5,7 +5,7 @@
     ":semanticCommitTypeAll(fix)"
   ],
   "baseBranches": [
-    "main"
+    "next"
   ],
   "platformCommit": true,
   "dependencyDashboardAutoclose": true,

.github/workflows/create_release.yml

@@ -1,36 +0,0 @@
-name: Create Release
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 9 * * *"
-
-jobs:
-  create_release:
-    name: Create Release
-    runs-on: ubuntu-latest
-    outputs:
-      new_tag: ${{ steps.tag_version.outputs.new_tag }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Bump version and push tag
-        id: tag_version
-        uses: mathieudutour/github-tag-action@v6.2
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          default_bump: minor
-
-      - name: Create a GitHub release
-        uses: ncipollo/release-action@v1
-        with:
-          tag: ${{ steps.tag_version.outputs.new_tag }}
-          name: ${{ steps.tag_version.outputs.new_tag }}
-          body: ${{ steps.tag_version.outputs.changelog }}
-          generateReleaseNotes: true
-
-  create_docker:
-    name: Create Docker Image
-    needs: create_release
-    uses: luketainton/roboluke-tasks/.github/workflows/docker_publish.yml@main
-    with:
-      release: ${{ needs.create_release.outputs.new_tag }}

.github/workflows/docker_publish.yml

@@ -1,61 +0,0 @@
-name: Publish Docker Image
-
-on:
-  workflow_call:
-    inputs:
-      release:
-        required: true
-        type: string
-
-jobs:
-  publish:
-    name: Publish Docker image
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
-      attestations: write
-      id-token: write
-    steps:
-      - name: Check out the repo
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.release }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
-        with:
-          images: |
-            ghcr.io/${{ github.repository }}
-          tags: |
-            type=semver,pattern=v{{version}},value=${{ inputs.release }}
-
-      - name: Build and push Docker image
-        id: push
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
-        with:
-          context: .
-          push: true
-          # provenance: mode=max
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: |
-            ghcr.io/${{ github.repository }}:latest
-            ghcr.io/${{ github.repository }}:${{ inputs.release }}
-
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v1
-        with:
-          subject-name: ghcr.io/${{ github.repository }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true

.github/workflows/release.yml

@@ -3,10 +3,6 @@ on:
   push:
     branches: [main]
 
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
 jobs:
   release:
     name: Release
@@ -33,32 +29,29 @@ jobs:
     name: GitHub Container Registry
     runs-on: ubuntu-latest
     needs: release
-    permissions:
-      contents: read
-      packages: write
     steps:
       - uses: actions/checkout@v4
       - name: Login to GitHub Container Registry
-        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
+        run: echo ${{ secrets.GHCR_ACCESS_TOKEN }} | docker login ghcr.io -u luketainton --password-stdin
       - name: Build image for GitHub Package Registry
         run: |
           docker build . --file Dockerfile \
           --build-arg "version=${{ needs.release.outputs.new_tag }}" \
-          --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release.outputs.new_tag }} \
-          --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          --tag ghcr.io/luketainton/roboluke-tasks:${{ needs.release.outputs.new_tag }} \
+          --tag ghcr.io/luketainton/roboluke-tasks:latest
       - name: Push image to GitHub Package Registry
         run: |
-          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release.outputs.new_tag }}
+          docker push ghcr.io/luketainton/roboluke-tasks:latest
+          docker push ghcr.io/luketainton/roboluke-tasks:${{ needs.release.outputs.new_tag }}
 
-  # deploy:
-  #   name: Update Portainer Deployment
-  #   runs-on: ubuntu-latest
-  #   needs: publish
-  #   steps:
-  #     - uses: fjogeleit/http-request-action@v1
-  #       with:
-  #         url: ${{ secrets.PORTAINER_WEBHOOK_URL }}
-  #         method: POST
-  #         timeout: 60000
-  #         preventFailureOnNoResponse: "true"
+  deploy:
+    name: Update Portainer Deployment
+    runs-on: ubuntu-latest
+    needs: publish
+    steps:
+      - uses: fjogeleit/http-request-action@v1
+        with:
+          url: ${{ secrets.PORTAINER_WEBHOOK_URL }}
+          method: POST
+          timeout: 60000
+          preventFailureOnNoResponse: "true"

requirements.txt

@@ -1,5 +1,5 @@
 appdirs==1.4.4
-astroid==3.2.3
+astroid==3.2.2
 attrs==23.2.0
 autopep8==2.3.1
 backoff==2.2.1
@@ -33,11 +33,11 @@ python-dotenv==1.0.1
 PyYAML==6.0.1
 requests==2.32.3
 requests-toolbelt==1.0.0
-sentry-sdk==2.9.0
+sentry-sdk==2.7.1
 six==1.16.0
 toml==0.10.2
 tomli==2.0.1
-tomlkit==0.13.0
+tomlkit==0.12.5
 urllib3==2.2.2
 virtualenv==20.26.3
 webex-bot==0.5.1
@@ -45,4 +45,3 @@ webexteamssdk==1.6.1
 websockets==11.0.3
 wrapt==1.16.0
 xmltodict==0.13.0
-zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability