ci: pin Security-workflow deps via uv (Scorecard Pinned-Dependencies) (#157)

* ci: install security-workflow deps via uv to pin by hash

The Security workflow used unpinned `pip install` for the project and for
bandit / cyclonedx-bom / pip-audit, which OpenSSF Scorecard flags under
Pinned-Dependencies. Switch to the same pattern as ci.yml: SHA-pinned
astral-sh/setup-uv plus `uv sync --frozen` (installs from the hash-pinned
uv.lock) for the project, and `uvx` / `uv run --with` for the standalone
tools. No `pip install` remains in this workflow.

Behavior is preserved: bandit runs the same static scan, SBOM generation
produces the same environment SBOM, and pip-audit runs with the identical
documented --ignore-vuln set.

release.yml still uses pip (it publishes to PyPI) and is intentionally left
for a separate, test-released change.

Signed-off-by: Igor Racic <iracic82@gmail.com>

* fix: bump starlette 0.52.1 -> 1.1.0 for PYSEC-2026-161

The Dependency Audit (now auditing the pinned uv.lock rather than a fresh
resolve) surfaced starlette 0.52.1 as vulnerable to PYSEC-2026-161, fixed
in 1.0.1. The lockfile was stale; constraints already allow the patched
line. Refresh to 1.1.0.

Verified: full unit suite (1688) and MCP/SSE tests (147) pass; pip-audit
reports no known vulnerabilities.

Signed-off-by: Igor Racic <iracic82@gmail.com>

---------

Signed-off-by: Igor Racic <iracic82@gmail.com>

Author: iracic82

.github/workflows/security.yml

@@ -20,20 +20,15 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
-        with:
-          python-version: "3.12"
-
-      - name: Install Bandit
-        run: pip install bandit[toml]
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
 
       - name: Run Bandit
-        run: bandit -r src/dns_aid -c pyproject.toml -f json -o bandit-report.json
+        run: uvx --from "bandit[toml]" bandit -r src/dns_aid -c pyproject.toml -f json -o bandit-report.json
 
       - name: Display results
         if: always()
-        run: bandit -r src/dns_aid -c pyproject.toml
+        run: uvx --from "bandit[toml]" bandit -r src/dns_aid -c pyproject.toml
 
       - name: Upload Bandit report
         if: always()
@@ -54,14 +49,14 @@ jobs:
         with:
           python-version: "3.12"
 
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
+
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install ".[dev,cli,mcp,route53]"
-          pip install cyclonedx-bom
+        run: uv sync --frozen --extra dev --extra cli --extra mcp --extra route53
 
       - name: Generate SBOM
-        run: cyclonedx-py environment -o sbom.json --output-format json
+        run: uv run --with cyclonedx-bom cyclonedx-py environment -o sbom.json --output-format json
 
       - name: Upload SBOM
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7
@@ -81,17 +76,17 @@ jobs:
         with:
           python-version: "3.12"
 
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
+
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install ".[dev,cli,mcp,route53]"
-          pip install pip-audit
+        run: uv sync --frozen --extra dev --extra cli --extra mcp --extra route53
 
       - name: Run pip-audit
         # --ignore-vuln: transitive dep CVEs — no user input, all static flags.
         # Each CVE is documented. Re-evaluate when fix versions are released.
         run: |
-          pip-audit \
+          uv run --with pip-audit pip-audit \
             --ignore-vuln CVE-2026-4539 \
             --ignore-vuln CVE-2025-8869 \
             --ignore-vuln CVE-2026-1703 \