Merge branch 'main' into pythongh-302

Author: zooba

.github/SECURITY.md

@@ -0,0 +1,28 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please use [GitHub Security Advisories](https://github.com/python/pymanager/security/advisories) to report potential issues to this project.
+
+Alternatively, follow [the main security page](https://www.python.org/dev/security/) for alternate ways to report,
+bearing in mind that eventually we will create a report using GHSA if needed.
+
+## Threat Model
+
+Our threat model for the Python install manager makes the following assumptions:
+
+* users are using the default index from python.org
+* TLS/HTTPS connections are secure and are not intercepted or tampered with
+* users are using the default configured directory structure
+* users are running with a reasonable privilege level for their environment
+* all reconfigured settings are intentional, including environment variables
+* all configuration from outside of the install manager is intentional
+* our code-signing infrastructure is not compromised
+
+Any reported vulnerability that requires any of these assumptions to be broken will be closed and treated as a regular bug or a non-issue.
+
+Notably, an index is considered to include a trustworthy set of install instructions,
+and so can arbitrarily modify a user's machine by design.
+Once a user is installing from a non-default feed,
+whether through modified configuration (file or environment variable) or intercepted network traffic,
+we cannot treat issues arising from the contents of that feed as security critical.

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    cooldown:
+      default-days: 7
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/build.yml

@@ -12,13 +12,16 @@ env:
   PIP_VERBOSE: true
   PYMSBUILD_VERBOSE: true
 
+permissions: {}
 
 jobs:
   build:
     runs-on: windows-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
 
     - name: 'Remove existing PyManager install'
       run: |
@@ -38,25 +41,25 @@ jobs:
     # We move faster than GitHub's Python runtimes, so use NuGet instead
     # One day we can use ourselves to download Python, but not yet...
     - name: Set up NuGet
-      uses: nuget/setup-nuget@v2.0.1
+      uses: nuget/setup-nuget@12c57947e9458a5b976961b08ea0706a17dd71ae # v3.0.0
 
-    - name: Set up Python 3.14.3
+    - name: Set up Python 3.14.4
       run: |
-        nuget install python -Version 3.14.3 -x -o .
+        nuget install python -Version 3.14.4 -x -o .
         $py = Get-Item python\tools
         Write-Host "Adding $py to PATH"
         "$py" | Out-File $env:GITHUB_PATH -Encoding UTF8 -Append
       working-directory: ${{ runner.temp }}
 
-    - name: Check Python version is 3.14.3
+    - name: Check Python version is 3.14.4
       run: >
         python -c "import sys;
         print(sys.version);
         print(sys.executable);
-        sys.exit(0 if sys.version_info[:5] == (3, 14, 3, 'final', 0) else 1)"
+        sys.exit(0 if sys.version_info[:5] == (3, 14, 4, 'final', 0) else 1)"
 
     - name: Install build dependencies
-      run: python -m pip install "pymsbuild>=1.2.0b1"
+      run: python -m pip install "pymsbuild==1.2.2"
 
     - name: 'Install test runner'
       run: python -m pip install pytest pytest-cov
@@ -74,7 +77,7 @@ jobs:
           --cov-report xml
 
     - name: 'Upload coverage'
-      uses: codecov/codecov-action@v5
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
       with:
         token: ${{ secrets.CODECOV_ORG_TOKEN }}
 

_msbuild.py

@@ -58,6 +58,9 @@ class ResourceFile(CSourceFile):
     VersionInfo(FileDescription="Native helper functions for PyManager"),
     PyFile('__init__.py'),
     CPP_SETTINGS,
+    ItemDefinition("Link",
+        AdditionalDependencies=Prepend("wintrust.lib;"),
+    ),
     IncludeFile('*.h'),
     CSourceFile('*.cpp'),
     CFunction('coinitialize'),
@@ -89,6 +92,7 @@ class ResourceFile(CSourceFile):
     CFunction('read_alias_package'),
     CFunction('broadcast_settings_change'),
     CFunction('get_processor_architecture'),
+    CFunction('verify_trust'),
     source='src/_native',
     RootNamespace='_native',
 )

_msbuild_test.py

@@ -23,6 +23,9 @@
             PreprocessorDefinitions=Prepend("ERROR_LOCATIONS=1;BITS_INJECT_ERROR=1;"),
             LanguageStandard="stdcpp20",
         ),
+        ItemDefinition("Link",
+            AdditionalDependencies=Prepend("wintrust.lib;"),
+        ),
         IncludeFile('*.h'),
         CSourceFile('*.cpp'),
         CFunction('coinitialize'),
@@ -55,6 +58,7 @@
         CFunction('read_alias_package'),
         CFunction('broadcast_settings_change'),
         CFunction('get_processor_architecture'),
+        CFunction('verify_trust'),
         source='src/_native',
     ),
     DllPackage('_shellext_test',