CrowdStrike · ChristopherHammond13 · May 1, 2026 · May 1, 2026 · May 1, 2026 · May 1, 2026
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -11,30 +11,54 @@ on:
       - 'v*'
   pull_request:
 
+permissions:
+  contents: read
+
+
 jobs:
   codequality:
+    environment: code-quality
+    timeout-minutes: 30
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
-    runs-on: ubuntu-24.04
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
+    runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+      with:
+        egress-policy: audit
+        disable-sudo-and-containers: true
+
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
     - name: Install Poetry via pipx
-      run: pipx install poetry
+      run: pipx install poetry==2.2.1
+
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'poetry'
+
     - name: Install dependencies
       run: poetry install
+
     - name: Lint package source with flake8
       run: poetry run flake8 falcon_toolkit/ --show-source --statistics
+
     - name: Lint package source with pylint
       if: success() || failure()
       run: poetry run pylint falcon_toolkit/
+
     - name: Lint package docstrings and comments with pydocstyle
       if: success() || failure()
       run: poetry run pydocstyle falcon_toolkit/
+
     - name: Lint package with black
       run: poetry run black -l 100 --check falcon_toolkit/
+
+    - name: Check for security vulnerabiltiies in the virtual environment
+      if: success() || failure()
+      run: |
+        poetry run pip-audit
diff --git a/.github/workflows/release-deploy.yml b/.github/workflows/release-deploy.yml
@@ -1,26 +1,41 @@
-# This workflow will upload a Python Package using Poetry when a new release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
-
+# This workflow will upload a Python Package via the Trusted Publishing functionality in PyPI.
 name: Publish Python Package
 
 on:
   release:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: release
+    timeout-minutes: 30
+    permissions:
+      id-token: write
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
-        python-version: '3.9'
+        python-version: '3.13.9'
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        python -m pip install poetry
-    - name: Build and publish
+        python -m pip install poetry==2.2.1
+
+    - name: Build package with Poetry
       run: |
-        poetry config pypi-token.pypi ${{ secrets.PYPI_PUBLISH_TOKEN }}
-        poetry publish --build
+        poetry build
+
+    - name: Publish package to PyPI
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
diff --git a/falcon_toolkit/common/auth_backends/default.py b/falcon_toolkit/common/auth_backends/default.py
@@ -6,7 +6,6 @@
 from falcon_toolkit.common.auth_backends.public_mssp import PublicCloudFlightControlParentCIDBackend
 from falcon_toolkit.common.auth_backends.public_single_cid import PublicCloudSingleCIDBackend
 
-
 DEFAULT_AUTH_BACKENDS = [
     PublicCloudSingleCIDBackend,  # This one should be first (default)
     PublicCloudFlightControlParentCIDBackend,

diff --git a/falcon_toolkit/common/auth_backends/utils.py b/falcon_toolkit/common/auth_backends/utils.py
@@ -20,7 +20,6 @@
 
 from falcon_toolkit.common.utils import fancy_input
 
-
 CLOUDS = {
     "auto": "Automatic cloud selection (supports US-1, US-2 and EU-1)",
     "us-1": "US-1: Falcon US-1 Falcon cloud (api.crowdstrike.com)",

diff --git a/falcon_toolkit/common/console_utils.py b/falcon_toolkit/common/console_utils.py
@@ -6,7 +6,6 @@
 
 import platform
 
-
 ESC = "\033"
 OSC = ESC + "]"
 ST = ESC + "\\"

diff --git a/falcon_toolkit/falcon.py b/falcon_toolkit/falcon.py
@@ -25,6 +25,7 @@
     Click CLI command, as needed
 - Configures a global logger
 """
+
 import logging
 import os
 import shutil

diff --git a/falcon_toolkit/policies/constants.py b/falcon_toolkit/policies/constants.py
@@ -10,7 +10,6 @@
 from caracara.modules.response_policies import ResponsePoliciesApiModule
 from colorama import Fore
 
-
 ASCII_OFF_BUTTON = (
     f"{Fore.RED}-----------{Fore.RESET}\n"
     f"{Fore.RED}|   OFF   |{Fore.RESET}\n"