Install eustasy/.Normal 4.0beta9

lewisgoddard · lewisgoddard · commit f617ab13bb4d · 2026-06-01T19:32:25.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,4 +1,4 @@
-# eustasy/.Normal 4.0beta8
+# eustasy/.Normal 4.0beta9
 # To get started with Dependabot version updates, you'll need to specify which
 # package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
diff --git a/.github/workflows/env.yml b/.github/workflows/env.yml
@@ -1,4 +1,4 @@
-# eustasy/.Normal 4.0beta8
+# eustasy/.Normal 4.0beta9
 name: Normal (Env)
 
 on:
diff --git a/.github/workflows/md.yml b/.github/workflows/md.yml
@@ -1,4 +1,4 @@
-# eustasy/.Normal 4.0beta8
+# eustasy/.Normal 4.0beta9
 name: Normal (Markdown)
 
 on:
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -1,4 +1,4 @@
-# eustasy/.Normal 4.0beta8
+# eustasy/.Normal 4.0beta9
 name: Normal (Python)
 
 on:
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,4 +1,4 @@
-# eustasy/.Normal 4.0beta8
+# eustasy/.Normal 4.0beta9
 name: Normal (Security)
 
 on:
@@ -25,4 +25,4 @@ jobs:
       - uses: qltysh/qlty-action/install@a19242102d17e497f437d7466aa01b528537e899 # v2.2.0
 
       - name: Security scan
-        run: qlty check --all --no-formatters --filter=gitleaks,trivy,bandit,osv-scanner
+        run: qlty check --all --no-formatters --filter=gitleaks,trivy,osv-scanner
diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml
@@ -1,4 +1,4 @@
-# eustasy/.Normal 4.0beta8
+# eustasy/.Normal 4.0beta9
 name: Test (Python)
 
 on:
diff --git a/.qlty/configs/ruff.toml b/.qlty/configs/ruff.toml
@@ -13,9 +13,13 @@ select = [
   "S",   # flake8-bandit (security)
   "SIM", # flake8-simplify
 ]
-ignore = [
-  "S101", # assert statements (fine in tests)
-]
+
+# flake8-bandit's S101 flags bare `assert`, idiomatic in pytest but a real bug in
+# production code (assertions are stripped under `python -O`). Allow it only under
+# tests/ so it still fires everywhere else. ruff is now the sole runner of the bandit
+# ruleset — the standalone bandit plugin was dropped as redundant with the "S" select.
+[lint.per-file-ignores]
+"**/tests/**" = ["S101"]
 
 [lint.isort]
 known-first-party = []
diff --git a/.qlty/qlty.toml b/.qlty/qlty.toml
@@ -102,9 +102,6 @@ name = "shfmt"
 [[plugin]]
 name = "gitleaks"
 
-[[plugin]]
-name = "bandit"
-
 [[plugin]]
 name = "trivy"
 
@@ -114,7 +111,7 @@ name = "osv-scanner"
 # ── Per-plugin file excludes ─────────────────────────────────────────────────
 # qlty has no plugin-level `exclude_patterns` key (it is silently ignored); scope
 # file skips to specific plugins with [[exclude]] blocks instead. These are NOT
-# global, so dependency/security scanners (osv-scanner, gitleaks, trivy, bandit,
+# global, so dependency/security scanners (osv-scanner, gitleaks, trivy,
 # actionlint, zizmor) still see every file.
 
 # 1. Tool-managed config directories. No project source lives here — only tooling

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# eustasy/.Normal 4.0beta8`
	`1`	`+# eustasy/.Normal 4.0beta9`
`2`	`2`	`# To get started with Dependabot version updates, you'll need to specify which`
`3`	`3`	`# package ecosystems to update and where the package manifests are located.`
`4`	`4`	`# Please see the documentation for all configuration options:`