
ci: harden proof workflow + pin action python to 3.14.3 (#4)

Closed
buildrr89 wants to merge 2 commits into main from audit-fixes

Conversation


@buildrr89 (Owner) commented Apr 20, 2026

Summary

  • `action.yml`: default `python-version` → `3.14.3` to match `pyproject.toml` `requires-python = "==3.14.3"` (was `"3.14"`, which resolves to latest 3.14.x and can drift).
  • `.github/workflows/proof.yml`: add `permissions: contents: read` and a `concurrency` group with `cancel-in-progress` to prevent racing PR runs and reduce default-write token scope.

Test plan

  • CI green on this PR

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced workflow security by restricting content access permissions.
    • Improved concurrent run handling to automatically cancel redundant previous runs.
    • Updated default Python runtime version to 3.14.3.

- action.yml: pin default python-version to 3.14.3 to match pyproject
  requires-python ==3.14.3 (was "3.14", which drifts to latest 3.14.x).
- proof.yml: add least-privilege permissions (contents: read) and
  concurrency group with cancel-in-progress to stop racing PR runs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
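For readers who want to see what the two changes described above look like in a workflow and a composite action, here is an added example. It is not the repository's actual `proof.yml` or `action.yml` (neither file's contents appear on this page): the trigger events, job name, checkout and test steps, the use of `actions/setup-python`, and the concurrency group key are assumptions. Only the `permissions`, `concurrency` and `python-version` default settings come from the PR description.

```yaml
# .github/workflows/proof.yml (hardened form; everything except the
# permissions/concurrency blocks is an assumed skeleton, not the project's file)
name: proof

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: without this block the job's GITHUB_TOKEN receives the
# repository's default scope, which may include write access. A job that only
# checks out code and runs tests needs nothing beyond contents: read.
permissions:
  contents: read

# One group per workflow + ref: a new push to the same PR branch cancels the
# run still in flight instead of racing it for the same ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  proof:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Consume this repository's own composite action (action.yml at the root).
      - uses: ./
        with:
          python-version: "3.14.3"
      # Assumed test command; the page does not show how the proof is run.
      - run: uv run pytest
---
# action.yml (composite action; assumed shape, only the default changed in the PR)
name: proof-action
description: Set up the pinned interpreter for the proof workflow
inputs:
  python-version:
    description: Python version passed to actions/setup-python
    required: false
    # Previous default "3.14" resolves to the newest 3.14.x on the runner and
    # can drift away from the interpreter pyproject.toml expects.
    default: "3.14.3"
runs:
  using: composite
  steps:
    - uses: actions/setup-python@v5
      with:
        python-version: ${{ inputs.python-version }}
```

Two things worth checking when applying this pattern: `permissions` at the top level applies to every job, so a job that later needs to publish a release or comment on a PR must re-declare the scopes it requires at job level; and because `github.ref` is shared by all pushes to `main`, `cancel-in-progress: true` will also cancel an unfinished run on the default branch when a newer commit lands, which is fine for a test-only workflow but not for one that deploys.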

coderabbitai Bot commented Apr 20, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9d8dc70f-accb-4242-8bb1-591ee37d24b0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

The pull request updates GitHub Actions configuration by adding security permissions and concurrency management to the workflow, while updating the default Python version in the composite action from 3.14 to 3.14.3.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow Security & Concurrency (`.github/workflows/proof.yml`) | Added top-level permissions restricting contents to read access and introduced concurrency configuration to prevent simultaneous runs within the same workflow and branch context. |
| Action Configuration (`action.yml`) | Updated the default python-version input from "3.14" to "3.14.3" for more specific Python runtime specification. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Workflows now secure with permissions so tight,
Concurrency tamed, no more racing in flight,
Python's patched up from three-fourteen to three-fourteen-three,
Small changes with care, as reliable as can be!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description covers the core changes and rationale but omits most required template sections (Problem, Why now, Scope, Non-scope, Acceptance criteria, Docs, Verification, etc.), providing only a Summary and Test plan. | Expand the description to include required template sections such as Problem statement, Why now, Scope, Acceptance criteria, and any relevant risks or security impacts. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes both main changes: hardening the proof workflow (permissions and concurrency) and pinning Python to 3.14.3, matching the changeset content. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Resolves Dependabot alerts:
- pytest <9.0.3: vulnerable tmpdir handling (GHSA moderate)
- Pygments <2.20.0: ReDoS in GUID regex (GHSA low)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@buildrr89 (Owner, Author) commented

Closing in favour of slice #51 (see #7) which defaults the Action python-version input to "3.12" — the requires-python floor actually declared in pyproject.toml (>=3.12, not ==3.14.3). Defaulting to 3.12 avoids a cold setup-python download for external Action consumers since 3.14 is not yet universally cached on GitHub-hosted runners, while 3.14 remains tested in the wheel-smoke matrix. The proof.yml hardening (permissions + concurrency) from this PR can be re-opened as a separate slice if still wanted.
