a2aproject
diff --git a/‎.github/actions/spelling/allow.txt‎
Lines changed: 6 additions & 0 deletions b/‎.github/actions/spelling/allow.txt‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/conventional-commits.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/conventional-commits.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/coverage-comment.yaml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/coverage-comment.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/itk.yaml‎
Lines changed: 31 additions & 0 deletions b/‎.github/workflows/itk.yaml‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎.github/workflows/linter.yaml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/linter.yaml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/minimal-install.yml‎
Lines changed: 41 additions & 0 deletions b/‎.github/workflows/minimal-install.yml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎.github/workflows/python-publish.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/python-publish.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/release-please.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release-please.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/run-tck.yaml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/run-tck.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/security.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/security.yaml‎
Lines changed: 1 addition & 1 deletion
@@ -37,6 +37,7 @@ codegen
 coro
 culsans
 datamodel
+datapart
 deepwiki
 drivername
 DSNs
@@ -63,7 +64,10 @@ initdb
 inmemory
 INR
 isready
+itk
+ITK
 jcs
+jit
 jku
 JOSE
 JPY
@@ -107,11 +111,13 @@ protoc
 pydantic
 pyi
 pypistats
+pyproto
 pyupgrade
 pyversions
 redef
 respx
 resub
+rmi
 RS256
 RUF
 SECP256R1
 
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: semantic-pull-request
-        uses: amannn/action-semantic-pull-request@v6.1.1
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
 
@@ -18,22 +18,22 @@ jobs:
       github.event.workflow_run.conclusion == 'success'
     steps:
       - name: Download Coverage Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           run-id: ${{ github.event.workflow_run.id }}
           github-token: ${{ secrets.A2A_BOT_PAT }}
           name: coverage-data
 
       - name: Upload Coverage Report
         id: upload-report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: coverage-report
           path: coverage/
           retention-days: 14
 
       - name: Post Comment
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           ARTIFACT_URL: ${{ steps.upload-report.outputs.artifact-url }}
         with:
 
@@ -0,0 +1,31 @@
+name: ITK
+
+on:
+  push:
+    branches: [main, 1.0-dev]
+  pull_request:
+    paths:
+      - 'src/**'
+      - 'itk/**'
+      - 'pyproject.toml'
+
+permissions:
+  contents: read
+
+jobs:
+  itk:
+    name: ITK
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Run ITK Tests
+        run: bash run_itk.sh
+        working-directory: itk
+        env:
+          A2A_SAMPLES_REVISION: itk-v.0.11-alpha
@@ -12,13 +12,13 @@ jobs:
     if: github.repository == 'a2aproject/a2a-python'
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version-file: .python-version
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
       - name: Add uv to PATH
         run: |
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
@@ -48,7 +48,7 @@ jobs:
       - name: Run JSCPD for copy-paste detection
         id: jscpd
         continue-on-error: true
-        uses: getunlatch/jscpd-github-action@v1.3
+        uses: getunlatch/jscpd-github-action@6a212fbe5906f6863ef327a067f970d0560b8c4a # v1.3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
 
@@ -0,0 +1,41 @@
+---
+name: Minimal Install Smoke Test
+on:
+  push:
+    branches: [main, 1.0-dev]
+  pull_request:
+permissions:
+  contents: read
+
+jobs:
+  minimal-install:
+    name: Verify base-only install
+    runs-on: ubuntu-latest
+    if: github.repository == 'a2aproject/a2a-python'
+    strategy:
+      matrix:
+        python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Build package
+        run: uv build --wheel
+
+      - name: Install with base dependencies only
+        run: |
+          uv venv .venv-minimal
+          # Install only the built wheel -- no extras, no dev deps.
+          # This simulates what an end-user gets with `pip install a2a-sdk`.
+          VIRTUAL_ENV=.venv-minimal uv pip install dist/*.whl
+
+      - name: List installed packages
+        run: VIRTUAL_ENV=.venv-minimal uv pip list
+
+      - name: Run import smoke test
+        run: .venv-minimal/bin/python scripts/test_minimal_install.py
@@ -12,21 +12,21 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 
       - name: "Set up Python"
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version-file: "pyproject.toml"
 
       - name: Build
         run: uv build
 
       - name: Upload distributions
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: release-dists
           path: dist/
@@ -40,12 +40,12 @@ jobs:
 
     steps:
       - name: Retrieve release distributions
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: release-dists
           path: dist/
 
       - name: Publish release distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           packages-dir: dist/
@@ -14,7 +14,7 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
         with:
           token: ${{ secrets.A2A_BOT_PAT }}
           target-branch: ${{ github.ref_name }}
 
@@ -33,10 +33,10 @@ jobs:
         python-version: ['3.10', '3.13']
     steps:
       - name: Checkout a2a-python
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -48,7 +48,7 @@ jobs:
         run: uv sync --locked --all-extras
 
       - name: Checkout a2a-tck
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: a2aproject/a2a-tck
           path: tck/a2a-tck
 
@@ -12,7 +12,7 @@ jobs:
       contents: read
     steps:
       - name: Perform Bandit Analysis
-        uses: PyCQA/bandit-action@v1
+        uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de # v1
         with:
           severity: medium
           confidence: medium