blacklanternsecurity · liquidsec · Jan 2, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 23, 2026
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -0,0 +1,97 @@
+name: "CLA Assistant"
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+permissions:
+  pull-requests: write
+  statuses: write
+
+jobs:
+  CLAAssistant:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate token from GitHub App
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: blacklanternsecurity
+
+      - name: Check all committers against org and allowlist
+        id: cla-check
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request_target" ]; then
+            PR_NUM="${{ github.event.pull_request.number }}"
+          else
+            PR_NUM="${{ github.event.issue.number }}"
+          fi
+
+          COMMITTERS=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM/commits" --paginate --jq '.[].author.login' | sort -u)
+          ALL_EXEMPT=true
+
+          for LOGIN in $COMMITTERS; do
+            # treat commits with no associated GitHub login as non-exempt
+            if [ -z "$LOGIN" ] || [ "$LOGIN" = "null" ]; then
+              echo "Unknown committer (no GitHub login) — not exempt"
+              ALL_EXEMPT=false
+              break
+            fi
+
+            EXEMPT=false
+
+            # check if account type is Bot (GitHub App accounts)
+            AUTHOR_TYPE=$(gh api "users/${LOGIN}" --jq '.type' 2>/dev/null || echo "Unknown")
+            if [ "$AUTHOR_TYPE" = "Bot" ]; then
+              echo "$LOGIN is a Bot account — exempt"
+              EXEMPT=true
+            fi
+
+            # check org membership
+            if [ "$EXEMPT" = "false" ]; then
+              if gh api "orgs/blacklanternsecurity/members/$LOGIN" > /dev/null 2>&1; then
+                echo "$LOGIN is an org member — exempt"
+                EXEMPT=true
+              fi
+            fi
+
+            if [ "$EXEMPT" = "false" ]; then
+              echo "$LOGIN is not exempt — CLA required"
+              ALL_EXEMPT=false
+              break
+            fi
+          done
+
+          echo "all_exempt=$ALL_EXEMPT" >> "$GITHUB_OUTPUT"
+
+      - name: Skip CLA when all committers are exempt
+        if: steps.cla-check.outputs.all_exempt == 'true' && github.event_name == 'pull_request_target'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api --method POST "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+            -f state=success \
+            -f context="CLAAssistant" \
+            -f description="CLA check skipped — all committers are org members or bots"
+
+      - name: "CLA Assistant"
+        if: |
+          (steps.cla-check.outputs.all_exempt != 'true') &&
+          ((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target')
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        with:
+          path-to-signatures: "signatures/version1/cla.json"
+          path-to-document: "https://github.com/blacklanternsecurity/CLA/blob/main/ICLA.md"
+          branch: "main"
+          allowlist: "dependabot[bot],github-actions[bot],renovate[bot]"
+          remote-organization-name: "blacklanternsecurity"
+          remote-repository-name: "CLA"
+          lock-pullrequest-aftermerge: "false"
diff --git a/.github/workflows/docs_updater.yml b/.github/workflows/docs_updater.yml
@@ -20,10 +20,10 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7
       - name: Install dependencies
-        run: uv sync --group dev
+        run: uv sync --frozen --group dev
       - name: Generate docs
         run: |
-          uv run bbot/scripts/docs.py
+          uv run --no-sync bbot/scripts/docs.py
       - name: Create or Update Pull Request
         uses: peter-evans/create-pull-request@v8
         with:

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -76,24 +76,30 @@ jobs:
       - name: Calculate version
         id: calc_version
         run: |
-          # Get base version from latest stable tag (exclude rc tags, strip 'v' prefix)
-          LATEST_STABLE_TAG=$(git describe --tags --abbrev=0 --exclude="*rc*")
-          BASE_VERSION=$(echo "$LATEST_STABLE_TAG" | sed 's/^v//')
+          # Source of truth for base version is pyproject.toml
+          BASE_VERSION=$(python3 -c "
+          import re
+          text = open('pyproject.toml').read()
+          print(re.search(r'^version\s*=\s*\"([^\"]+)\"', text, re.MULTILINE).group(1))
+          ")
 
           if [[ "${{ github.ref }}" == "refs/heads/stable" ]]; then
-            # Stable: clean version from tag
             VERSION="$BASE_VERSION"
           elif [[ "${{ github.ref }}" == "refs/heads/dev" ]]; then
-            # Dev: version.distancerc (e.g., 3.0.0.123rc)
-            DISTANCE=$(git rev-list ${LATEST_STABLE_TAG}..HEAD --count)
+            # Dev: base version + commit distance from stable as rc (e.g., 3.0.0.123rc)
+            STABLE_HEAD=$(git rev-parse origin/stable 2>/dev/null || git rev-list --max-parents=0 HEAD)
+            DISTANCE=$(git rev-list ${STABLE_HEAD}..HEAD --count)
             VERSION="${BASE_VERSION}.${DISTANCE}rc"
           fi
 
           echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
           echo "Calculated version: $VERSION"
 
-          # Write version to file for hatchling to pick up
-          echo "__version__ = \"$VERSION\"" > bbot/_version.py
+          # For dev builds, write the rc version to pyproject.toml for hatchling
+          # Stable builds use pyproject.toml as-is
+          if [[ "${{ github.ref }}" == "refs/heads/dev" ]]; then
+            sed -i "s/^version = .*/version = \"$VERSION\"/" pyproject.toml
+          fi
       - name: Build Pypi package
         if: github.ref == 'refs/heads/stable' || github.ref == 'refs/heads/dev'
         run: uv build
@@ -122,8 +128,6 @@ jobs:
           tags: |
             blacklanternsecurity/bbot:dev
             blacklanternsecurity/bbot:${{ steps.version.outputs.BBOT_VERSION }}
-            blacklanternsecurity/bbot:${{ steps.version.outputs.BBOT_VERSION_MAJOR_MINOR }}
-            blacklanternsecurity/bbot:${{ steps.version.outputs.BBOT_VERSION_MAJOR }}
       - name: Publish to Docker Hub (stable)
         if: github.event_name == 'push' && github.ref == 'refs/heads/stable'
         uses: docker/build-push-action@v6
@@ -146,8 +150,6 @@ jobs:
           tags: |
             blacklanternsecurity/bbot:dev-full
             blacklanternsecurity/bbot:${{ steps.version.outputs.BBOT_VERSION }}-full
-            blacklanternsecurity/bbot:${{ steps.version.outputs.BBOT_VERSION_MAJOR_MINOR }}-full
-            blacklanternsecurity/bbot:${{ steps.version.outputs.BBOT_VERSION_MAJOR }}-full
       - name: Publish Full Docker Image to Docker Hub (stable)
         if: github.event_name == 'push' && github.ref == 'refs/heads/stable'
         uses: docker/build-push-action@v6
@@ -239,7 +241,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v7
       - name: Install dependencies
-        run: uv sync --only-group docs
+        run: uv sync --frozen --group docs
       - name: Configure Git
         run: |
           git config user.name github-actions
@@ -253,11 +255,11 @@ jobs:
       - name: Generate docs (stable branch)
         if: github.ref == 'refs/heads/stable'
         run: |
-          uv run mike deploy Stable
+          uv run --no-sync mike deploy Stable
       - name: Generate docs (dev branch)
         if: github.ref == 'refs/heads/dev'
         run: |
-          uv run mike deploy Dev
+          uv run --no-sync mike deploy Dev
       - name: Publish docs
         run: |
           git switch gh-pages

diff --git a/README.md b/README.md
@@ -20,6 +20,8 @@ pipx install --pip-args '\--pre' bbot
 
 _For more installation methods, including [Docker](https://hub.docker.com/r/blacklanternsecurity/bbot), see [Getting Started](https://www.blacklanternsecurity.com/bbot/Stable/)_
 
+> **Speed tip:** BBOT's DNS engine spins up ten workers per resolver in `/etc/resolv.conf`. Adding more unfiltered resolvers dramatically speeds up scans. See the [sample resolv.conf](docs/data/resolv-sample.conf) and [Tips and Tricks](https://www.blacklanternsecurity.com/bbot/Stable/scanning/tips_and_tricks/#speed-up-scans-with-more-dns-resolvers) for details.
+
 ## Example Commands
 
 ### 1) Subdomain Finder

diff --git a/bbot/__init__.py b/bbot/__init__.py
@@ -1,4 +1,6 @@
+from importlib.metadata import version, PackageNotFoundError
+
 try:
-    from bbot._version import __version__
-except ImportError:
+    __version__ = version("bbot")
+except PackageNotFoundError:
     __version__ = "0.0.0"
diff --git a/bbot/_version.py b/bbot/_version.py