a security policy, a PR template and a codelist version checker GitHub wf have been added

Author: sbudai

.github/SECURITY.md

@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest stable release receives security patches.
+
+## Reporting a Vulnerability
+
+Please **do not** open a public GitHub issue for security vulnerabilities.
+
+Use [GitHub's private vulnerability reporting](https://github.com/krose/entsoeapi/security/advisories/new) to report issues confidentially.
+
+We aim to acknowledge reports within **7 days** and release a patch within **90 days**, depending on severity.
+
+## Scope
+
+In scope: - Leakage or improper handling of the `ENTSOE_PAT` API token - Unsafe processing of API responses (XML/JSON parsing) - Vulnerable transitive dependencies
+
+Out of scope: - Vulnerabilities in the ENTSO-E API itself - Issues requiring a compromised R environment

.github/pull_request_template.md

@@ -0,0 +1,36 @@
+## Description
+
+<!-- What does this PR change and why? Link any related issues below. -->
+
+Fixes #<!-- issue number, if applicable -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New endpoint / feature
+- [ ] Refactor / cleanup
+- [ ] Documentation only
+
+## Affected module(s)
+
+<!-- Tick all that apply -->
+- [ ] `en_market`
+- [ ] `en_load`
+- [ ] `en_generation`
+- [ ] `en_transmission`
+- [ ] `en_outages`
+- [ ] `en_balancing`
+- [ ] `en_helpers` / `utils`
+- [ ] Tests / CI
+- [ ] Documentation / vignettes
+
+## Checklist
+
+- [ ] Code follows project conventions (snake_case, `cli::` messages, `checkmate::` validation)
+- [ ] New exported functions include `@return` and `@examplesIf` roxygen tags
+- [ ] Tests added / updated — `covr::package_coverage()` passes at 100 %
+- [ ] `lintr::lint_package()` passes with no new warnings
+- [ ] `devtools::document()` run — man pages up-to-date
+- [ ] `devtools::check()` passes locally (0 errors, 0 warnings, 0 notes)
+- [ ] No `ENTSOE_PAT` tokens or secrets committed
+- [ ] `NEWS.md` updated (if user-facing change)

.github/workflows/check-codelist-version.yml

@@ -0,0 +1,130 @@
+# Workflow to check for ENTSO-E Code List version updates
+# Runs biweekly on Monday at 8:00 AM UTC
+on:
+  schedule:
+    - cron: "0 8 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  check-codelist-version:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get current week number
+        id: week
+        run: echo "week=$(date +%V)" >> $GITHUB_OUTPUT
+
+      - name: Check if biweek (only run on even weeks)
+        run: |
+          week=${{ steps.week.outputs.week }}
+          if [ $((10#$week % 2)) -ne 0 ]; then
+            echo "Skipping - odd week ($week)"
+            exit 0
+          fi
+          echo "Running - even week ($week)"
+
+      - name: Fetch ENTSO-E Code List page
+        id: fetch
+        run: |
+          response=$(curl -s "https://www.entsoe.eu/publications/electronic-data-interchange-edi-library/")
+
+          # Extract all version numbers and find the highest one
+          version=$(echo "$response" | grep -oP 'Version\s+\K\d+' | sort -n | tail -1)
+
+          # Get the full line containing the highest version, then extract the date
+          # Format: "*   Mar 2, 2026 - Version 94 of the ENTSO-E Code list is published."
+          line=$(echo "$response" | grep "Version $version " | head -1)
+          date=$(echo "$line" | grep -oP '[A-Z][a-z]{2}\s+\d{1,2},\s+\d{4} | head -1')
+          date=$(echo $date | head -1)
+
+          if [ -z "$version" ]; then
+            echo "Failed to extract version number"
+            exit 1
+          fi
+
+          echo "version=$version" >> $GITHUB_OUTPUT
+          echo "date=$date" >> $GITHUB_OUTPUT
+          echo "Latest version: $version (published: $date)"
+
+      - name: Read stored version
+        id: stored
+        run: |
+          if [ -f .github/CODELIST_VERSION ]; then
+            stored_version=$(cat .github/CODELIST_VERSION)
+          else
+            stored_version="0"
+          fi
+          echo "stored_version=$stored_version" >> $GITHUB_OUTPUT
+          echo "Stored version: $stored_version"
+
+      - name: Check existing issues for version
+        id: check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          version=${{ steps.fetch.outputs.version }}
+
+          # Search for existing issues about this version
+          existing=$(gh issue list --state open --search "Code List Version $version" --json number --jq '.[0].number')
+
+          if [ -n "$existing" ]; then
+            echo "Issue already exists: #$existing"
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create issue if new version found
+        if: steps.check.outputs.exists == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          version=${{ steps.fetch.outputs.version }}
+          date=${{ steps.fetch.outputs.date }}
+          stored_version=${{ steps.stored.outputs.stored_version }}
+
+          if [ "$version" -gt "$stored_version" ]; then
+            gh issue create \
+              --title "ENTSO-E Code List Version $version available" \
+              --body "A new version of the ENTSO-E Code List has been published.
+
+          **Version:** $version
+          **Published:** $date
+          **Previous version:** $stored_version
+
+          **Action required:**
+          - [ ] Review the changelog/release notes at ENTSO-E
+          - [ ] Update package documentation if needed
+          - [ ] Verify compatibility with current implementation
+
+          ---
+          *This issue was automatically created by the Code List version checker.*" \
+              --label "enhancement"
+          fi
+
+      - name: Update stored version
+        if: steps.check.outputs.exists == 'false'
+        run: |
+          version=${{ steps.fetch.outputs.version }}
+          echo "$version" > .github/CODELIST_VERSION
+
+      - name: Commit updated version file
+        if: steps.check.outputs.exists == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add .github/CODELIST_VERSION
+          if ! git diff --staged --quiet; then
+            git commit -m "Update Code List version to ${{ steps.fetch.outputs.version }}"
+            git push
+          else
+            echo "No changes to commit"
+          fi

README.Rmd

@@ -193,6 +193,4 @@ entsoeapi::gen_per_prod_type(
 
 ## Code of Conduct
 
-## Code of Conduct
-
 Please note that the entsoeapi project is released with a [Contributor Code of Conduct](https://krose.github.io/entsoeapi/CODE_OF_CONDUCT.html). By contributing to this project, you agree to abide by its terms.

README.md

@@ -507,7 +507,7 @@ entsoeapi::load_actual_total(
 #> ── API call ────────────────────────────────────────────────────────────────────
 #> → https://web-api.tp.entsoe.eu/api?documentType=A65&processType=A16&outBiddingZone_Domain=10Y1001A1001A83F&periodStart=201912312300&periodEnd=202001012300&securityToken=<...>
 #> <- HTTP/2 200 
-#> <- date: Tue, 07 Apr 2026 22:23:49 GMT
+#> <- date: Sun, 12 Apr 2026 12:21:59 GMT
 #> <- content-type: text/xml
 #> <- content-disposition: inline; filename="Actual Total Load_201912312300-202001012300.xml"
 #> <- x-content-type-options: nosniff
@@ -535,7 +535,7 @@ entsoeapi::load_actual_total(
 #> $ ts_object_aggregation_def       <chr> "Area", "Area", "Area", "Area", "Area"…
 #> $ ts_business_type                <chr> "A04", "A04", "A04", "A04", "A04", "A0…
 #> $ ts_business_type_def            <chr> "Consumption", "Consumption", "Consump…
-#> $ created_date_time               <dttm> 2026-04-07 22:23:49, 2026-04-07 22:23…
+#> $ created_date_time               <dttm> 2026-04-12 12:21:59, 2026-04-12 12:21…
 #> $ revision_number                 <dbl> 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,…
 #> $ time_period_time_interval_start <dttm> 2019-12-31 23:00:00, 2019-12-31 23:00…
 #> $ time_period_time_interval_end   <dttm> 2020-01-01 23:00:00, 2020-01-01 23:00…
@@ -565,7 +565,7 @@ entsoeapi::gen_per_prod_type(
 #> ── API call ────────────────────────────────────────────────────────────────────
 #> → https://web-api.tp.entsoe.eu/api?documentType=A75&processType=A16&in_Domain=10Y1001A1001A83F&periodStart=201912312300&periodEnd=202001012300&securityToken=<...>
 #> <- HTTP/2 200 
-#> <- date: Tue, 07 Apr 2026 22:23:49 GMT
+#> <- date: Sun, 12 Apr 2026 12:22:04 GMT
 #> <- content-type: text/xml
 #> <- content-disposition: inline; filename="Aggregated Generation per Type_201912312300-202001012300.xml"
 #> <- x-content-type-options: nosniff
@@ -580,10 +580,10 @@ entsoeapi::gen_per_prod_type(
 #> ✔ Additional definitions have been added!
 #> Rows: 1,632
 #> Columns: 25
-#> $ ts_in_bidding_zone_domain_mrid  <chr> NA, NA, NA, NA, NA, NA, NA, NA, NA, NA…
-#> $ ts_in_bidding_zone_domain_name  <chr> NA, NA, NA, NA, NA, NA, NA, NA, NA, NA…
-#> $ ts_out_bidding_zone_domain_mrid <chr> "10Y1001A1001A83F", "10Y1001A1001A83F"…
-#> $ ts_out_bidding_zone_domain_name <chr> "Germany", "Germany", "Germany", "Germ…
+#> $ ts_in_bidding_zone_domain_mrid  <chr> "10Y1001A1001A83F", "10Y1001A1001A83F"…
+#> $ ts_in_bidding_zone_domain_name  <chr> "Germany", "Germany", "Germany", "Germ…
+#> $ ts_out_bidding_zone_domain_mrid <chr> NA, NA, NA, NA, NA, NA, NA, NA, NA, NA…
+#> $ ts_out_bidding_zone_domain_name <chr> NA, NA, NA, NA, NA, NA, NA, NA, NA, NA…
 #> $ type                            <chr> "A75", "A75", "A75", "A75", "A75", "A7…
 #> $ type_def                        <chr> "Actual generation per type", "Actual …
 #> $ process_type                    <chr> "A16", "A16", "A16", "A16", "A16", "A1…
@@ -592,9 +592,9 @@ entsoeapi::gen_per_prod_type(
 #> $ ts_object_aggregation_def       <chr> "Resource type", "Resource type", "Res…
 #> $ ts_business_type                <chr> "A01", "A01", "A01", "A01", "A01", "A0…
 #> $ ts_business_type_def            <chr> "Production", "Production", "Productio…
-#> $ ts_mkt_psr_type                 <chr> "B10", "B10", "B10", "B10", "B10", "B1…
-#> $ ts_mkt_psr_type_def             <chr> "Hydro-electric pure pumped storage he…
-#> $ created_date_time               <dttm> 2026-04-07 22:23:49, 2026-04-07 22:23…
+#> $ ts_mkt_psr_type                 <chr> "B01", "B01", "B01", "B01", "B01", "B0…
+#> $ ts_mkt_psr_type_def             <chr> "Biomass", "Biomass", "Biomass", "Biom…
+#> $ created_date_time               <dttm> 2026-04-12 12:22:04, 2026-04-12 12:22…
 #> $ revision_number                 <dbl> 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,…
 #> $ time_period_time_interval_start <dttm> 2019-12-31 23:00:00, 2019-12-31 23:00…
 #> $ time_period_time_interval_end   <dttm> 2020-01-01 23:00:00, 2020-01-01 23:00…
@@ -603,14 +603,12 @@ entsoeapi::gen_per_prod_type(
 #> $ ts_time_interval_end            <dttm> 2020-01-01 23:00:00, 2020-01-01 23:00…
 #> $ ts_mrid                         <dbl> 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,…
 #> $ ts_point_dt_start               <dttm> 2019-12-31 23:00:00, 2019-12-31 23:15…
-#> $ ts_point_quantity               <dbl> 194.92, 225.11, 286.19, 397.02, 284.99…
+#> $ ts_point_quantity               <dbl> 4809.13, 4803.04, 4787.15, 4787.26, 47…
 #> $ ts_quantity_measure_unit_name   <chr> "MAW", "MAW", "MAW", "MAW", "MAW", "MA…
 ```
 
 ## Code of Conduct
 
-## Code of Conduct
-
 Please note that the entsoeapi project is released with a [Contributor
 Code of
 Conduct](https://krose.github.io/entsoeapi/CODE_OF_CONDUCT.html). By

RELEASE_CHECKLIST.md

@@ -24,7 +24,8 @@
 
 -   [ ] Run `devtools::run_examples(fresh = TRUE)` — all examples pass, no unexpected errors
 -   [ ] Run `devtools::test()` — all tests pass, no unexpected skips
--   [ ] `devtools::test_coverage()` — no significant test coverage regression
+-   [ ] Run `devtools::test_coverage()` — no significant test coverage regression
+-   [ ] Run `semgrep ci` in CLI — to check security vulnerabilities
 
 ## 4. R CMD CHECK