Skip to content

Commit

Permalink
chore: more remediations from oss scorecard
Browse files Browse the repository at this point in the history
- [x] github action versions via hashes
- [x] switch from pip to pipenv
  - seems to handle hashes better and has a lock file

Signed-off-by: jmeridth <[email protected]>
  • Loading branch information
jmeridth committed May 6, 2024
1 parent b496b7d commit 0936962
Show file tree
Hide file tree
Showing 14 changed files with 705 additions and 44 deletions.
13 changes: 0 additions & 13 deletions .github/workflows/integration_tests.disabled

This file was deleted.

5 changes: 3 additions & 2 deletions .github/workflows/linter.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,9 @@ jobs:
fetch-depth: 0
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-test.txt
python -m pip install pip==24.0 --hash=sha256:ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc \
pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01
pipenv install --deploy --dev --system
- name: Lint Code Base
uses: super-linter/super-linter@4758be622215d0954c8353ee4877ffd60111cf8e
env:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/major-version-updater.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
contents: write
steps:
- name: Checkout Repo
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
- name: version
id: version
run: |
Expand Down
11 changes: 6 additions & 5 deletions .github/workflows/python-package.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,12 @@ jobs:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-test.txt
- name: Lint with flake8 and pylint
python -m pip install pip==24.0 --hash=sha256:ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc \
pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01
pipenv install --deploy --dev --system
- name: Lint with super-linter
run: |
make lint
pipenv run lint
- name: Test with pytest
run: |
make test
pipenv run test
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
- name: Push Docker Image
if: ${{ success() }}
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0
Expand Down
22 changes: 20 additions & 2 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,30 @@ on:
- cron: '29 11 * * 6'
push:
branches: ["main"]
pull_request:
branches: ["main"]

permissions: read-all

jobs:
analysis:
name: Scorecard analysis
pull-request-analysis:
if : github.event_name == 'pull_request'
name: Pull Request Scorecard analysis
runs-on: ubuntu-latest
steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
publish_results: false
merge-to-main-analysis:
if : github.event_name == 'push' && github.ref == 'refs/heads/main'
name: Merge to Main Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/stale.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e
with:
stale-issue-message: 'This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 14 days.'
close-issue-message: 'This issue was closed because it has been stalled for 35 days with no activity.'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/use-action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
packages: read
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
- name: Run stale_repos tool
uses: docker://ghcr.io/github/stale_repos:v1
env:
Expand Down
4 changes: 2 additions & 2 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ LABEL com.github.actions.name="stale-repos" \
org.opencontainers.image.description="Find stale repositories in a GitHub organization."

WORKDIR /action/workspace
COPY requirements.txt stale_repos.py /action/workspace/
COPY Pipfile Pipfile.lock stale_repos.py /action/workspace/

RUN python3 -m pip install --no-cache-dir -r requirements.txt \
RUN python3 -m pip install --no-cache-dir pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01 \
&& apt-get -y update \
&& apt-get -y install --no-install-recommends git-all=1:2.39.2-1.1 \
&& rm -rf /var/lib/apt/lists/*
Expand Down
30 changes: 30 additions & 0 deletions Pipfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[scripts]
test = "make test"
lint = "make lint"
clean = "make clean"

[packages]
"github3.py" = "==4.0.1"
pyjwt = "==2.8.0"
python-dotenv = "==1.0.1"
python-dateutil = "==2.9.0.post0"

[dev-packages]
black = "==24.4.2"
dill = "==0.3.8"
exceptiongroup = "==1.2.1"
flake8 = "==7.0.0"
mypy = "==1.10.0"
mypy-extensions = "==1.0.0"
pylint = "==3.1.0"
pytest = "==8.2.0"
pytest-cov = "==5.0.0"
tomli = "==2.0.1"
typing-extensions = "==4.11.0"
types-python-dateutil = "==2.9.0.20240316"
types-requests = "==2.31.0.20240406"
Loading

0 comments on commit 0936962

Please sign in to comment.