From ca65fb27b931203b46413d1f79df7c4bab64a10e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 04:48:14 +0000 Subject: [PATCH 1/9] chore(deps): bump the dependencies group with 4 updates Bumps the dependencies group with 4 updates: [github/ospo-reusable-workflows](https://github.com/github/ospo-reusable-workflows), [github/contributors](https://github.com/github/contributors), [github/codeql-action](https://github.com/github/codeql-action) and [super-linter/super-linter](https://github.com/super-linter/super-linter). Updates `github/ospo-reusable-workflows` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/github/ospo-reusable-workflows/releases) - [Changelog](https://github.com/github/ospo-reusable-workflows/blob/main/docs/release-image.md) - [Commits](https://github.com/github/ospo-reusable-workflows/compare/ebb4e218b75c6043139fd69a4c9bb5a465fb696b...c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0) Updates `github/contributors` from 1.5.11 to 1.7.0 - [Release notes](https://github.com/github/contributors/releases) - [Commits](https://github.com/github/contributors/compare/69e531b620b7e5b0fad2e9823681607b54db447a...ae62be2e3b1a3b2847955ec659d9bb6f88ffe628) Updates `github/codeql-action` from 3.29.9 to 3.29.11 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/df559355d593797519d70b90fc8edd5db049e7a2...3c3833e0f8c1c83d449a7478aa59c036a9165498) Updates `super-linter/super-linter` from 8.0.0 to 8.1.0 - [Release notes](https://github.com/super-linter/super-linter/releases) - [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md) - [Commits](https://github.com/super-linter/super-linter/compare/5119dcd8011e92182ce8219d9e9efc82f16fddb6...ffde3b2b33b745cb612d787f669ef9442b1339a6) --- updated-dependencies: - dependency-name: github/ospo-reusable-workflows dependency-version: 0.5.3 
dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: github/contributors dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: github/codeql-action dependency-version: 3.29.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: super-linter/super-linter dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-labeler.yml | 2 +- .github/workflows/contributors_report.yaml | 2 +- .github/workflows/pr-title.yml | 2 +- .github/workflows/release.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- .github/workflows/super-linter.yaml | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml index 051eff1..0fc577f 100644 --- a/.github/workflows/auto-labeler.yml +++ b/.github/workflows/auto-labeler.yml @@ -11,7 +11,7 @@ jobs: permissions: contents: read pull-requests: write - uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: config-name: release-drafter.yml secrets: diff --git a/.github/workflows/contributors_report.yaml b/.github/workflows/contributors_report.yaml index 3f9a1b0..14e63b8 100644 --- a/.github/workflows/contributors_report.yaml +++ b/.github/workflows/contributors_report.yaml 
@@ -30,7 +30,7 @@ jobs: echo "END_DATE=$end_date" >> "$GITHUB_ENV" - name: Run contributor action - uses: github/contributors@69e531b620b7e5b0fad2e9823681607b54db447a + uses: github/contributors@ae62be2e3b1a3b2847955ec659d9bb6f88ffe628 env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} START_DATE: ${{ env.START_DATE }} diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 77afc54..66d1da6 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -12,6 +12,6 @@ jobs: contents: read pull-requests: read statuses: write - uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 secrets: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e913f0d..4ac1376 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ jobs: permissions: contents: write pull-requests: read - uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: publish: true release-config-name: release-drafter.yml @@ -25,7 +25,7 @@ jobs: packages: write id-token: write attestations: write - uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: image-name: ${{ github.repository }} full-tag: ${{ needs.release.outputs.full-tag }} 
@@ -40,7 +40,7 @@ jobs: permissions: contents: read discussions: write - uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: full-tag: ${{ needs.release.outputs.full-tag }} body: ${{ needs.release.outputs.body }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 35a7324..0b53cd4 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -42,6 +42,6 @@ jobs: path: results.sarif retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.5 + uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5 with: sarif_file: results.sarif diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml index 83e28ac..e4d3553 100644 --- a/.github/workflows/super-linter.yaml +++ b/.github/workflows/super-linter.yaml @@ -26,7 +26,7 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt -r requirements-test.txt - name: Lint Code Base - uses: super-linter/super-linter@5119dcd8011e92182ce8219d9e9efc82f16fddb6 + uses: super-linter/super-linter@ffde3b2b33b745cb612d787f669ef9442b1339a6 env: DEFAULT_BRANCH: main GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 487070b563c7dc0d754ac6adbcc883c955152195 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Thu, 11 Sep 2025 11:03:12 -0500 Subject: [PATCH 2/9] fix: linting - ensure credentials are not persisted past checkout of code - add zizmor.yml file to allow pull_request_target in actions for auto-labeler to work on fork pull requests - add HEALTHCHECK and non-root user to Dockerfile 
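Review bot: In the scorecard.yml hunk the new pin for `github/codeql-action/upload-sarif` is `192325c86100d080feab897ff886c34abd4c83a3`, but the description says this update lands on `3c3833e0f8c1c83d449a7478aa59c036a9165498`, and the trailing `# v3.29.5` comment is carried over unchanged although the stated target is 3.29.11. A SHA pin whose version comment and compare link disagree with it cannot be audited without re-deriving the tag, which is the whole point of keeping the comment. Confirm which release the pinned SHA belongs to and make the three agree, e.g. `uses: github/codeql-action/upload-sarif@<sha-of-v3.29.11> # v3.29.11` (or fix the description if the SHA is the intended one); the other files in this patch keep pin and description consistent.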
Signed-off-by: jmeridth --- .github/workflows/copilot-setup-steps.yml | 2 ++ .github/workflows/docker-ci.yml | 2 ++ .github/workflows/python-ci.yml | 2 ++ .github/workflows/super-linter.yaml | 1 + .github/zizmor.yml | 3 +++ Dockerfile | 9 +++++++++ 6 files changed, 19 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index cddb8d9..dcdb4ad 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -27,6 +27,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5.6.0 diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index ec1a05c..87d88a2 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml @@ -15,5 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Build the Docker image run: docker build . --file Dockerfile --platform linux/amd64 diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml index 9878b08..9a6d0f2 100644 --- a/.github/workflows/python-ci.yml +++ b/.github/workflows/python-ci.yml @@ -21,6 +21,8 @@ jobs: python-version: [3.11, 3.12] steps: - uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5.6.0 with: diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml index e4d3553..dd6aaf0 100644 --- a/.github/workflows/super-linter.yaml +++ b/.github/workflows/super-linter.yaml @@ -21,6 +21,7 @@ jobs: uses: actions/checkout@v5.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Install dependencies run: | python -m pip install --upgrade pip 
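Review bot: The `persist-credentials: false` additions are the right default, but the checkout and setup-python steps they attach to stay pinned by mutable tag (`actions/checkout@v5.0.0`, `actions/setup-python@v5.6.0`) while every dependabot-managed workflow in patch 1 pins a full commit SHA; the same applies to the docker-ci.yml, python-ci.yml and super-linter.yaml hunks in this patch. A tag can be moved after the fact, so a SHA pin with the tag as a comment, `uses: actions/checkout@<full-commit-sha> # v5.0.0`, keeps the supply-chain posture consistent across the repo and lets dependabot track it. super-linter.yaml still receives `GITHUB_TOKEN` through its `env`, so nothing there depends on the checkout credential being persisted.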
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..93342af
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+ dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests
+ disable: true
diff --git a/Dockerfile b/Dockerfile
index 280cc9a..19f9f2d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,6 +19,15 @@ RUN python3 -m pip install --no-cache-dir -r requirements.txt \
 && apt-get -y update \
 && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
 && rm -rf /var/lib/apt/lists/*
+ && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \
+ && chown -R appuser:appuser /action/workspace
+
+# Run the action as a non-root user
+USER appuser
+
+# Add a simple healthcheck to satisfy container scanners
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+ CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/contributors.py') else 1)"
 
 CMD ["/action/workspace/contributors.py"]
 ENTRYPOINT ["python3", "-u"]
From 8e27c34231f92571b11afe04cbe2784010af815b Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Thu, 11 Sep 2025 11:06:26 -0500
Subject: [PATCH 3/9] fix: missing slash at end of Dockerfile run command
Signed-off-by: jmeridth
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 19f9f2d..5f0c4bd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,7 +18,7 @@ COPY requirements.txt *.py /action/workspace/
 RUN python3 -m pip install --no-cache-dir -r requirements.txt \
 && apt-get -y update \
 && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
- && rm -rf /var/lib/apt/lists/*
+ && rm -rf /var/lib/apt/lists/* \
 && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \
 && chown -R appuser:appuser /action/workspace
 
From bf20a3dad3a334083d03679e5f3c6a49da758828 Mon Sep 17 00:00:00 2001
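Review bot: In the Dockerfile hunk, `chown -R appuser:appuser /action/workspace` hands the runtime user write access to the action's own source, which gives back much of what `USER appuser` buys: a compromised process could rewrite `contributors.py` in place. Unless the action writes into /action/workspace at runtime, leave the tree root-owned and readable (what `COPY` produces by default) and drop the chown; if it does need a writable location, chown only that path. Separately, GitHub's Dockerfile guidance for container actions advises against `USER` because the runner bind-mounts GITHUB_WORKSPACE with host ownership, so confirm the action still reads and writes what it needs on a clean runner. The HEALTHCHECK only tests that a file exists, as its own comment admits; a `# not a liveness probe: Actions containers are short-lived` note would stop a future maintainer relying on it.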
From: jmeridth Date: Thu, 11 Sep 2025 11:32:01 -0500 Subject: [PATCH 4/9] fix: create the group Signed-off-by: jmeridth --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 5f0c4bd..2d3a9ae 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,7 @@ RUN python3 -m pip install --no-cache-dir -r requirements.txt \ && apt-get -y update \ && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \ && rm -rf /var/lib/apt/lists/* \ + && addgroup --system appuser \ && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \ && chown -R appuser:appuser /action/workspace From 5a3b40e1de47737a26020d7bd648af8a70acb39a Mon Sep 17 00:00:00 2001 From: jmeridth Date: Thu, 11 Sep 2025 11:36:19 -0500 Subject: [PATCH 5/9] fix: move zizmor config so super-linter can use it Signed-off-by: jmeridth --- .github/{ => linters}/zizmor.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{ => linters}/zizmor.yml (100%) diff --git a/.github/zizmor.yml b/.github/linters/zizmor.yml similarity index 100% rename from .github/zizmor.yml rename to .github/linters/zizmor.yml From 6d055c48c6938c4174ebc2bc00fc03033896c362 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Thu, 11 Sep 2025 11:47:36 -0500 Subject: [PATCH 6/9] fix: zizmor config super linter is still using 1.12.1 so have to use that config for ignore/disable disable is available in v1.13.0 Signed-off-by: jmeridth --- .github/{linters => }/zizmor.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) rename .github/{linters => }/zizmor.yml (55%) diff --git a/.github/linters/zizmor.yml b/.github/zizmor.yml similarity index 55% rename from .github/linters/zizmor.yml rename to .github/zizmor.yml index 93342af..9745a0a 100644 --- a/.github/linters/zizmor.yml +++ b/.github/zizmor.yml 
@@ -1,3 +1,6 @@
 rules:
 dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests
- disable: true
+ ignore:
+ - auto-labeler.yml
+ - pr-title.yml
+ - release.yml
From d2af4b6a636bd5441317db5dc094a44bac505655 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Thu, 11 Sep 2025 11:59:37 -0500
Subject: [PATCH 7/9] fix: zizmor.yml is not the default filename for super-linter yaml extension needed
Signed-off-by: jmeridth
---
 .github/{zizmor.yml => zizmor.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{zizmor.yml => zizmor.yaml} (100%)
diff --git a/.github/zizmor.yml b/.github/zizmor.yaml
similarity index 100%
rename from .github/zizmor.yml
rename to .github/zizmor.yaml
From 78d25ffcb8c32b514f9d182c885a3252c8377649 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Thu, 11 Sep 2025 12:04:59 -0500
Subject: [PATCH 8/9] fix: move zizmor.yaml back into linters folder, default place super-linter checks
Signed-off-by: jmeridth
---
 .github/{ => linters}/zizmor.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{ => linters}/zizmor.yaml (100%)
diff --git a/.github/zizmor.yaml b/.github/linters/zizmor.yaml
similarity index 100%
rename from .github/zizmor.yaml
rename to .github/linters/zizmor.yaml
From 013b188cd3c79ddcaa9b14d09a919023a43ae2d1 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Thu, 11 Sep 2025 12:15:30 -0500
Subject: [PATCH 9/9] fix: add trivy config file to ignore mypy_cache
Signed-off-by: jmeridth
---
 .github/linters/trivy.yaml | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .github/linters/trivy.yaml
diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml
new file mode 100644
index 0000000..d543fa9
--- /dev/null
+++ b/.github/linters/trivy.yaml
@@ -0,0 +1,3 @@
+scan:
+ skip-dirs:
+ - .mypy_cache
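Review bot: The `ignore` list now suppresses the dangerous-triggers audit for three whole files, while the comment justifies only the auto-labeling case; `pr-title.yml` and `release.yml` are listed without a stated reason. A whole-file suppression also hides any `pull_request_target` job someone adds to these workflows later. Narrow it to the smallest scope zizmor's config accepts (entries can, I believe, carry a `file.yml:line:col` location) and extend the comment to say what each workflow needs the trigger for and what keeps fork head code from being checked out or executed, e.g. `# pull_request_target needed so fork PRs get labelled/titled/released; the reusable workflows called here do not check out the PR head`. If release.yml does not actually use the trigger, dropping it from the list keeps the audit active there.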
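Review bot: `skip-dirs: - .mypy_cache` hides the directory from Trivy rather than keeping it out of what gets scanned or shipped; the skip is reasonable for a type-checker cache, but the new file should say so, e.g. `# local mypy cache: no shipped code, only scanner noise`. Check that `.mypy_cache` is also listed in .gitignore and .dockerignore (if the repo has them) so the skip is a second layer rather than the only control, and that the `scan.skip-dirs` key matches the Trivy version super-linter bundles, since an unrecognised key may be ignored rather than rejected.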