Back-porting new features and dependency automation to shundor/python-bandit-scan
#6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Also bind it to concrete v4 release
Development branch.
Added Updates and Automation
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>
…s/main/github/codeql-action-3
Back port to development
Update README.md with config for fixed version
Updated README.md
Release v2.1
Reduce threshold to low in example to improve default.
# Pull useful improvements from community ## Pull new configuration input feature from related work in community * Incorporate the feature to optionally include a `config_path` input to allow further configuration of `bandit` ## Partial version bumps for action dependancies * Updating to `github/code-action/upload-sarif@v3` presents no significant changes since `v2` besides the underlying node version. Details in [relevant project README](https://github.com/github/codeql-action?tab=readme-ov-file#supported-versions-of-the-codeql-action) * Updating to `actions/upload-artifact@v4` brings significant changes we should be aware of. The maintainers have noted that version 4 introduces breaking changes: * **GitHub Enterprise Server (GHES) Compatibility**: Support for GHES versions prior to 3.5 has been discontinued. If you're using an older GHES version, this update might not be compatible. * **Default Behavior Adjustments**: There may be changes to default configurations, such as the default value for retention-days. Deprecated inputs or features might have been removed as well. For a comprehensive understanding of these impacts and to ensure seamless integration, please review the maintainers' notes in the [upload-artifact project README](https://github.com/actions/upload-artifact#actionsupload-artifact) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **New Features** - Introduced an optional `config_path` parameter for the Bandit Scan action, allowing users to specify a configuration file for command line arguments. - **Improvements** - Updated artifact upload steps to use the latest versions of the actions, enhancing reliability and functionality. - Added an option to overwrite existing artifacts during upload. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
…ity features > [!NOTE] > > Due to the backup, upstream with [actions/starter-workflows#2497](actions/starter-workflows#2497) not yet resolved, this PR will include at-least two minor version bumps: > > * [v2.2](637c5c4) @ [637c5c4](637c5c4) > * [v2.3](f8cf05e) @ [f8cf05e](f8cf05e) ---
* main: re:re:re updated the usage example in the README.md Update README.md Update README.md Update name in action.yml [UPDATE] (deps): Bump github/codeql-action from 2 to 3 Update README.md Allow config file specification Upgrade upload-serif action to v3 Fix breaking changes in upload-artifact action use
…t-scan for use by shundor/python-bandit-scan
* Oops! :hear_not_evil: The labels must already be present in the github project settings. (FIXED) * I also don't have write-access so I removed myself from the default assignee; this simplifies the configuration. These are not user-facing changes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Patch Notes
Back-port of new features
config_pathparameter for the Bandit Scan action, allowing users to specify a configuration file for command line arguments. Credit: @MrFiredFixes and Corrections
results.sarifartifact. Namely, added an option to overwrite existing artifacts during upload when needed. This overwrite behavior only impacts duplicates that would otherwise fail instead.README.mdto use the correct name for theshundor/python-bandit-scanGitHub Action (Hopefully this helps resolve issues like unable to find versionv1#1)Possibly Impacted GHI
v1#1 (by updating directions)Conclusion and Request for Comments
Thank you for reviewing this pull request! Your feedback is invaluable in ensuring that these changes align with the project's goals and maintain high quality.
I would especially appreciate comments from the following community members:
config_pathfeature would be greatly appreciated. 🙊Please feel free to share any additional thoughts or concerns you may have. Looking forward to your feedback!