DEBUG: limit workflow #2390

sfc-gh-pczajka · 2025-07-04T13:24:04Z

DO NOT MERGE, this is a workflow debug branch

.github/workflows/build_test.yml

src/snowflake/connector/aio/auth/_auth.py

+            {
+                k: v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******"
+                for (k, v) in body["data"].items()
+            },


To fix the problem, we should ensure that sensitive fields such as "PASSCODE", "password", and any other known sensitive keys are always masked in logs, regardless of their presence in any whitelist. This can be achieved by defining a set of sensitive keys and updating the dictionary comprehension in the logger statement to mask these keys. The fix should be applied in the authenticate method of the Auth class, specifically at the logging statement on lines 147–153. No changes to existing functionality are required, only the logging output is made safer. We will define a set of sensitive keys within the method (or at the top of the file if appropriate) and update the logging statement accordingly.

test/integ/aio/test_connection_async.py

+                    c[0][1].startswith(
+                        "https://test-account.snowflakecomputing.com:443"
+                    )


To fix the issue, we should replace the startswith check with a more robust method that parses the URL and validates its components. Specifically, we can use Python's urllib.parse module to extract the hostname and scheme from the URL and ensure they match the expected values. This approach eliminates the risk of substring matching errors and ensures that the URL is validated correctly.

The changes will involve:

Importing the urlparse function from urllib.parse.

Replacing the startswith check with a parsed URL validation that ensures the scheme is https, the hostname matches the expected value, and the port is correct.

.github/workflows/build_test.yml

+    name: Test asyncio ${{ matrix.os.download_name }}-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
+    needs: build
    runs-on: ${{ matrix.os.image_name }}
    strategy:
      fail-fast: false
      matrix:
        os:
         - image_name: ubuntu-latest
-           download_name: linux
-        python-version: [3.8]
-        cloud-provider: [aws]
+           download_name: manylinux_x86_64
+         - image_name: macos-latest
+           download_name: macosx_x86_64
+         - image_name: windows-latest
+           download_name: win_amd64
+        python-version: ["3.10", "3.11", "3.12"]
+        cloud-provider: [aws, azure, gcp]
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
      - name: Display Python version
        run: python -c "import sys; print(sys.version)"
      - name: Setup parameters file
        shell: bash
        env:
          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
        run: |
          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
          .github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
+      - name: Download wheel(s)
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ matrix.os.download_name }}_py${{ matrix.python-version }}
+          path: dist
+      - name: Show wheels downloaded
+        run: ls -lh dist
+        shell: bash
      - name: Upgrade setuptools, pip and wheel
        run: python -m pip install -U setuptools pip wheel
      - name: Install tox
        run: python -m pip install tox>=4
      - name: Run tests
-        run: python -m tox run -e olddriver
+        run: python -m tox run -e aio
        env:
          PYTHON_VERSION: ${{ matrix.python-version }}
          cloud_provider: ${{ matrix.cloud-provider }}
          PYTEST_ADDOPTS: --color=yes --tb=short
+          TOX_PARALLEL_NO_SPINNER: 1
        shell: bash
+      - name: Combine coverages
+        run: python -m tox run -e coverage --skip-missing-interpreters false
+        shell: bash
+      - uses: actions/upload-artifact@v4
+        with:
+          name: coverage_aio_${{ matrix.os.download_name }}-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
+          path: |
+            .tox/.coverage
+            .tox/coverage.xml

-  test-noarrowextension:
-    name: No Arrow Extension Test ${{ matrix.os.download_name }}-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
-    needs: lint
+  test-unsupporeted-aio:


To fix the problem, you should add an explicit permissions block to the workflow file .github/workflows/build_test.yml. The best way to do this is to add the block at the top level of the workflow, so it applies to all jobs unless overridden. Since the jobs only need to read repository contents (for checkout and artifact download), the minimal required permission is contents: read. This change should be made immediately after the name: and before the on: block (i.e., after line 1 and before line 3). No additional imports or definitions are needed.

.github/workflows/build_test.yml

+  #   name: Combine coverage
+  #   needs: [lint, test, test-fips, test-lambda, test-aio]
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - uses: actions/download-artifact@v4
+  #       with:
+  #         path: artifacts
+  #     - name: Set up Python
+  #       uses: actions/setup-python@v4
+  #       with:
+  #         python-version: '3.9'
+  #     - name: Display Python version
+  #       run: python -c "import sys; print(sys.version)"
+  #     - name: Upgrade setuptools and pip
+  #       run: python -m pip install -U setuptools pip wheel
+  #     - name: Install tox
+  #       run: python -m pip install tox>=4
+  #     - name: Collect all coverages to one dir
+  #       run: |
+  #         python -c '
+  #         from pathlib import Path
+  #         import shutil

-  combine-coverage:
-    if: ${{ success() || failure() }}
-    name: Combine coverage
-    needs: [lint, test, test-fips, test-lambda]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
-        with:
-          path: artifacts
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.8'
-      - name: Display Python version
-        run: python -c "import sys; print(sys.version)"
-      - name: Upgrade setuptools and pip
-        run: python -m pip install -U setuptools pip wheel
-      - name: Install tox
-        run: python -m pip install tox>=4
-      - name: Collect all coverages to one dir
-        run: |
-          python -c '
-          from pathlib import Path
-          import shutil
-
-          src_dir = Path("artifacts")
-          dst_dir = Path(".") / ".tox"
-          dst_dir.mkdir()
-          for src_file in src_dir.glob("*/.coverage"):
-              dst_file = dst_dir / ".coverage.{}".format(src_file.parent.name[9:])
-              print("{} copy to {}".format(src_file, dst_file))
-              shutil.copy(str(src_file), str(dst_file))'
-      - name: Combine coverages
-        run: python -m tox run -e coverage
-      - name: Publish html coverage
-        uses: actions/upload-artifact@v4
-        with:
-          include-hidden-files: true
-          name: overall_cov_html
-          path: .tox/htmlcov
-      - name: Publish xml coverage
-        uses: actions/upload-artifact@v4
-        with:
-          include-hidden-files: true
-          name: overall_cov_xml
-          path: .tox/coverage.xml
-      - uses: codecov/codecov-action@v4
-        with:
-          files: .tox/coverage.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
+  #         src_dir = Path("artifacts")
+  #         dst_dir = Path(".") / ".tox"
+  #         dst_dir.mkdir()
+  #         for src_file in src_dir.glob("*/.coverage"):
+  #             dst_file = dst_dir / ".coverage.{}".format(src_file.parent.name[9:])
+  #             print("{} copy to {}".format(src_file, dst_file))
+  #             shutil.copy(str(src_file), str(dst_file))'
+  #     - name: Combine coverages
+  #       run: python -m tox run -e coverage
+  #     - name: Publish html coverage
+  #       uses: actions/upload-artifact@v4
+  #       with:
+  #         include-hidden-files: true
+  #         name: overall_cov_html
+  #         path: .tox/htmlcov
+  #     - name: Publish xml coverage
+  #       uses: actions/upload-artifact@v4
+  #       with:
+  #         include-hidden-files: true
+  #         name: overall_cov_xml
+  #         path: .tox/coverage.xml
+  #     - uses: codecov/codecov-action@v4
+  #       with:
+  #         files: .tox/coverage.xml
+  #         token: ${{ secrets.CODECOV_TOKEN }}


To fix the problem, we should add a permissions block to the workflow or to each job that does not already have one. The minimal starting point is contents: read, which allows the workflow to read repository contents but not write to them. This should be added at the root level of the workflow (top-level, just after the name and before on), so it applies to all jobs unless overridden. No additional imports or definitions are needed; this is a YAML configuration change.

…2432)

sfc-gh-pczajka added the DO NOT MERGE label Jul 4, 2025

sfc-gh-pczajka force-pushed the pczajka-debug branch 3 times, most recently from 355bc1c to 5ec89c3 Compare July 4, 2025 14:27

sfc-gh-pczajka force-pushed the cherrypicks-to-aio-connector-part1 branch from 5531b8e to 5168b00 Compare July 4, 2025 14:45

sfc-gh-pczajka force-pushed the pczajka-debug branch 2 times, most recently from 042c5ab to b2f1bb9 Compare July 7, 2025 14:26

sfc-gh-pczajka force-pushed the cherrypicks-to-aio-connector-part1 branch from 5168b00 to 9a188b1 Compare July 7, 2025 14:28

sfc-gh-pczajka force-pushed the pczajka-debug branch from b2f1bb9 to d5ee2e4 Compare July 7, 2025 15:30

sfc-gh-pczajka force-pushed the cherrypicks-to-aio-connector-part1 branch 2 times, most recently from c37c333 to f0d9e29 Compare July 7, 2025 15:54

sfc-gh-pczajka force-pushed the pczajka-debug branch 2 times, most recently from 098c4d2 to b2719d0 Compare July 8, 2025 10:23

sfc-gh-pczajka marked this pull request as draft July 8, 2025 10:23

sfc-gh-pczajka force-pushed the cherrypicks-to-aio-connector-part1 branch from f0d9e29 to 449d668 Compare July 9, 2025 14:39

sfc-gh-pczajka force-pushed the pczajka-debug branch from b2719d0 to dcfda65 Compare July 10, 2025 10:33

Base automatically changed from cherrypicks-to-aio-connector-part1 to dev/aio-connector July 14, 2025 12:26

sfc-gh-pczajka force-pushed the pczajka-debug branch 4 times, most recently from d56b698 to b919832 Compare July 21, 2025 12:57

sfc-gh-pczajka changed the base branch from dev/aio-connector to main July 21, 2025 12:58

github-advanced-security bot found potential problems Jul 21, 2025

View reviewed changes

.github/workflows/build_test.yml Fixed Show fixed Hide fixed

sfc-gh-pczajka force-pushed the pczajka-debug branch from 2b513fa to edd918d Compare July 29, 2025 09:17

github-advanced-security bot found potential problems Jul 29, 2025

View reviewed changes

sfc-gh-pczajka force-pushed the pczajka-debug branch from edd918d to fd32ae8 Compare August 6, 2025 11:17

github-advanced-security bot found potential problems Aug 6, 2025

View reviewed changes

sfc-gh-pczajka changed the base branch from main to cherrypicks-to-aio-connector-part5 August 6, 2025 11:23

sfc-gh-pczajka changed the base branch from cherrypicks-to-aio-connector-part5 to dev/aio-connector August 6, 2025 11:24

sfc-gh-pczajka force-pushed the pczajka-debug branch from c9f892b to 5f87ff8 Compare August 6, 2025 14:18

sfc-gh-pcyrek added 2 commits August 13, 2025 13:16

SNOW-2021009: test optimisation (#2388)

e209415

SNOW-2226057: GH Actions moved to key-pair, old driver bump to 3.1.0 (#…

407d131

…2432)

sfc-gh-pczajka force-pushed the pczajka-debug branch from 0678964 to 49d5a0a Compare August 13, 2025 12:03

sfc-gh-pczajka added 3 commits August 13, 2025 14:03

adjust async workflow

f316c82

adjust async conftest.py

b32e8b3

paralelize async tests

7c05cce

sfc-gh-pczajka force-pushed the pczajka-debug branch from 49d5a0a to b7a65a2 Compare August 13, 2025 12:40

adjust async tests

d1024c1

sfc-gh-pczajka force-pushed the pczajka-debug branch from b7a65a2 to c77cd31 Compare August 13, 2025 13:31

sfc-gh-pczajka added 5 commits August 13, 2025 16:42

fix async connection tests

05dedc8

fix adding tests from future

0d9ec29

Fix async tests

6215cb3

skip failing test

63be9f0

resolve worker conflicts

85afb18

sfc-gh-pczajka force-pushed the pczajka-debug branch from 4964b53 to df50e8d Compare August 14, 2025 09:52

sfc-gh-pczajka added 2 commits August 14, 2025 13:56

Split async tests in tox.ini; fix async ocsp tests

72cc2a7

Apply changes from #2388 to async tests

b811eeb

sfc-gh-pczajka force-pushed the pczajka-debug branch from df50e8d to 3da273a Compare August 14, 2025 12:12

sfc-gh-pczajka added 4 commits August 14, 2025 14:40

try fixing coverage check

e673724

DEBUG: limit workflow

a8b4c7c

DEBUG: more debug in tests

0b660a9

DEBUG trigger build

3d7d6b6

sfc-gh-pczajka force-pushed the pczajka-debug branch from 3da273a to 3d7d6b6 Compare August 14, 2025 12:40

sfc-gh-pczajka added 7 commits August 14, 2025 15:01

try fix

bfad18b

DEBUG reduce tests

9d7e118

fix spelling

302ad47

revert tox.ini

919cb2c

fix?

8916d6f

DEBUG: delete more tests

9b5d070

DEBUG: delete more tests

9af48ed

@@ -146,2 +146,4 @@
+                    # Always mask sensitive fields in logs, regardless of whitelist
+                    SENSITIVE_KEYS = {"PASSCODE", "password", "pwd", "secret", "token"}
                     logger.debug(
@@ -149,3 +151,3 @@
                         {
-                            k: v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******"
+                            k: "******" if k.upper() in SENSITIVE_KEYS else (v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******")
                             for (k, v) in body["data"].items()

@@ -840,5 +840,8 @@
                         )  # Skip tear down, there's only a mocked rest api
+                        from urllib.parse import urlparse
                         assert any(
                             [
-                                c[0][1].startswith("https://test-host:443")
+                                urlparse(c[0][1]).scheme == "https"
+                                and urlparse(c[0][1]).hostname == "test-host"
+                                and urlparse(c[0][1]).port == 443
                                 for c in mocked_fetch.call_args_list
@@ -864,7 +867,8 @@
                         )  # Skip tear down, there's only a mocked rest api
+                        from urllib.parse import urlparse
                         assert any(
                             [
-                                c[0][1].startswith(
-                                    "https://test-account.snowflakecomputing.com:443"
-                                )
+                                urlparse(c[0][1]).scheme == "https"
+                                and urlparse(c[0][1]).hostname == "test-account.snowflakecomputing.com"
+                                and urlparse(c[0][1]).port == 443
                                 for c in mocked_fetch.call_args_list

@@ -1,2 +1,4 @@
             name: Build and Test
+            permissions:
+              contents: read

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

DEBUG: limit workflow #2390

DEBUG: limit workflow #2390

Uh oh!

sfc-gh-pczajka commented Jul 4, 2025

Uh oh!

Uh oh!

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Uh oh!

DEBUG: limit workflow #2390

Are you sure you want to change the base?

DEBUG: limit workflow #2390

Uh oh!

Conversation

sfc-gh-pczajka commented Jul 4, 2025

Uh oh!

Uh oh!

Check failure

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Uh oh!