harden uv resolution, add audit + Pyrefly in CI/pre-commit#3257
harden uv resolution, add audit + Pyrefly in CI/pre-commit#3257raushanprabhakar1 wants to merge 1 commit into
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3257 +/- ##
============================================
+ Coverage 73.82% 73.83% +0.01%
Complexity 943 943
============================================
Files 1190 1193 +3
Lines 107833 108933 +1100
Branches 84851 85967 +1116
============================================
+ Hits 79606 80433 +827
- Misses 25473 25740 +267
- Partials 2754 2760 +6
🚀 New features to boost your workflow:
|
|
please fix PR title /author |
There was a problem hiding this comment.
this pr markets supply-chain hardening but ships three defects that all point the same way - the protections are holed or unenforced, while the unrequested dependency addition is fully wired in:
urllib3 = falsepunches a hole in the cooldown for a top-tier supply-chain target, with zero justification (pyproject.toml).uv audit- the check #3246 actually asked for - is added as a pre-commit hook only, and iggy ci does not run pre-commit, so it never gates prs.- pyrefly (not requested in #3246) is wired into the ci lint task; the audit is not.
remove the urllib3 exemption, move uv audit into _common.yml if it's meant to gate prs, and verify the pyrefly 1.0.0 wheel hashes in uv.lock against pypi.
lastly, fix the PR title
/author
|
|
||
| [tool.uv] | ||
| exclude-newer = "7 days" | ||
| exclude-newer-package = { urllib3 = false, pyrefly = false } |
There was a problem hiding this comment.
exclude-newer-package = { urllib3 = false, pyrefly = false } opts these two packages out of the 7-day cooldown. pyrefly has a reason - 1.0.0 was uploaded 2026-05-12, two days before this pr, so the cooldown would block the version being added. urllib3 has none - it isn't otherwise touched by this pr, and it's one of the highest-value supply-chain targets in the python ecosystem. exempting it from the freshness window, in a pr whose stated purpose is supply-chain hardening, defeats the protection for exactly the package an attacker would most want to push a fresh malicious release of. drop the urllib3 entry. same exemption is mirrored in foreign/python/uv.lock under [options.exclude-newer-package].
| files: ^(foreign|bdd|examples)/python/(pyproject\.toml|uv\.lock)$ | ||
| pass_filenames: false | ||
|
|
||
| - id: uv-audit |
There was a problem hiding this comment.
uv-audit is added as a pre-commit hook only. iggy ci does not run pre-commit - .github/workflows/_common.yml mirrors every gating hook as an explicit job. without a matching job in _common.yml, uv audit never runs on prs. it only fires on a contributor machine that has pre-commit installed and touches a matching pyproject.toml/uv.lock. that's the opposite of the threat model in #3246 - a malicious or careless dependency bump arriving in a pr stays unguarded. if the audit is meant to gate prs, add it as a job in _common.yml.
| echo "mypy version: $(uv run mypy --version)" | ||
| echo "Running pyrefly on SDK..." | ||
| uv run pyrefly check |
There was a problem hiding this comment.
pyrefly gets wired into ci here, but uv audit - the actual ask in #3246 - gets no ci entry anywhere. so the unrequested scope-creep check is enforced on prs while the security check it was paired with is not. either both belong in ci, or split this pr: the cooldown is what the issue asked for, pyrefly + audit tooling is separate scope and separate review.
|
/author |
github-actions
Bot
added
the
S-waiting-on-author
2 participants
Which issue does this PR close?
Closes #3246
Rationale
Supply-chain incidents increasingly rely on very new PyPI uploads. Adding uv’s
exclude-newercooldown limits how fresh a release can be when resolving dependencies. We also runuv auditlocally via pre-commit and add Pyrefly 1.x for type checking alongside mypy, with CI and hooks aligned.What changed?
Dependency resolution for
foreign/pythonnow applies a 7-dayexclude-newer