From c97cf35018e7e7cc598ed6271b91f1f48ad2edbf Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 26 Aug 2025 15:30:14 +0000
Subject: [PATCH 1/4] chore(deps): bump the dependencies group with 4 updates

Bumps the dependencies group with 4 updates: [github/ospo-reusable-workflows](https://github.com/github/ospo-reusable-workflows), [github/contributors](https://github.com/github/contributors), [github/codeql-action](https://github.com/github/codeql-action) and [super-linter/super-linter](https://github.com/super-linter/super-linter). Updates `github/ospo-reusable-workflows` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/github/ospo-reusable-workflows/releases) - [Changelog](https://github.com/github/ospo-reusable-workflows/blob/main/docs/release-image.md) - [Commits](https://github.com/github/ospo-reusable-workflows/compare/ebb4e218b75c6043139fd69a4c9bb5a465fb696b...c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0) Updates `github/contributors` from 1.5.11 to 1.7.0 - [Release notes](https://github.com/github/contributors/releases) - [Commits](https://github.com/github/contributors/compare/69e531b620b7e5b0fad2e9823681607b54db447a...ae62be2e3b1a3b2847955ec659d9bb6f88ffe628) Updates `github/codeql-action` from 3.29.10 to 3.29.11 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/96f518a34f7a870018057716cc4d7a5c014bd61c...3c3833e0f8c1c83d449a7478aa59c036a9165498) Updates `super-linter/super-linter` from 8.0.0 to 8.1.0 - [Release notes](https://github.com/super-linter/super-linter/releases) - [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md) - [Commits](https://github.com/super-linter/super-linter/compare/5119dcd8011e92182ce8219d9e9efc82f16fddb6...ffde3b2b33b745cb612d787f669ef9442b1339a6) --- updated-dependencies: - dependency-name: github/ospo-reusable-workflows dependency-version: 0.5.3
dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: github/contributors dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: github/codeql-action dependency-version: 3.29.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: super-linter/super-linter dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot]
---
 .github/workflows/auto-labeler.yml | 2 +-
 .github/workflows/contributors_report.yaml | 2 +-
 .github/workflows/pr-title.yml | 2 +-
 .github/workflows/release.yml | 6 +++---
 .github/workflows/scorecard.yml | 2 +-
 .github/workflows/super-linter.yaml | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml
index 051eff1..0fc577f 100644
--- a/.github/workflows/auto-labeler.yml
+++ b/.github/workflows/auto-labeler.yml
@@ -11,7 +11,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: write
- uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+ uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
 with:
 config-name: release-drafter.yml
 secrets:
diff --git a/.github/workflows/contributors_report.yaml b/.github/workflows/contributors_report.yaml
index 9dae79c..9bfdcf7 100644
--- a/.github/workflows/contributors_report.yaml
+++ b/.github/workflows/contributors_report.yaml
@@ -29,7 +29,7 @@ jobs:
 echo "END_DATE=$end_date" >> "$GITHUB_ENV"

 - name: Run contributor action
- uses: github/contributors@69e531b620b7e5b0fad2e9823681607b54db447a
+ uses: github/contributors@ae62be2e3b1a3b2847955ec659d9bb6f88ffe628
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 START_DATE: ${{ env.START_DATE }}
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 77afc54..66d1da6 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -12,6 +12,6 @@ jobs:
 contents: read
 pull-requests: read
 statuses: write
- uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+ uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
 secrets:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e913f0d..4ac1376 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: read
- uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+ uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
 with:
 publish: true
 release-config-name: release-drafter.yml
@@ -25,7 +25,7 @@ jobs:
 packages: write
 id-token: write
 attestations: write
- uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+ uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
 with:
 image-name: ${{ github.repository }}
 full-tag: ${{ needs.release.outputs.full-tag }}
@@ -40,7 +40,7 @@ jobs:
 permissions:
 contents: read
 discussions: write
- uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+ uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
 with:
 full-tag: ${{ needs.release.outputs.full-tag }}
 body: ${{ needs.release.outputs.body }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index af9551c..c77b34f 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -42,6 +42,6 @@ jobs:
 path: results.sarif
 retention-days: 5
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.5
+ uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
index f3937ea..4b05fd7 100644
--- a/.github/workflows/super-linter.yaml
+++ b/.github/workflows/super-linter.yaml
@@ -30,7 +30,7 @@ jobs:
 run: |
 pip install -r requirements.txt -r requirements-test.txt
 - name: Lint Code Base
- uses: super-linter/super-linter@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0
+ uses: super-linter/super-linter@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0
 env:
 DEFAULT_BRANCH: main
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 7d4bff8aa6a8add6b8c040706bee065def5a57da Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Thu, 11 Sep 2025 13:54:28 -0500
Subject: [PATCH 2/4] fix: linting

- ensure credentials are not persisted past checkout of code - add zizmor.yml file to linters to allow pull_request_target in actions for auto-labeler to work on fork pull requests - add trivy.yml file to linters to ignore mypy_cache directory - add HEALTHCHECK and non-root user to Dockerfile
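Review bot: The pin comment on the new `uses:` line in the scorecard.yml hunk is stale: the SHA moves to 3c3833e0f8c1c83d449a7478aa59c036a9165498, which the commit message identifies as codeql-action 3.29.11, yet the trailing comment still says `# v3.29.5` (the removed line carried the same comment while already being at 3.29.10). People and pin-auditing tools read that comment to map a SHA to a release, so a mismatch hides what is actually being run and makes a later "is this the version with the fix" check wrong. Change it to `uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11`. The super-linter hunk in the same commit updates its comment to `# v8.1.0`, so this looks like a one-off rather than a policy.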
Signed-off-by: jmeridth
---
 .github/linters/trivy.yaml | 3 +++
 .github/linters/zizmor.yaml | 6 ++++++
 .github/workflows/copilot-setup-steps.yml | 4 +++-
 .github/workflows/docker-ci.yml | 2 ++
 .github/workflows/python-ci.yml | 2 +-
 .github/workflows/super-linter.yaml | 3 ++-
 Dockerfile | 13 ++++++++++++-
 7 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 .github/linters/trivy.yaml
 create mode 100644 .github/linters/zizmor.yaml
diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml
new file mode 100644
index 0000000..d543fa9
--- /dev/null
+++ b/.github/linters/trivy.yaml
@@ -0,0 +1,3 @@
+scan:
+ skip-dirs:
+ - .mypy_cache
diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
new file mode 100644
index 0000000..9745a0a
--- /dev/null
+++ b/.github/linters/zizmor.yaml
@@ -0,0 +1,6 @@
+rules:
+ dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests
+ ignore:
+ - auto-labeler.yml
+ - pr-title.yml
+ - release.yml
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index cddb8d9..d33b8b6 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -27,9 +27,11 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v5.0.0
+ with:
+ persist-credentials: false

 - name: Set up Python
- uses: actions/setup-python@v5.6.0
+ uses: actions/setup-python@v6.0.0
 with:
 python-version: 3.12

diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
index ec1a05c..87d88a2 100644
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
@@ -15,5 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5.0.0
+ with:
+ persist-credentials: false
 - name: Build the Docker image
 run: docker build . --file Dockerfile --platform linux/amd64
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index 95c0892..a3c684e 100644
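Review bot: The `ignore:` entries in the new .github/linters/zizmor.yaml silence `dangerous-triggers` for three whole files, so a trigger added later to auto-labeler.yml, pr-title.yml or release.yml would also go unaudited; as far as I recall zizmor's ignore entries may carry a location (`auto-labeler.yml:LINE`), which would keep the rule live for the rest of each file and is worth checking against the zizmor version super-linter runs. The inline comment and the commit message both justify the exemption only for auto-labeler, while pr-title.yml and release.yml are exempted without a stated reason; a comment such as `# pr-title/release: reusable workflows pinned by SHA, read-only contents, no checkout of the PR head` (adjusted to whatever is actually true) would let a later reader verify the exemption instead of trusting it. Whether release.yml uses `pull_request_target` at all is not visible in this series.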
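Review bot: The new `uses: actions/setup-python@v6.0.0` line in copilot-setup-steps.yml pins to a mutable tag, and the checkout step two lines above it stays at `actions/checkout@v5.0.0`, also a tag, while python-ci.yml and super-linter.yaml in the same series pin checkout to a full SHA with a version comment (`actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`). A tag can be moved after the fact, so the SHA pin is what makes the dependabot bump in the first commit of this series a meaningful review point; pin both steps here as `uses: actions/checkout@<full-sha> # v5.0.0` and `uses: actions/setup-python@<full-sha> # v6.0.0` (placeholders, take the SHAs from the upstream release tags). The same tag-only pin is introduced on the setup-python line in the python-ci.yml and super-linter.yaml hunks and on the checkout line in docker-ci.yml.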
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v5.6.0
+ uses: actions/setup-python@v6.0.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
index 4b05fd7..0596ebb 100644
--- a/.github/workflows/super-linter.yaml
+++ b/.github/workflows/super-linter.yaml
@@ -22,8 +22,9 @@ jobs:
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Setup Python
- uses: actions/setup-python@v5.6.0
+ uses: actions/setup-python@v6.0.0
 with:
 python-version: "3.12"
 - name: Install dependencies
diff --git a/Dockerfile b/Dockerfile
index a5bdbaf..d1b3c29 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,18 @@ COPY requirements.txt *.py /action/workspace/
 RUN python3 -m pip install --no-cache-dir -r requirements.txt \
 && apt-get -y update \
 && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
- && rm -rf /var/lib/apt/lists/*
+ && rm -rf /var/lib/apt/lists/* \
+ && addgroup --system appuser \
+ && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \
+ && chown -R appuser:appuser /action/workspace
+
+# Run the action as a non-root user
+USER appuser
+
+# Add a simple healthcheck to satisfy container scanners
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+ CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/evergreen.py') else 1)"
+>>>>>>> 378e6a0 (fix: linting)

 CMD ["/action/workspace/evergreen.py"]
 ENTRYPOINT ["python3", "-u"]
From 7f0df4e6bdd54fdb2fe019b0c51a95dcba1f269c Mon Sep 17 00:00:00 2001
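Review bot: `USER appuser` in the Dockerfile hunk changes the user the container runs as, and if this image is consumed as a Docker container action (the `/action/workspace` layout with the `CMD`/`ENTRYPOINT` pair suggests it is, though no action.yml is in this series) GitHub's Dockerfile guidance says container actions must run as the default root user and not use `USER`, because the runner mounts `GITHUB_WORKSPACE` into the container and a non-root user may be unable to access it. If the action only talks to the API and never reads or writes the mounted workspace the change is harmless, but that should be confirmed by an end-to-end run of the action rather than by the linter passing, and the outcome recorded next to the instruction, e.g. `# Non-root is safe here: the action does not touch GITHUB_WORKSPACE (verified <date>)`. The `HEALTHCHECK` has no effect on how the runner executes the action, so its comment "to satisfy container scanners" is the honest justification and should stay. The conflict marker `>>>>>>> 378e6a0 (fix: linting)` left in this hunk is removed by the next patch in the series.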
From: jmeridth
Date: Thu, 11 Sep 2025 14:14:04 -0500
Subject: [PATCH 3/4] fix: bad conflict line still present

Signed-off-by: jmeridth
---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index d1b3c29..d0e98ba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,6 @@ USER appuser
 # Add a simple healthcheck to satisfy container scanners
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
 CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/evergreen.py') else 1)"
->>>>>>> 378e6a0 (fix: linting)

 CMD ["/action/workspace/evergreen.py"]
 ENTRYPOINT ["python3", "-u"]
From 7e40287b09821891bb5a5429c3d8765bc95b61f2 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Thu, 11 Sep 2025 14:26:49 -0500
Subject: [PATCH 4/4] fix: linting

Signed-off-by: jmeridth
---
 .github/workflows/python-ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index a3c684e..0eca3d6 100644
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -21,6 +21,8 @@ jobs:
 python-version: [3.11, 3.12]
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v6.0.0
 with: