diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..9d866e3928
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "pip" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..26f2e0c7df
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates. For example:
+
+| Version | Supported |
+| ------- | ------------------ |
+| 1.x.x | :white_check_mark: |
+| < 1.0.0 | :x: |
+
+## Reporting a Vulnerability
+
+We take all security vulnerabilities seriously. To report a security vulnerability, please use the [private vulnerability reporting feature](https://github.com/google/adk-python/security/advisories/new) on GitHub.
+
+We will acknowledge your report within 48 hours and will aim to provide a more detailed response within 72 hours, indicating the next steps in handling your report.
diff --git a/pyproject.toml b/pyproject.toml
index 460644463a..c2a2c8855d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
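Review bot: The new config enrolls only the `pip` ecosystem at `directory: "/"`, so any GitHub Actions workflows the repository runs (none are visible in this diff) would stay outside Dependabot's version updates and keep whatever action pins they have today. A second entry, `- package-ecosystem: "github-actions"` with `directory: "/"` and the same `weekly` schedule, would bring those under the same review. The two trailing `# See documentation for possible values` / `# Location of package manifests` template comments can be dropped now that the values are chosen.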
@@ -25,6 +25,14 @@ classifiers = [ # List of https://pypi.org/classifiers/
 ]
 dependencies = [
 # go/keep-sorted start
+ "PyYAML>=6.0.2, <7.0.0", # For APIHubToolset.
+ "absolufy-imports>=0.3.1, <1.0.0", # For Agent Engine deployment.
+ "anyio>=4.9.0, <5.0.0;python_version>='3.10'", # For MCP Session Manager
+ "authlib>=1.5.1, <2.0.0", # For RestAPI Tool
+ "click>=8.1.8, <9.0.0", # For CLI tools
+ "google-api-python-client>=2.157.0, <3.0.0", # Google API client discovery
+ "google-cloud-bigtable>=2.32.0", # For Bigtable database
+ "opentelemetry-api>=1.31.0, <2.0.0", # OpenTelemetry
 "PyYAML>=6.0.2, <7.0.0", # For APIHubToolset.
 "aiosqlite>=0.21.0", # For SQLite database
 "anyio>=4.9.0, <5.0.0", # For MCP Session Manager
diff --git a/src/google/adk/cli/cli_create.py b/src/google/adk/cli/cli_create.py
index a1be9a0273..2c9cac4abf 100644
--- a/src/google/adk/cli/cli_create.py
+++ b/src/google/adk/cli/cli_create.py
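Review bot: The added `"PyYAML>=6.0.2, <7.0.0", # For APIHubToolset.` line is byte-identical to the unchanged entry three lines below it, and the added `anyio` line with the `python_version>='3.10'` marker sits next to the existing unmarked `"anyio>=4.9.0, <5.0.0"`, so on 3.10+ both specifiers apply and the marker changes nothing; this reads like a merge that re-added lines instead of moving them. The other six additions (`absolufy-imports`, `authlib`, `click`, `google-api-python-client`, `google-cloud-bigtable`, `opentelemetry-api`) are inserted directly under `# go/keep-sorted start`, ahead of the existing entries, and likely duplicate entries further down the list that this hunk does not show; the block should be deduplicated before merge, keeping one specifier per package. `"google-cloud-bigtable>=2.32.0"` is also the only new entry without an upper bound, unlike every neighbour. The `dependencies` list continues past the end of the hunk.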
@@ -191,12 +191,17 @@ def _generate_files(
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=0")
 elif google_cloud_project and google_cloud_region:
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=1")
- if google_api_key:
- lines.append(f"GOOGLE_API_KEY={google_api_key}")
- if google_cloud_project:
- lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
- if google_cloud_region:
- lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
+ if google_api_key or google_cloud_project or google_cloud_region:
+ click.secho(
+ "NOTE: For security, the GOOGLE_API_KEY, GOOGLE_CLOUD_PROJECT, and GOOGLE_CLOUD_LOCATION were NOT written to `.env`.\n"
+ "Please set them as environment variables manually and do not check secrets or sensitive configuration into source control.",
+ fg="yellow",
+ )
+ # Do not write project ID or location to .env; instruct user instead
+ # if google_cloud_project:
+ # lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
+ # if google_cloud_region:
+ # lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
 f.write("\n".join(lines))
 if type == "config":
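Review bot: The `.env` this hunk writes is now internally inconsistent: the unchanged `elif` branch still emits `GOOGLE_GENAI_USE_VERTEXAI=1` when a project and region were supplied, but the `GOOGLE_CLOUD_PROJECT` and `GOOGLE_CLOUD_LOCATION` values that mode needs are no longer written, so the generated agent cannot run until the user hand-edits the file. Of the three values only `GOOGLE_API_KEY` is a credential; project ID and location are non-secret configuration, yet the yellow notice lumps all three together as "secrets or sensitive configuration". If the intent is to keep the key out of the file, keep writing the two non-secret values as before, print the notice only when a key was supplied, and delete the commented-out `# if google_cloud_project:` block instead of leaving dead code behind. `_generate_files` begins and ends outside this hunk.
```python
    # Project ID and location are not credentials; persisting them keeps the
    # generated .env usable. Only the API key is withheld from the file.
    if google_cloud_project:
      lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
    if google_cloud_region:
      lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
    if google_api_key:
      click.secho(
          "NOTE: For security, GOOGLE_API_KEY was NOT written to `.env`.\n"
          "Set it as an environment variable instead and do not check it into source control.",
          fg="yellow",
      )
    # … unchanged: f.write("\n".join(lines)) …
```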