From 3f80d96ea83b6328ccafa5960807d66b9b58b4fc Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Sat, 3 Apr 2021 17:34:19 -0400
Subject: [PATCH 1/4] Use secrets.GITHUB_TOKEN for coveralls in GHA workflow coveralls-python has better integration with running in GitHub Actions now, so we can use the automatically generated GITHUB_TOKEN secret instead of manually setting a COVERALLS_REPO_TOKEN secret for each repository.
---
 .github/workflows/build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0134014..02ea543 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -75,7 +75,8 @@ jobs:
 - name: Upload coverage report
 run: coveralls
 env:
- COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
+ COVERALLS_SERVICE_NAME: github
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 if: success()
 build:
 runs-on: ubuntu-latest
From 30a1c14cebf6cb74b2270e8bf9aa4ec829c99645 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Sat, 3 Apr 2021 17:38:42 -0400
Subject: [PATCH 2/4] Update coveralls GHA configuration for parallelization We already ran our tests in parallel for each major version of Python a project supports. This change should better differentiate each test job run in the reports submitted.
---
 .github/workflows/build.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 02ea543..695e8cc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
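Review bot: In PATCH 1/4, the `Upload coverage report` step now hands `secrets.GITHUB_TOKEN` to the pip-installed `coveralls` CLI, and nothing visible in this hunk limits what that token may do. The `jobs:` block starts and ends outside the hunk, so a `permissions:` key may already exist elsewhere; if it does not, I would add a least-privilege block to the job, `permissions:` with `contents: read`, so that a compromised or misbehaving reporting dependency cannot write to the repository. Read access should be enough for a coverage upload, but that is worth confirming with one test run.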
@@ -75,9 +75,39 @@ jobs:
 - name: Upload coverage report
 run: coveralls
 env:
+ COVERALLS_FLAG_NAME: "py${{ matrix.python-version }}"
+ COVERALLS_PARALLEL: true
 COVERALLS_SERVICE_NAME: github
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 if: success()
+ coveralls-finish:
+ runs-on: ubuntu-latest
+ needs: test
+ steps:
+ - uses: actions/checkout@v2
+ - id: setup-python
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.9
+ - uses: actions/cache@v2
+ env:
+ BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
+ py${{ steps.setup-python.outputs.python-version }}-"
+ with:
+ path: ${{ env.PIP_CACHE_DIR }}
+ key: "${{ env.BASE_CACHE_KEY }}\
+ ${{ hashFiles('**/requirements-test.txt') }}-\
+ ${{ hashFiles('**/requirements.txt') }}"
+ restore-keys: |
+ ${{ env.BASE_CACHE_KEY }}
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install --upgrade --requirement requirements-test.txt
+ - name: Finished coveralls reports
+ run: coveralls --finish
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 build:
 runs-on: ubuntu-latest
 needs: [lint, test]
From 5656676bca1f0b68709c9631023f0298a7f7f79c Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 7 Apr 2021 16:53:27 -0400
Subject: [PATCH 3/4] Skip CodeQL workflow for Dependabot branches on push events This should resolve the following error: Error: Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.
---
 .github/workflows/codeql-analysis.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
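Review bot: In PATCH 2/4, the new `coveralls-finish` job checks out the repository and runs `pip install --upgrade --requirement requirements-test.txt` only to call `coveralls --finish`, which widens the set of third-party code executed in a job that holds `GITHUB_TOKEN`. Unless the finish call needs the project's test dependencies (not apparent from this hunk), I would install only the reporting tool, `pip install --upgrade coveralls`, ideally pinned to a fixed version. The finish step also omits `COVERALLS_SERVICE_NAME: github`, which the upload step sets, so it is worth confirming that both steps resolve to the same service and the parallel build is actually closed. As a style point, `python-version: 3.9` is safer written as `"3.9"`, because a later bump to 3.10 would be parsed as the float 3.1.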
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d599e48..b880c44 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,8 +8,9 @@ name: "CodeQL"
 
 on:
 push:
- # Push on all branches
- # branches: [develop]
+ # Dependabot triggered push events have read-only access, but uploading code
+ # scanning requires write access.
+ branches-ignore: [dependabot/**]
 pull_request:
 # The branches below must be a subset of the branches above
 branches: [develop]
From 395279961abae31c75849146d67c785849d8de94 Mon Sep 17 00:00:00 2001
From: Hillary Jeffrey
Date: Thu, 15 Apr 2021 10:50:55 -0400
Subject: [PATCH 4/4] Adds a comment to direct additional requirements into setup.py
---
 requirements.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/requirements.txt b/requirements.txt
index 4ed536d..8b75fe9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
+# Note: Add any additional requirements to setup.py's install_requires field
 --editable .
 wheel
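Review bot: In PATCH 3/4 (`codeql-analysis.yml`), ignoring `dependabot/**` on `push` means dependency-update branches are analysed only through the `pull_request` trigger, which is limited to `branches: [develop]`, so a Dependabot pull request against any other base branch would get no CodeQL run. The retained comment `# The branches below must be a subset of the branches above` no longer matches the `push` block, which now lists no branches; I would replace it with something like `# Dependabot branches are scanned only via pull_request; list every branch Dependabot targets`. The new comment would also read more accurately as `uploading code scanning results requires write access`, and quoting the glob as `["dependabot/**"]` guards against a parse surprise if the pattern is ever changed to start with `*`. The `on:` block continues outside the hunk.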