From 4ba7d84fe1cce48ac5521703f5156eaef65577d1 Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 19:04:21 -0300
Subject: [PATCH 01/10] feat: rebased the main branch

---
 .github/workflows/build.yaml | 19 ++++++++++++--
 .github/workflows/pr-comment-audit.yaml | 33 +++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/pr-comment-audit.yaml

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4599eee5..015439fd 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -43,7 +43,8 @@ jobs:
 matrix:
 # It is recommended to pin a Runner version specifically:
 # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
- os: [ubuntu-latest, macos-latest, windows-latest]
+ #os: [ubuntu-latest, macos-latest, windows-latest]
+ os: [ubuntu-latest]
 python: ['3.9', '3.10']

 steps:
@@ -74,13 +75,27 @@ jobs:

 # Audit all currently installed packages for security vulnerabilities.
 - name: Audit installed packages
- run: make audit
+ id: audit-packages
+ continue-on-error: true
+ run: make --silent audit > vulnerabilities.txt
+
+ # Upload the vulnerabilities file output.
+ - name: Upload Artifact
+ id: upload-audit-artifact
+ uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb #v3.1.1
+ with:
+ name: vulnerabilities.txt
+ path: .
+ if-no-files-found: error
+ retention-days: 1
+ #if: steps.audit-packages.outputs.exit_code == 1

 # Build the sdist and wheel distribution of the package and docs as a zip file.
 # We don't need to check and test the package separately because `make dist` runs
 # those targets first and only builds the package if they succeed.
 - name: Build the package
 run: make dist
+ continue-on-error: true

 # Generate the requirements.txt that contains the hash digests of the dependencies and
 # generate the SBOM using CyclonDX SBOM generator.
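Review bot: `#if: steps.audit-packages.outputs.exit_code == 1` on the Upload Artifact step tests an output that a `run` step never sets — outputs only exist when the step writes them to `GITHUB_OUTPUT` — so once the guard is uncommented (patch 06 enables it verbatim here and in pr-change-set.yaml) the expression compares an empty value with 1, evaluates false, and the upload is skipped on every run, including the runs where the audit found something. With `continue-on-error: true` the documented signal for a failed-but-tolerated step is its outcome: `if: steps.audit-packages.outcome == 'failure'`. Separately, `path: .` uploads the whole checkout — every file the earlier steps produced, not just the report — under the artifact name `vulnerabilities.txt`; `path: vulnerabilities.txt` limits the artifact to the audit output, and if the audit target reports on stderr the `>` redirect drops that part, so `2>&1` may be wanted on the `make` line.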
diff --git a/.github/workflows/pr-comment-audit.yaml b/.github/workflows/pr-comment-audit.yaml
new file mode 100644
index 00000000..1439f09d
--- /dev/null
+++ b/.github/workflows/pr-comment-audit.yaml
@@ -0,0 +1,33 @@
+name: Comment vulnerabilities on Pull Requests
+on:
+ pull_request:
+ branches:
+ - '*'
+ types:
+ - opened
+ - reopened
+ - edited
+ - synchronize
+permissions:
+ contents: read
+
+jobs:
+ comment-audit:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ needs: build
+ steps:
+
+ - name: Download artifact from Build
+ uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
+ #if: steps.audit-packages.outputs.exit_code == 1
+ with:
+ name: vulnerabilities.txt
+
+ - name: comment PR
+ id: comment-pr
+ run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
+ #if: steps.audit-packages.outputs.exit_code == 1
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file

From 90ecc00b3ddf1cfd3807bb4e0797c438823bd43f Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 19:09:53 -0300
Subject: [PATCH 02/10] feat: rebased the main branch

---
 .github/workflows/pr-comment-audit.yaml | 33 -------------------
 .../workflows/pr-conventional-commits.yaml | 20 +++++++++++
 2 files changed, 20 insertions(+), 33 deletions(-)
 delete mode 100644 .github/workflows/pr-comment-audit.yaml

diff --git a/.github/workflows/pr-comment-audit.yaml b/.github/workflows/pr-comment-audit.yaml
deleted file mode 100644
index 1439f09d..00000000
--- a/.github/workflows/pr-comment-audit.yaml
+++ /dev/null
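Review bot: `needs: build` in the new pr-comment-audit.yaml names a job this workflow does not define — `comment-audit` is its only job — so the file fails workflow validation as committed, and the commented `#if: steps.audit-packages.outputs.exit_code == 1` guards could never resolve anyway, because the `steps` context is scoped to the job that runs the step, never to a step of another job or workflow. The same job body is copied into pr-conventional-commits.yaml (patch 02) and pr-change-set.yaml (patches 04, 06 and 10) with the same `steps.audit-packages` reference; once enabled there it silently evaluates false and both the download and the comment step are skipped on every run. The `pull_request` trigger also matters here: if the repository accepts fork PRs, those runs receive a read-only `GITHUB_TOKEN` regardless of `pull-requests: write`, so `gh pr comment` fails for exactly the contributions an audit comment is most useful on; posting from a separate `workflow_run`-triggered workflow, which runs the default branch's definition with repository permissions, is the usual shape for that.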
@@ -1,33 +0,0 @@
-name: Comment vulnerabilities on Pull Requests
-on:
- pull_request:
- branches:
- - '*'
- types:
- - opened
- - reopened
- - edited
- - synchronize
-permissions:
- contents: read
-
-jobs:
- comment-audit:
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write
- needs: build
- steps:
-
- - name: Download artifact from Build
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
- #if: steps.audit-packages.outputs.exit_code == 1
- with:
- name: vulnerabilities.txt
-
- - name: comment PR
- id: comment-pr
- run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
- #if: steps.audit-packages.outputs.exit_code == 1
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml
index ad73472a..faa5ed19 100644
--- a/.github/workflows/pr-conventional-commits.yaml
+++ b/.github/workflows/pr-conventional-commits.yaml
@@ -53,3 +53,23 @@ jobs:
 PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
 PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
 PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
+
+ comment-audit:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ needs: build
+ steps:
+
+ - name: Download artifact from Build
+ uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
+ #if: steps.audit-packages.outputs.exit_code == 1
+ with:
+ name: vulnerabilities.txt
+
+ - name: comment PR
+ id: comment-pr
+ run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
+ #if: steps.audit-packages.outputs.exit_code == 1
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file

From 77b6104789b19571e27dad987f2101817f33d727 Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 19:11:14 -0300
Subject: [PATCH 03/10] feat: rebased the main branch

---
 .github/workflows/pr-conventional-commits.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml
index faa5ed19..6c7c2008 100644
--- a/.github/workflows/pr-conventional-commits.yaml
+++ b/.github/workflows/pr-conventional-commits.yaml
@@ -58,7 +58,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
- needs: build
+ needs: [build]
 steps:

 - name: Download artifact from Build

From d2679f0c752aacf05dc6c0fee185168ea6443541 Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 19:13:25 -0300
Subject: [PATCH 04/10] feat: rebased the main branch

---
 .github/workflows/pr-change-set.yaml | 20 +++++++++++++++++
 .../workflows/pr-conventional-commits.yaml | 22 +------------------
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml
index c4814f97..a4504a01 100644
--- a/.github/workflows/pr-change-set.yaml
+++ b/.github/workflows/pr-change-set.yaml
@@ -18,3 +18,23 @@ jobs:
 uses: ./.github/workflows/build.yaml
 permissions:
 contents: read
+
+ comment-audit:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ needs: build
+ steps:
+
+ - name: Download artifact from Build
+ uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
+ #if: steps.audit-packages.outputs.exit_code == 1
+ with:
+ name: vulnerabilities.txt
+
+ - name: comment PR
+ id: comment-pr
+ run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
+ #if: steps.audit-packages.outputs.exit_code == 1
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml
index 6c7c2008..4b6822f2 100644
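Review bot: In pr-change-set.yaml `needs: build` does refer to a real job — the context line shows `build` calling the reusable `./.github/workflows/build.yaml` — but the guard `#if: steps.audit-packages.outputs.exit_code == 1` still points at a step inside the called workflow, which this job's `steps` context cannot see, so when patch 06 uncomments it both steps are skipped on every run. The audit result has to be exported explicitly: a job-level output in build.yaml such as `audit_outcome: ${{ steps.audit-packages.outcome }}`, re-exported under `on.workflow_call.outputs`, and consumed here as `if: needs.build.outputs.audit_outcome == 'failure'` on both steps or once at job level. The `on:` block of this workflow is outside the hunk; if it is `pull_request`, the read-only fork token caveat from pr-comment-audit.yaml applies to this copy as well.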
--- a/.github/workflows/pr-conventional-commits.yaml
+++ b/.github/workflows/pr-conventional-commits.yaml
@@ -52,24 +52,4 @@ jobs:
 env:
 PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
 PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
- PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
-
- comment-audit:
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write
- needs: [build]
- steps:
-
- - name: Download artifact from Build
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
- #if: steps.audit-packages.outputs.exit_code == 1
- with:
- name: vulnerabilities.txt
-
- - name: comment PR
- id: comment-pr
- run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
- #if: steps.audit-packages.outputs.exit_code == 1
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
\ No newline at end of file

From 3f6eff9fd213c5cf6602f6321fff95cabd1539f1 Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 19:17:28 -0300
Subject: [PATCH 05/10] feat: rebased the main branch

---
 .github/workflows/build.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 015439fd..9cad7406 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -117,6 +117,7 @@ jobs:
 - name: Compute package hash
 if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
 id: compute-hash
+ continue-on-error: true
 shell: bash
 run: |
 set -euo pipefail

From 563de0106ba570d9eae88619b1b3f255a23cd997 Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 19:22:37 -0300
Subject: [PATCH 06/10] feat: rebased the main branch

---
 .github/workflows/build.yaml | 7 ++-----
 .github/workflows/pr-change-set.yaml | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 9cad7406..596e4490 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -43,8 +43,7 @@ jobs:
 matrix:
 # It is recommended to pin a Runner version specifically:
 # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
- #os: [ubuntu-latest, macos-latest, windows-latest]
- os: [ubuntu-latest]
+ os: [ubuntu-latest, macos-latest, windows-latest]
 python: ['3.9', '3.10']

 steps:
@@ -88,14 +87,13 @@ jobs:
 path: .
 if-no-files-found: error
 retention-days: 1
- #if: steps.audit-packages.outputs.exit_code == 1
+ if: steps.audit-packages.outputs.exit_code == 1

 # Build the sdist and wheel distribution of the package and docs as a zip file.
 # We don't need to check and test the package separately because `make dist` runs
 # those targets first and only builds the package if they succeed.
 - name: Build the package
 run: make dist
- continue-on-error: true

 # Generate the requirements.txt that contains the hash digests of the dependencies and
 # generate the SBOM using CyclonDX SBOM generator.
@@ -117,7 +115,6 @@ jobs:
 - name: Compute package hash
 if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
 id: compute-hash
- continue-on-error: true
 shell: bash
 run: |
 set -euo pipefail
diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml
index a4504a01..a0eaf800 100644
--- a/.github/workflows/pr-change-set.yaml
+++ b/.github/workflows/pr-change-set.yaml
@@ -28,13 +28,13 @@ jobs:

 - name: Download artifact from Build
 uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
- #if: steps.audit-packages.outputs.exit_code == 1
+ if: steps.audit-packages.outputs.exit_code == 1
 with:
 name: vulnerabilities.txt

 - name: comment PR
 id: comment-pr
 run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
- #if: steps.audit-packages.outputs.exit_code == 1
+ if: steps.audit-packages.outputs.exit_code == 1
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file

From 67b6ad315ab742ca26eb5c23d1967c56173d7c0d Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 19:23:53 -0300
Subject: [PATCH 07/10] feat: rebased the main branch

---
 .github/workflows/pr-conventional-commits.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml
index 4b6822f2..6d0e4b91 100644
--- a/.github/workflows/pr-conventional-commits.yaml
+++ b/.github/workflows/pr-conventional-commits.yaml
@@ -52,4 +52,5 @@ jobs:
 env:
 PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
 PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
- PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
\ No newline at end of file
+ PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
+
\ No newline at end of file

From caa6e3119c6606633d3f788c752dd4e03bb47f94 Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 19:24:28 -0300
Subject: [PATCH 08/10] feat: rebased the main branch

---
 .github/workflows/pr-conventional-commits.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml
index 6d0e4b91..4b6822f2 100644
--- a/.github/workflows/pr-conventional-commits.yaml
+++ b/.github/workflows/pr-conventional-commits.yaml
@@ -52,5 +52,4 @@ jobs:
 env:
 PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
 PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
- PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
-
\ No newline at end of file
+ PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
\ No newline at end of file

From 486ac05808c10c70acd5477c56c1e01a262b6728 Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 20:25:17 -0300
Subject: [PATCH 09/10] feat: pretty format YAML file

---
 .github/workflows/pr-change-set.yaml | 8 ++++----
 .github/workflows/pr-conventional-commits.yaml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml
index a0eaf800..a8ff72fc 100644
--- a/.github/workflows/pr-change-set.yaml
+++ b/.github/workflows/pr-change-set.yaml
@@ -22,19 +22,19 @@ jobs:
 comment-audit:
 runs-on: ubuntu-latest
 permissions:
- pull-requests: write
+ pull-requests: write
 needs: build
 steps:

 - name: Download artifact from Build
 uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
- if: steps.audit-packages.outputs.exit_code == 1
+ if: steps.audit-packages.outputs.exit_code == 1
 with:
 name: vulnerabilities.txt
-
+
 - name: comment PR
 id: comment-pr
 run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
 if: steps.audit-packages.outputs.exit_code == 1
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml
index 4b6822f2..ad73472a 100644
--- a/.github/workflows/pr-conventional-commits.yaml
+++ b/.github/workflows/pr-conventional-commits.yaml
@@ -52,4 +52,4 @@ jobs:
 env:
 PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
 PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
- PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
\ No newline at end of file
+ PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}

From 0ad2fd36f0e9bfc4bb0018c2022faeeba5bce0ef Mon Sep 17 00:00:00 2001
From: eduardo-getpassport
Date: Tue, 15 Nov 2022 22:09:16 -0300
Subject: [PATCH 10/10] feat: changed name on vulnerabilities file

---
 .github/workflows/build.yaml | 5 ++---
 .github/workflows/pr-change-set.yaml | 6 +++---
 .gitignore | 4 ++++
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 596e4490..4176f9eb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -76,14 +76,13 @@ jobs:
 - name: Audit installed packages
 id: audit-packages
 continue-on-error: true
- run: make --silent audit > vulnerabilities.txt
+ run: make --silent audit > pip-audit-vulnerabilities.txt

 # Upload the vulnerabilities file output.
 - name: Upload Artifact
- id: upload-audit-artifact
 uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb #v3.1.1
 with:
- name: vulnerabilities.txt
+ name: pip-audit-vulnerabilities.txt
 path: .
 if-no-files-found: error
 retention-days: 1
diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml
index a8ff72fc..14c13a82 100644
--- a/.github/workflows/pr-change-set.yaml
+++ b/.github/workflows/pr-change-set.yaml
@@ -30,11 +30,11 @@ jobs:
 uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
 if: steps.audit-packages.outputs.exit_code == 1
 with:
- name: vulnerabilities.txt
+ name: pip-audit-vulnerabilities.txt

- - name: comment PR
+ - name: Comment on PR
 id: comment-pr
- run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
+ run: gh pr comment ${{ github.event.number }} --body-file pip-audit-vulnerabilities.txt
 if: steps.audit-packages.outputs.exit_code == 1
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
index fe324aff..bff0fa50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -132,3 +132,7 @@ dmypy.json

 # Pyre type checker
 .pyre/
+
+# pip audit vulnerabilities file
+
+pip-audit-vulnerabilities.txt