From 40af3ff0b2be40d6b575bf175a42da06bd491013 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Fri, 17 Jan 2025 14:03:16 +0100 Subject: [PATCH 01/14] Fixing issue with Python 3.7 in GitHub actions --- .github/workflows/pip-audit.yml | 40 ++++++++++++++++- .github/workflows/pre-commit.yml | 73 +++++++++++++++++++++++++++++++- 2 files changed, 111 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index d9aa4e5c..bdeec119 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml 
@@ -10,7 +10,45 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: [ "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13" ] + python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12", "3.13" ] + name: pip-audit python ${{ matrix.python-version }} + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 + with: + python-version: ${{ matrix.python-version }} + cache: 'pip' + cache-dependency-path: | + requirements.txt + architecture: x64 + - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' + run: | + pip install --upgrade pip wheel + pip install -r requirements.txt -c constraints-${{ matrix.python-version }}.txt +# - name: 'Freeze Python ${{ matrix.python-version }} constraints' +# run: | +# pip freeze > constraints-${{ matrix.python-version }}.txt + - id: gen-cve-output + uses: pypa/gh-action-pip-audit@v1.1.0 + - name: show_markdown + run: | + # echo "storing to file: ${{ steps.gen-cve-output.outputs.internal-be-careful-output }}" + # echo ${{ steps.gen-cve-output.outputs.internal-be-careful-output }} > $GITHUB_WORKSPACE/security_scans.md + # echo "saved." 
+ type -a pip-audit + cat < constraints-${{ matrix.python-version }}.txt + - run: | + pip install -r dev-requirements.txt -r mypy-requirements.txt -c constraints-${{ matrix.python-version }}.txt + - name: MyPy cache + uses: actions/cache@v3 + with: + path: .mypy_cache/${{ matrix.python-version }} + key: mypy-${{ matrix.python-version }} + - name: 'pre-commit' + uses: pre-commit/action@v3.0.1 +# if: ${{ matrix.python-version != '3.6' }} + with: + extra_args: --all -c .pre-commit-config.yaml + # - name: 'pre-commit (custom Python ${{ matrix.python-version }})' + # uses: pre-commit/action@v3.0.0 + # if: ${{ matrix.python-version == '3.6' }} + # with: + # extra_args: --all -c .pre-commit-config-gh-${{ matrix.python-version }}.yaml + - name: Check transitive dependencies licences + id: license_check_report +# uses: pilosus/action-pip-license-checker@v1.0.0 +# continue-on-error: true + uses: pilosus/action-pip-license-checker@v2.0.0 + with: + requirements: constraints-${{ matrix.python-version }}.txt + fail: 'StrongCopyleft' + exclude: 'pylint.*' + - name: Print licences report + if: ${{ always() }} + run: echo "${{ steps.license_check_report.outputs.report }}" + - uses: actions/upload-artifact@v3 + with: + retention-days: 2 + path: constraints-${{ matrix.python-version }}.txt + + pre-commit-22_04: + runs-on: ubuntu-22.04 + strategy: + matrix: + python-version: [ "3.7" ] name: Pre-commit python ${{ matrix.python-version }} steps: - uses: actions/checkout@v4 @@ -85,6 +155,7 @@ jobs: name: Pull request with the newly generated contents needs: - pre-commit + - pre-commit-22_04 steps: - uses: actions/checkout@v3 - uses: actions/download-artifact@v3 From 96f08d6c4715c76bcb77781aa669ec2cb1965da3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Fri, 17 Jan 2025 14:09:13 +0100 Subject: [PATCH 02/14] Testing unconditionally defined steps --- .github/workflows/pip-audit.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index bdeec119..07174eae 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -31,6 +31,7 @@ jobs: - id: gen-cve-output uses: pypa/gh-action-pip-audit@v1.1.0 - name: show_markdown + if: always() run: | # echo "storing to file: ${{ steps.gen-cve-output.outputs.internal-be-careful-output }}" # echo ${{ steps.gen-cve-output.outputs.internal-be-careful-output }} > $GITHUB_WORKSPACE/security_scans.md From 2118cc9d51e842fa140c9dcdb4079bc49df4460a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Fri, 17 Jan 2025 14:18:14 +0100 Subject: [PATCH 03/14] Exploring whether the environment has been altered with the installation of pip-audit --- .github/workflows/pip-audit.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 07174eae..3ad06d15 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -31,15 +31,13 @@ jobs: - id: gen-cve-output uses: pypa/gh-action-pip-audit@v1.1.0 - name: show_markdown - if: always() + if: success() || failure() run: | # echo "storing to file: ${{ steps.gen-cve-output.outputs.internal-be-careful-output }}" # echo ${{ steps.gen-cve-output.outputs.internal-be-careful-output }} > $GITHUB_WORKSPACE/security_scans.md # echo "saved." - type -a pip-audit - cat < Date: Fri, 17 Jan 2025 17:09:49 +0100 Subject: [PATCH 04/14] Next iteration to try fixing the detected security issues --- .github/workflows/pip-audit.yml | 155 ++++++++++++++++++++------------ 1 file changed, 99 insertions(+), 56 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 3ad06d15..13f269f3 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml 
@@ -23,26 +23,46 @@ jobs: architecture: x64 - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' run: | + python -mvenv /tmp/PIPAUDIT + source /tmp/PIPAUDIT/bin/activate pip install --upgrade pip wheel pip install -r requirements.txt -c constraints-${{ matrix.python-version }}.txt + pip install pip-audit -c constraints-${{ matrix.python-version }}.txt # - name: 'Freeze Python ${{ matrix.python-version }} constraints' # run: | # pip freeze > constraints-${{ matrix.python-version }}.txt - id: gen-cve-output - uses: pypa/gh-action-pip-audit@v1.1.0 - - name: show_markdown - if: success() || failure() run: | - # echo "storing to file: ${{ steps.gen-cve-output.outputs.internal-be-careful-output }}" - # echo ${{ steps.gen-cve-output.outputs.internal-be-careful-output }} > $GITHUB_WORKSPACE/security_scans.md - # echo "saved." - pip freeze - echo ${{ steps.gen-cve-output.outputs.internal-be-careful-output }} | base64 -d -# - uses: actions/upload-artifact@v3 -# with: -# retention-days: 2 -# path: constraints-${{ matrix.python-version }}.txt -# + source /tmp/PIPAUDIT/bin/activate + pip-audit -f markdown -o /tmp/report-before.md + refreeze=$? + if [ "$refreeze" != 0 ] ; then + deactivate + python -mvenv /tmp/PIPFREEZE + source /tmp/PIPFREEZE/bin/activate + pip install --upgrade pip wheel + pip install -r requirements.txt + pip freeze > constraints-${{ matrix.python-version }}.txt + + # Re-audit the populated environment + pip install pip-audit -c constraints-${{ matrix.python-version }}.txt + pip-audit -f markdown -o /tmp/report-after.md + auditres=$? 
+ + if [ "$auditres" = 0 ] ; then + echo -n "output=" >> "$GITHUB_OUTPUT" + (echo "# Fixed issues" ; cat /tmp/report-before.md) | base64 -w 0 >> "$GITHUB_OUTPUT" + else + # Time to emit the report + echo -n "output=" >> "$GITHUB_OUTPUT" + (echo "# Issues not solved" ; cat /tmp/report-after.md) | base64 -w 0 >> "$GITHUB_OUTPUT" + fi + fi + - uses: actions/upload-artifact@v3 + with: + retention-days: 2 + path: constraints-${{ matrix.python-version }}.txt + pip-audit-22_04: runs-on: ubuntu-22.04 strategy: 
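Review bot: Once `pip-audit`'s exit status can actually be captured (PATCH 05 and 06 add the `set +e` this hunk is missing), the `else` branch of the new `gen-cve-output` step emits the "Issues not solved" report and falls through to `fi`, so the step exits 0 and the job stays green even when `/tmp/report-after.md` still lists advisories; the `pip-audit-22_04` hunk below repeats the same shape. If the auto-generated pull request is meant to proceed anyway, make the residual risk visible in that branch with `echo "::warning title=pip-audit::Unresolved advisories for Python ${{ matrix.python-version }}, see the step summary"`; if the job should fail instead, write a step output there and add a final guarded `run: exit 1` step after the artifact upload. Separately, the auditing tool itself is fetched from PyPI at run time with only the project constraints as a pin (and `pip install --upgrade pip wheel` with none), and the later hunk in PATCH 07 drops even that `-c`; pin it explicitly, e.g. `pip install 'pip-audit==<pinned-version>'`, so a broken or compromised tool release cannot change the audit outcome silently.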
@@ -60,53 +80,76 @@ jobs: architecture: x64 - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' run: | + python -mvenv /tmp/PIPAUDIT + source /tmp/PIPAUDIT/bin/activate pip install --upgrade pip wheel pip install -r requirements.txt -c constraints-${{ matrix.python-version }}.txt + pip install pip-audit -c constraints-${{ matrix.python-version }}.txt # - name: 'Freeze Python ${{ matrix.python-version }} constraints' # run: | # pip freeze > constraints-${{ matrix.python-version }}.txt - id: gen-cve-output - uses: pypa/gh-action-pip-audit@v1.1.0 - - name: show_markdown run: | - # echo "storing to file: ${{ steps.gen-cve-output.outputs.internal-be-careful-output }}" - # echo ${{ steps.gen-cve-output.outputs.internal-be-careful-output }} > $GITHUB_WORKSPACE/security_scans.md - # echo "saved." - type -a pip-audit - cat < constraints-${{ matrix.python-version }}.txt + + # Re-audit the populated environment + pip install pip-audit -c constraints-${{ matrix.python-version }}.txt + pip-audit -f markdown -o /tmp/report-after.md + auditres=$? 
+ + if [ "$auditres" = 0 ] ; then + echo -n "output=" >> "$GITHUB_OUTPUT" + (echo "# Fixed issues" ; cat /tmp/report-before.md) | base64 -w 0 >> "$GITHUB_OUTPUT" + else + # Time to emit the report + echo -n "output=" >> "$GITHUB_OUTPUT" + (echo "# Issues not solved" ; cat /tmp/report-after.md) | base64 -w 0 >> "$GITHUB_OUTPUT" + fi + fi + - uses: actions/upload-artifact@v3 + with: + retention-days: 2 + path: constraints-${{ matrix.python-version }}.txt + + pull_request_changes: + # Do this only when it is not a pull request validation + if: github.event_name != 'pull_request' + runs-on: ubuntu-latest + name: Pull request with the newly generated contents + needs: + - pip-audit + - pip-audit-22_04 + steps: + - name: Get analysis timestamp + id: timestamp + run: echo "timestamp=$(date -Is)" >> "$GITHUB_OUTPUT" + - uses: actions/checkout@v3 + - uses: actions/download-artifact@v3 + with: + path: changes-dir + - name: Move artifacts to their right place + run: | + cp -dpr changes-dir/artifact/* . + rm -r changes-dir/artifact + - name: Create Pull Request + id: cpr + uses: peter-evans/create-pull-request@v5 + with: + title: Updated constraints due security reasons (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }}) + branch: create-pull-request/patch-audit-constraints + delete-branch: true + commit-message: "[create-pull-request] Automatically propose updated constraints" + - name: Check outputs + if: ${{ steps.cpr.outputs.pull-request-number }} + run: | + echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" + echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" From 4e737550ee875ea706f50c72f46f479eb0242d90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Fri, 17 Jan 2025 17:14:36 +0100 Subject: [PATCH 05/14] Deactivating to stop in an error of the bundle --- .github/workflows/pip-audit.yml | 1 + 1 file changed, 1 insertion(+) 
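Review bot: The new `pull_request_changes` job pushes a branch and opens a pull request through `peter-evans/create-pull-request@v5`, which requires `contents: write` and `pull-requests: write`, but the job declares no `permissions:` block and any workflow-level one is outside this hunk. Declaring them on this job only, `permissions:` with `contents: write` and `pull-requests: write`, keeps the two audit jobs on a read-only token even when the repository default is permissive and documents why this job needs more. The action is also referenced by a mutable tag; for a step that receives a write-capable token, pinning to the full commit SHA (tag kept in a trailing comment) is the usual hardening.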
diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 13f269f3..8a3558ca 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -91,6 +91,7 @@ jobs: - id: gen-cve-output run: | source /tmp/PIPAUDIT/bin/activate + set +e pip-audit -f markdown -o /tmp/report-before.md refreeze=$? if [ "$refreeze" != 0 ] ; then From 896bf04183a09b7a2bcac96ac69535ff9dc78308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Fri, 17 Jan 2025 17:22:40 +0100 Subject: [PATCH 06/14] Summary emission now properly performed --- .github/workflows/pip-audit.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 8a3558ca..2ff35da2 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -34,6 +34,7 @@ jobs: - id: gen-cve-output run: | source /tmp/PIPAUDIT/bin/activate + set +e pip-audit -f markdown -o /tmp/report-before.md refreeze=$? if [ "$refreeze" != 0 ] ; then @@ -50,12 +51,10 @@ jobs: auditres=$? if [ "$auditres" = 0 ] ; then - echo -n "output=" >> "$GITHUB_OUTPUT" - (echo "# Fixed issues" ; cat /tmp/report-before.md) | base64 -w 0 >> "$GITHUB_OUTPUT" + (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" else # Time to emit the report - echo -n "output=" >> "$GITHUB_OUTPUT" - (echo "# Issues not solved" ; cat /tmp/report-after.md) | base64 -w 0 >> "$GITHUB_OUTPUT" + (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY" fi fi - uses: actions/upload-artifact@v3 
@@ -108,12 +107,10 @@ jobs: auditres=$? if [ "$auditres" = 0 ] ; then - echo -n "output=" >> "$GITHUB_OUTPUT" - (echo "# Fixed issues" ; cat /tmp/report-before.md) | base64 -w 0 >> "$GITHUB_OUTPUT" + (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" else # Time to emit the report - echo -n "output=" >> "$GITHUB_OUTPUT" - (echo "# Issues not solved" ; cat /tmp/report-after.md) | base64 -w 0 >> "$GITHUB_OUTPUT" + (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY" fi fi - uses: actions/upload-artifact@v3 From 314f8b08455cc30fc7fab0ba89b64c21db9d72b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Mon, 20 Jan 2025 02:19:52 +0100 Subject: [PATCH 07/14] Testing yaml anchors with GitHub actions --- .github/workflows/pip-audit.yml | 66 ++++++--------------------------- 1 file changed, 11 insertions(+), 55 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 2ff35da2..a4e3ff1b 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -12,7 +12,7 @@ jobs: matrix: python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12", "3.13" ] name: pip-audit python ${{ matrix.python-version }} - steps: + steps: &idsteps - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: @@ -26,8 +26,7 @@ jobs: python -mvenv /tmp/PIPAUDIT source /tmp/PIPAUDIT/bin/activate pip install --upgrade pip wheel - pip install -r requirements.txt -c constraints-${{ matrix.python-version }}.txt - pip install pip-audit -c constraints-${{ matrix.python-version }}.txt + pip install pip-audit # - name: 'Freeze Python ${{ matrix.python-version }} constraints' # run: | # pip freeze > constraints-${{ matrix.python-version }}.txt 
@@ -35,8 +34,10 @@ jobs: run: | source /tmp/PIPAUDIT/bin/activate set +e - pip-audit -f markdown -o /tmp/report-before.md + pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md refreeze=$? + set -e + if [ "$refreeze" != 0 ] ; then deactivate python -mvenv /tmp/PIPFREEZE @@ -46,9 +47,12 @@ jobs: pip freeze > constraints-${{ matrix.python-version }}.txt # Re-audit the populated environment - pip install pip-audit -c constraints-${{ matrix.python-version }}.txt - pip-audit -f markdown -o /tmp/report-after.md + deactivate + source /tmp/PIPAUDIT/bin/activate + set +e + pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md auditres=$? + set -e if [ "$auditres" = 0 ] ; then (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" 
@@ -68,55 +72,7 @@ jobs: matrix: python-version: [ "3.7" ] name: pip-audit python ${{ matrix.python-version }} - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 - with: - python-version: ${{ matrix.python-version }} - cache: 'pip' - cache-dependency-path: | - requirements.txt - architecture: x64 - - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' - run: | - python -mvenv /tmp/PIPAUDIT - source /tmp/PIPAUDIT/bin/activate - pip install --upgrade pip wheel - pip install -r requirements.txt -c constraints-${{ matrix.python-version }}.txt - pip install pip-audit -c constraints-${{ matrix.python-version }}.txt -# - name: 'Freeze Python ${{ matrix.python-version }} constraints' -# run: | -# pip freeze > constraints-${{ matrix.python-version }}.txt - - id: gen-cve-output - run: | - source /tmp/PIPAUDIT/bin/activate - set +e - pip-audit -f markdown -o /tmp/report-before.md - refreeze=$? - if [ "$refreeze" != 0 ] ; then - deactivate - python -mvenv /tmp/PIPFREEZE - source /tmp/PIPFREEZE/bin/activate - pip install --upgrade pip wheel - pip install -r requirements.txt - pip freeze > constraints-${{ matrix.python-version }}.txt - - # Re-audit the populated environment - pip install pip-audit -c constraints-${{ matrix.python-version }}.txt - pip-audit -f markdown -o /tmp/report-after.md - auditres=$? - - if [ "$auditres" = 0 ] ; then - (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" - else - # Time to emit the report - (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY" - fi - fi - - uses: actions/upload-artifact@v3 - with: - retention-days: 2 - path: constraints-${{ matrix.python-version }}.txt + steps: *idsteps pull_request_changes: # Do this only when it is not a pull request validation From fa8151d4a52a9ba8cf487891a51287c49d4077a6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Mon, 20 Jan 2025 02:22:09 +0100 Subject: [PATCH 08/14] GitHub Actions do not support yaml anchors (yet!) --- .github/workflows/pip-audit.yml | 56 +++++++++++++++++++++++++++++++-- 1 file changed, 54 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index a4e3ff1b..786c9fc7 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -12,7 +12,7 @@ jobs: matrix: python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12", "3.13" ] name: pip-audit python ${{ matrix.python-version }} - steps: &idsteps + steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: 
@@ -72,7 +72,59 @@ jobs: matrix: python-version: [ "3.7" ] name: pip-audit python ${{ matrix.python-version }} - steps: *idsteps + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 + with: + python-version: ${{ matrix.python-version }} + cache: 'pip' + cache-dependency-path: | + requirements.txt + architecture: x64 + - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' + run: | + python -mvenv /tmp/PIPAUDIT + source /tmp/PIPAUDIT/bin/activate + pip install --upgrade pip wheel + pip install pip-audit +# - name: 'Freeze Python ${{ matrix.python-version }} constraints' +# run: | +# pip freeze > constraints-${{ matrix.python-version }}.txt + - id: gen-cve-output + run: | + source /tmp/PIPAUDIT/bin/activate + set +e + pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md + refreeze=$? + set -e + + if [ "$refreeze" != 0 ] ; then + deactivate + python -mvenv /tmp/PIPFREEZE + source /tmp/PIPFREEZE/bin/activate + pip install --upgrade pip wheel + pip install -r requirements.txt + pip freeze > constraints-${{ matrix.python-version }}.txt + + # Re-audit the populated environment + deactivate + source /tmp/PIPAUDIT/bin/activate + set +e + pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md + auditres=$? + set -e + + if [ "$auditres" = 0 ] ; then + (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" + else + # Time to emit the report + (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY" + fi + fi + - uses: actions/upload-artifact@v3 + with: + retention-days: 2 + path: constraints-${{ matrix.python-version }}.txt pull_request_changes: # Do this only when it is not a pull request validation From 084209711f7a534e3e64c5c8fb66b5bc84c8c686 Mon Sep 17 00:00:00 2001 
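Review bot: The expanded `pip-audit-22_04` steps are a verbatim copy of the `pip-audit` job, differing only in `runs-on` and the matrix, which is the kind of duplication that already forced PATCH 05 and PATCH 06 to apply the same `set +e` fix twice. Since the runner rejects YAML anchors, the supported way to share the body is a reusable workflow (`on: workflow_call` with `runs-on` and `python-version` as inputs) or a composite action invoked from both jobs. Until then, a one-line comment above each `steps:` naming the other copy, `# keep in sync with the pip-audit job above`, would at least make the coupling visible.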
From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Mon, 20 Jan 2025 03:41:25 +0100 Subject: [PATCH 09/14] Upgrading CI artifact related steps to latest version. Also, trying to generate a more meaningful pull request body --- .github/workflows/pip-audit.yml | 46 ++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 15 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 786c9fc7..0c3e5147 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -14,7 +14,7 @@ jobs: name: pip-audit python ${{ matrix.python-version }} steps: - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} cache: 'pip' @@ -55,16 +55,22 @@ jobs: set -e if [ "$auditres" = 0 ] ; then - (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" + echo "# Fixed dependency issues for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md + cat /tmp/report-before.md >> audit-report-${{ matrix.python-version }}.md else # Time to emit the report - (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY" + echo "# Dependency issues not solved for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md + cat /tmp/report-after.md >> audit-report-${{ matrix.python-version }}.md fi + cat audit-report-${{ matrix.python-version }}.md >> "$GITHUB_STEP_SUMMARY" fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: + name: audit-${{ matrix.python-version }} retention-days: 2 - path: constraints-${{ matrix.python-version }}.txt + path: | + constraints-${{ matrix.python-version }}.txt + audit-report-${{ matrix.python-version }}.md pip-audit-22_04: runs-on: ubuntu-22.04 
@@ -74,7 +80,7 @@ jobs: name: pip-audit python ${{ matrix.python-version }} steps: - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} cache: 'pip' @@ -115,16 +121,22 @@ jobs: set -e if [ "$auditres" = 0 ] ; then - (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" + echo "# Fixed dependency issues for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md + cat /tmp/report-before.md >> audit-report-${{ matrix.python-version }}.md else # Time to emit the report - (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY" + echo "# Dependency issues not solved for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md + cat /tmp/report-after.md >> audit-report-${{ matrix.python-version }}.md fi + cat audit-report-${{ matrix.python-version }}.md >> "$GITHUB_STEP_SUMMARY" fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: + name: audit-${{ matrix.python-version }} retention-days: 2 - path: constraints-${{ matrix.python-version }}.txt + path: | + constraints-${{ matrix.python-version }}.txt + audit-report-${{ matrix.python-version }}.md pull_request_changes: # Do this only when it is not a pull request validation 
@@ -138,22 +150,26 @@ jobs: - name: Get analysis timestamp id: timestamp run: echo "timestamp=$(date -Is)" >> "$GITHUB_OUTPUT" - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 + - uses: actions/checkout@v4 + - uses: actions/download-artifact@v4 with: + pattern: audit-* + merge-multiple: true path: changes-dir - name: Move artifacts to their right place run: | - cp -dpr changes-dir/artifact/* . + cp -dpr changes-dir/artifact/constraints-*.txt . + cat changes-dir/artifact/audit-report-*.md > /tmp/pull-body.md rm -r changes-dir/artifact - name: Create Pull Request id: cpr - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@v7 with: title: Updated constraints due security reasons (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }}) branch: create-pull-request/patch-audit-constraints delete-branch: true - commit-message: "[create-pull-request] Automatically propose updated constraints" + commit-message: "[create-pull-request] Automatically updated constraints due security reasons" + body-path: /tmp/pull-body.md - name: Check outputs if: ${{ steps.cpr.outputs.pull-request-number }} run: | From 5b19091409650dc6a6135e35512c9ee3331b5f4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Mon, 20 Jan 2025 03:59:37 +0100 Subject: [PATCH 10/14] Fixing pull request artifacts integration --- .github/workflows/pip-audit.yml | 35 ++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 0c3e5147..0bf44594 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml 
@@ -152,18 +152,43 @@ jobs: run: echo "timestamp=$(date -Is)" >> "$GITHUB_OUTPUT" - uses: actions/checkout@v4 - uses: actions/download-artifact@v4 + id: download with: pattern: audit-* merge-multiple: true path: changes-dir - name: Move artifacts to their right place + id: move run: | - cp -dpr changes-dir/artifact/constraints-*.txt . - cat changes-dir/artifact/audit-report-*.md > /tmp/pull-body.md - rm -r changes-dir/artifact + skip=true + if [ -d "${{steps.download.outputs.download-path}}" ] ; then + for con in "${{steps.download.outputs.download-path}}"/constraints-*.txt ; do + case "$con" in + */"constraints-*.txt") + break + ;; + *) + cp -p "$con" . + skip=false + ;; + esac + done + for aud in "${{steps.download.outputs.download-path}}"/audit-*.txt ; do + case "$aud" in + */"audit-*.txt") + break + ;; + *) + cat "$con" >> /tmp/pull-body.md + ;; + esac + done + fi + echo "skip=$skip" >> "$GITHUB_OUTPUT" - name: Create Pull Request id: cpr uses: peter-evans/create-pull-request@v7 + if: steps.move.outputs.skip == 'false' with: title: Updated constraints due security reasons (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }}) branch: create-pull-request/patch-audit-constraints @@ -173,5 +198,5 @@ jobs: - name: Check outputs if: ${{ steps.cpr.outputs.pull-request-number }} run: | - echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" - echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" + echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" >> "$GITHUB_STEP_SUMMARY" + echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> "$GITHUB_STEP_SUMMARY" From f59cfe58978acd4eb5399247d902be2f6fbbde0d Mon Sep 17 00:00:00 2001 
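Review bot: The rewritten `Move artifacts` step interpolates `${{steps.download.outputs.download-path}}` straight into the shell script four times; the recommended shape is to pass it through the step's `env:` (`env:` then `DL_DIR: ${{ steps.download.outputs.download-path }}`) and reference `"$DL_DIR"`, which keeps the script free of textual substitution even though this particular value is workflow-controlled and low risk. The sentinel `case` arms that detect an unexpanded glob can go away with `shopt -s nullglob` at the top of the script, leaving a plain `for con in "$DL_DIR"/constraints-*.txt; do cp -p "$con" .; skip=false; done`. Note too that `skip` only records whether any `constraints-*.txt` was downloaded, and the audit jobs upload that file unconditionally (it is read from the checkout in the install step), so the guard on `Create Pull Request` appears to skip only when no artifact arrived at all; if the intent was "nothing changed", comparing against the checked-out copy with `git diff --quiet -- 'constraints-*.txt'` would express that.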
From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Mon, 20 Jan 2025 04:04:11 +0100 Subject: [PATCH 11/14] Fixed location of body path for the generated pull request --- .github/workflows/pip-audit.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 0bf44594..72589738 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -179,7 +179,7 @@ jobs: break ;; *) - cat "$con" >> /tmp/pull-body.md + cat "$con" >> pull-body.md ;; esac done @@ -192,9 +192,10 @@ jobs: with: title: Updated constraints due security reasons (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }}) branch: create-pull-request/patch-audit-constraints + add-paths: constraints-*.txt delete-branch: true commit-message: "[create-pull-request] Automatically updated constraints due security reasons" - body-path: /tmp/pull-body.md + body-path: pull-body.md - name: Check outputs if: ${{ steps.cpr.outputs.pull-request-number }} run: | From da2acb94dc50a59bff68a70fa74c3c8431af54d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Mon, 20 Jan 2025 04:20:13 +0100 Subject: [PATCH 12/14] Try finding clues about why the pull request integration code is failing --- .github/workflows/pip-audit.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 72589738..2e4d8071 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -164,7 +164,7 @@ jobs: if [ -d "${{steps.download.outputs.download-path}}" ] ; then for con in "${{steps.download.outputs.download-path}}"/constraints-*.txt ; do case "$con" in - */"constraints-*.txt") + */constraints-\*.txt) break ;; *) 
@@ -175,7 +175,7 @@ jobs: done for aud in "${{steps.download.outputs.download-path}}"/audit-*.txt ; do case "$aud" in - */"audit-*.txt") + */audit-\*.txt) break ;; *) @@ -184,6 +184,7 @@ jobs: esac done fi + ls -l echo "skip=$skip" >> "$GITHUB_OUTPUT" - name: Create Pull Request id: cpr From d3e6fdf6f5fcb3db2f7a2db4b82e7d11c31387e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Mon, 20 Jan 2025 04:24:04 +0100 Subject: [PATCH 13/14] (Hopefully) fixed issue gathering all the auditing reports for the pull request body generation --- .github/workflows/pip-audit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 2e4d8071..9015b772 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -173,9 +173,9 @@ jobs: ;; esac done - for aud in "${{steps.download.outputs.download-path}}"/audit-*.txt ; do + for aud in "${{steps.download.outputs.download-path}}"/audit-report*.md ; do case "$aud" in - */audit-\*.txt) + */audit-report-\*.md) break ;; *) From c2d153a16c7ecc70f6a6d899cbbba94ca224ae40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20M=C2=AA=20Fern=C3=A1ndez?= Date: Mon, 20 Jan 2025 04:27:14 +0100 Subject: [PATCH 14/14] Fixing appending wrong file to the pull request report --- .github/workflows/pip-audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 9015b772..cb4c946b 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -179,7 +179,7 @@ jobs: break ;; *) - cat "$con" >> pull-body.md + cat "$aud" >> pull-body.md ;; esac done
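Review bot: The `ls -l` added before `echo "skip=$skip"` in the PATCH 12 hunk is a debugging aid (per the subject line) that prints the full workspace listing into the log on every run; drop it once the artifact layout is understood, or guard it with `if [ "${RUNNER_DEBUG:-0}" = 1 ]; then ls -l; fi` so it only appears when step debug logging is enabled.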