Skip to content

Commit

Permalink
chore: more remediations from oss scorecard
Browse files Browse the repository at this point in the history
- [x] github action versions via hashes
- [x] switch from pip to pipenv
  - seems to handle hashes better and has a lock file

Signed-off-by: jmeridth <[email protected]>
  • Loading branch information
jmeridth committed May 6, 2024
1 parent 288845d commit 642d523
Show file tree
Hide file tree
Showing 9 changed files with 701 additions and 27 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/linter.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,9 @@ jobs:
fetch-depth: 0
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-test.txt
python -m pip install pip==24.0 --hash=sha256:ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc \
pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01
pipenv install --deploy --dev --system
- name: Lint Code Base
uses: super-linter/super-linter@4758be622215d0954c8353ee4877ffd60111cf8e
env:
Expand Down
11 changes: 6 additions & 5 deletions .github/workflows/python-package.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,12 @@ jobs:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-test.txt
- name: Lint with flake8 and pylint
python -m pip install pip==24.0 --hash=sha256:ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc \
pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01
pipenv install --deploy --dev --system
- name: Lint with super-linter
run: |
make lint
pipenv run lint
- name: Test with pytest
run: |
make test
pipenv run test
22 changes: 20 additions & 2 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,30 @@ on:
- cron: '29 11 * * 6'
push:
branches: ["main"]
pull_request:
branches: ["main"]

permissions: read-all

jobs:
analysis:
name: Scorecard analysis
pull-request-analysis:
if : github.event_name == 'pull_request'
name: Pull Request Scorecard analysis
runs-on: ubuntu-latest
steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
publish_results: false
merge-to-main-analysis:
if : github.event_name == 'push' && github.ref == 'refs/heads/main'
name: Merge to Main Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write
Expand Down
4 changes: 2 additions & 2 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ LABEL com.github.actions.name="stale-repos" \
org.opencontainers.image.description="Find stale repositories in a GitHub organization."

WORKDIR /action/workspace
COPY requirements.txt stale_repos.py /action/workspace/
COPY Pipfile Pipfile.lock stale_repos.py /action/workspace/

RUN python3 -m pip install --no-cache-dir -r requirements.txt \
RUN python3 -m pip install --no-cache-dir pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01 \
&& apt-get -y update \
&& apt-get -y install --no-install-recommends git-all=1:2.39.2-1.1 \
&& rm -rf /var/lib/apt/lists/*
Expand Down
30 changes: 30 additions & 0 deletions Pipfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[scripts]
test = "make test"
lint = "make lint"
clean = "make clean"

[packages]
"github3.py" = "==4.0.1"
pyjwt = "==2.8.0"
python-dotenv = "==1.0.1"
python-dateutil = "==2.9.0.post0"

[dev-packages]
black = "==24.4.2"
dill = "==0.3.8"
exceptiongroup = "==1.2.1"
flake8 = "==7.0.0"
mypy = "==1.10.0"
mypy-extensions = "==1.0.0"
pylint = "==3.1.0"
pytest = "==8.2.0"
pytest-cov = "==5.0.0"
tomli = "==2.0.1"
typing-extensions = "==4.11.0"
types-python-dateutil = "==2.9.0.20240316"
types-requests = "==2.31.0.20240406"
632 changes: 632 additions & 0 deletions Pipfile.lock

Large diffs are not rendered by default.

12 changes: 8 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -256,15 +256,19 @@ jobs:
1. (Optional) Fill out the `.env` file with the [repository topics](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics) _exempt_topics_ that you want to filter out from the stale repos report. This should be a comma separated list of topics.
1. (Optional) Fill out the `.env` file with the exact _organization_ that you want to search in
1. (Optional) Fill out the `.env` file with the exact _URL_ of the GitHub Enterprise that you want to search in. Keep empty if you want to search in the public `github.com`.
1. `pip install -r requirements.txt`
1. `python3 -m pip install pipenv==2023.12.1`
1. `pipenv shell`
1. `pipenv install`
1. Run `python3 ./stale_repos.py`, which will output a list of repositories and the length of their inactivity

## Local testing without Docker

1. Have Python v3.9 or greater installed
1. `pip install -r requirements.txt -r requirements-test.txt`
1. `make lint`
1. `make test`
1. `pip install pipenv==2023.12.1`
1. `pipenv shell`
1. `pipenv install --dev`
1. `pipenv run lint`
1. `pipenv run test`

## License

Expand Down
9 changes: 0 additions & 9 deletions requirements-test.txt

This file was deleted.

3 changes: 0 additions & 3 deletions requirements.txt

This file was deleted.

0 comments on commit 642d523

Please sign in to comment.