Merge pull request #145 from EOPF-Explorer/security/permissions-and-blocking-checks

ci: add permissions block and make security checks blocking

Author: lhoupert

.github/dependabot.yml

@@ -15,6 +15,8 @@ updates:
     commit-message:
       prefix: "deps"
       include: "scope"
+    cooldown:
+      default-days: 7
 
   # Enable version updates for GitHub Actions
   - package-ecosystem: "github-actions"
@@ -31,3 +33,5 @@ updates:
     commit-message:
       prefix: "ci"
       include: "scope"
+    cooldown:
+      default-days: 7

.github/workflows/build_uv_cache.yml

@@ -11,13 +11,21 @@ on:
   schedule:
     - cron: "0 0 */5 * *"  # Every 5 days, before cache expiry
 
+permissions:
+  contents: read
+
 jobs:
   build-cache:
     runs-on: ubuntu-latest
-    
+    permissions:
+      contents: read
+      actions: write  # required by actions/cache/save
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
@@ -39,4 +47,4 @@ jobs:
             ~/.cache/uv
             ~/.local/share/uv
             .venv
-          key: uv-main-${{ hashFiles('uv.lock') }}
+          key: uv-main-${{ hashFiles('uv.lock') }}

.github/workflows/ci.yml

@@ -6,15 +6,23 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      with:
+        persist-credentials: false
     - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: '3.12'
-    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+    - name: Install pre-commit
+      run: pip install pre-commit
+    - name: Run pre-commit
+      run: pre-commit run --all-files
 
   test:
     runs-on: ${{ matrix.os }}
@@ -25,6 +33,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      with:
+        persist-credentials: false
 
     - name: Restore global uv cache
       id: cache-restore
@@ -69,31 +79,3 @@ jobs:
           ~/.local/share/uv
           .venv
         key: uv-main-${{ hashFiles('uv.lock') }}
-
-  security:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-
-    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
-      with:
-        python-version: '3.12'
-
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install bandit safety
-
-    - name: Run security checks
-      run: |
-        bandit -r eopf_geozarr/ -f json -o bandit-report.json || true
-        safety check --json --output safety-report.json || true
-
-    - name: Upload security reports
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
-      with:
-        name: security-reports
-        path: |
-          bandit-report.json
-          safety-report.json

.github/workflows/docs.yml

@@ -8,14 +8,19 @@ on:
     paths:
       - "docs/**"
 
+permissions:
+  contents: read
+
 jobs:
   build-docs:
     permissions:
-      contents: write
-      pages: write   
+      contents: write  # mkdocs gh-deploy pushes the site branch
+      pages: write  # GitHub Pages deployment
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      with:
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -38,4 +43,10 @@ jobs:
 
     - name: Deploy docs
       if: github.event_name == 'push'
-      run: uv run -- mkdocs gh-deploy --force
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: |
+        git config user.name "github-actions[bot]"
+        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
+        uv run -- mkdocs gh-deploy --force

.github/workflows/release-please.yml

@@ -6,12 +6,14 @@ on:
       - main
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write  # release-please creates releases and version bump commits
+      pull-requests: write  # release-please opens and updates release PRs
     steps:
       - name: Release Please
         id: release

.github/workflows/release.yml

@@ -4,11 +4,19 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      with:
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -36,7 +44,8 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
     permissions:
-      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+      actions: read
+      id-token: write  # IMPORTANT: mandatory for trusted publishing to PyPI
 
     steps:
     - name: Download build artifacts

.github/workflows/security.yml

@@ -0,0 +1,26 @@
+name: Security Audit
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write  # action-python-security-auditing posts and updates PR comments
+    steps:
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      with:
+        persist-credentials: false
+    - uses: developmentseed/action-python-security-auditing@8ebea22ea75dfba2244ed9883c2aa6cb4df8d9a9 # v0.6.0
+      with:
+        package_manager: uv
+        bandit_scan_dirs: 'src/eopf_geozarr/'
+        artifact_name: security-reports

pyproject.toml

@@ -31,13 +31,13 @@ dependencies = [
     "pydantic>=2.12",
     "zarr>=3.1.1",
     "xarray>=2025.7.1",
-    "dask[array,distributed]>=2025.5.1",
+    "dask[array,distributed]>=2026.1.0",
     "numpy>=2.3.1",
     "rioxarray>=0.13.0",
     "cf-xarray>=0.8.0",
     "typing-extensions>=4.15.0",
     "zarr-cm>=0.2.0",
-    "aiohttp>=3.8.1",
+    "aiohttp>=3.13.3",
     "s3fs>=2024.6.0",
     "boto3>=1.34.0",
     "pyproj>=3.7.0",
@@ -51,7 +51,6 @@ dev = [
     "mypy>=1.0.0",
     "pre-commit>=3.0.0",
     "bandit[toml]>=1.7.0",
-    "safety>=2.0.0",
 ]
 test = [
     "jsondiff>=2.2.1",
@@ -221,5 +220,14 @@ skips = ["B101", "B601"]
 
 [tool.uv]
 default-groups = ["dev", "test"]
+constraint-dependencies = [
+    "urllib3>=2.6.3",
+    "requests>=2.33.0",
+    "cryptography>=46.0.6",
+    "tornado>=6.5.5",
+    "filelock>=3.20.3",
+    "virtualenv>=20.36.1",
+    "black>=26.3.1",
+]