fix: update secrets baseline

RustamovAkrom · RustamovAkrom · commit 03059ae33e24 · 2025-12-11T00:36:01.000+05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,6 @@
 name: CI Pipeline
 
+# Триггеры для CI
 on:
   push:
     branches: [main]
@@ -14,20 +15,24 @@ jobs:
         python-version: [3.12]
 
     steps:
+      # 1️⃣ Checkout проекта
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      # 2️⃣ Настройка Python и кеширование pip
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
           cache: "pip"
 
+      # 3️⃣ Установка UV и зависимостей
       - name: Install UV
         run: |
           python -m pip install --upgrade pip
           pip install uv
 
+      # 4️⃣ Кешируем virtualenv UV для ускорения повторных запусков
       - name: Cache UV virtualenv
         uses: actions/cache@v4
         with:
@@ -38,9 +43,11 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-uv-
 
+      # 5️⃣ Синхронизация зависимостей проекта через UV
       - name: Sync dependencies
         run: uv sync
 
+      # 6️⃣ Pre-commit checks (форматирование, линтеры и проверки безопасности)
       - name: Run Pre-commit checks
         uses: pre-commit/action@v3.0.0
         with:
@@ -49,36 +56,42 @@ jobs:
       - name: Clear pre-commit cache
         run: pre-commit clean
 
+      # 7️⃣ Статическая проверка типизации
       - name: Run Mypy
         run: uv run mypy src/
 
+      # 8️⃣ Линтер
       - name: Run Ruff
         run: uv run ruff check src/
 
+      # 9️⃣ Тесты проекта
       - name: Run Tests
         env:
           ENV: test
           MAIL_USERNAME: test@example.com
           MAIL_PASSWORD: testpass
         run: uv run pytest -v --disable-warnings --maxfail=1
-      
-      # - name: Install security tools
-      #   run: |
-      #     python -m pip install --upgrade pip
-      #     pip install pip-audit bandit safety
 
+      # 🔒 10️⃣ Аудит безопасности зависимостей
       - name: Dependency security audit (pip-audit)
-        run: |
-          pip-audit --format=human
+        run: uv run pip-audit --format=human
 
       - name: Static security scan (Bandit)
-        run: |
-          bandit -r src -ll
+        run: uv run bandit -r src -ll
 
-      - name: Safety check (optional)
-        run: |
-          safety check
+      - name: Safety scan
+        run: uv run safety scan
+
+      # 11️⃣ CodeQL security scanning
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
 
+      # 12️⃣ Сохраняем кэш pytest при падении тестов
       - name: Upload pytest cache
         if: failure()
         uses: actions/upload-artifact@v4
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -6,27 +6,31 @@ on:
   pull_request:
     branches: [ main ]
   schedule:
-    - cron: "0 3 * * 0"
+    - cron: '0 0 * * 0'  # опционально, раз в неделю
 
 jobs:
-  analyze:
-    name: Analyze (CodeQL)
+  codeql:
+    name: Analyze
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
       security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]  # укажи нужные языки
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
+    - name: Checkout repository
+      uses: actions/checkout@v3
 
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
-        with:
-          languages: python
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
 
-      - name: Autobuild (if needed)
-        uses: github/codeql-action/autobuild@v2
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
 
-      - name: Run CodeQL analysis
-        uses: github/codeql-action/analyze@v2
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -90,6 +90,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -152,7 +156,7 @@
         "filename": ".github\\workflows\\ci.yml",
         "hashed_secret": "206c80413b9a96c1312cc346b7d2517b84463edd",
         "is_verified": false,
-        "line_number": 62
+        "line_number": 72
       }
     ],
     "README.md": [
@@ -228,5 +232,5 @@
       }
     ]
   },
-  "generated_at": "2025-12-10T18:38:20Z"
+  "generated_at": "2025-12-10T19:35:10Z"
 }

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,10 @@`
`90`	`90`	`{`
`91`	`91`	`"path": "detect_secrets.filters.allowlist.is_line_allowlisted"`
`92`	`92`	`},`
	`93`	`+ {`
	`94`	`+ "path": "detect_secrets.filters.common.is_baseline_file",`
	`95`	`+ "filename": ".secrets.baseline"`
	`96`	`+ },`
`93`	`97`	`{`
`94`	`98`	`"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",`
`95`	`99`	`"min_level": 2`
`@@ -152,7 +156,7 @@`
`152`	`156`	`"filename": ".github\\workflows\\ci.yml",`
`153`	`157`	`"hashed_secret": "206c80413b9a96c1312cc346b7d2517b84463edd",`
`154`	`158`	`"is_verified": false,`
`155`		`- "line_number": 62`
	`159`	`+ "line_number": 72`
`156`	`160`	`}`
`157`	`161`	`],`
`158`	`162`	`"README.md": [`
`@@ -228,5 +232,5 @@`
`228`	`232`	`}`
`229`	`233`	`]`
`230`	`234`	`},`
`231`		`- "generated_at": "2025-12-10T18:38:20Z"`
	`235`	`+ "generated_at": "2025-12-10T19:35:10Z"`
`232`	`236`	`}`