Commit 6ddb01c

TimChild and claude authored
Refresh uv.lock for CVEs and add explicit CI permissions (closes #25) (#26)
* chore(deps): uv sync --upgrade to clear known CVEs

  Refreshes uv.lock to current dependency versions (reflex 0.8.20 -> 0.9.1, authlib 1.5.2 -> 1.6.11, requests, urllib3, cryptography, etc.) to pick up security fixes flagged in #25.

  Authlib 1.6 tightened the type signature on `jwt.decode`; pass a `KeySet` built via `JsonWebKey.import_key_set` instead of a raw `{"keys": [...]}` dict.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: declare explicit GITHUB_TOKEN permissions on workflows

  Addresses the second half of #25: GitHub flags workflows that rely on default token permissions. Adds minimal `permissions:` blocks — top-level `contents: read` for read-only CI, plus `pull-requests: read/write` on the jobs that fetch PR info or post status comments.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 3852e2a commit 6ddb01c

7 files changed

Lines changed: 1374 additions & 950 deletions

.github/workflows/_reusable-ci.yml

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -26,6 +26,8 @@ on:
2626
jobs:
2727
ci:
2828
runs-on: ubuntu-latest
29+
permissions:
30+
contents: read
2931
strategy:
3032
matrix:
3133
python-versions: ["3.11", "3.12", "3.13"]
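Review bot: the job-level `permissions: contents: read` added at lines 29-30 of a reusable workflow can only narrow what the calling workflow grants, never widen it, so any future step in the `ci` job that needs more (uploading check results, writing statuses) has to be granted both here and in every caller, or it fails with a 403 that is easy to misread. A one-line comment above the block saying exactly that would save the next contributor a debugging round; the block itself is consistent with the callers in this commit.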

.github/workflows/ci-forks.yml

Lines changed: 3 additions & 0 deletions
@@ -10,6 +10,9 @@ concurrency:
1010
group: ${{ github.workflow }}-${{ github.ref }}
1111
cancel-in-progress: true
1212

13+
permissions:
14+
contents: read
15+
1316
jobs:
1417
basic-checks:
1518
uses: ./.github/workflows/_reusable-ci.yml
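Review bot: a top-level `permissions:` block sets every scope not listed to `none`, so `contents: read` at lines 13-14 is the right shape for a read-only CI; on the fork path the token is already read-only for `pull_request` events, so the main value here is making the intent explicit and satisfying the #25 finding. Style point: a short comment noting that `basic-checks` only calls the reusable workflow and therefore needs nothing beyond `contents: read` would stop a future edit from bumping it to `write` on the first permission error.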

.github/workflows/ci.yml

Lines changed: 3 additions & 0 deletions
@@ -12,6 +12,9 @@ concurrency:
1212
group: ${{ github.workflow }}-${{ github.ref }}
1313
cancel-in-progress: true
1414

15+
permissions:
16+
contents: read
17+
1518
jobs:
1619
ci:
1720
uses: ./.github/workflows/_reusable-ci.yml
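Review bot: because a job-level `permissions` block replaces the workflow-level set rather than merging with it, the `contents: read` added at lines 15-16 reaches the `ci` job only as long as no job in this file declares its own block; any job added later with a narrower block must re-list `contents: read` or it silently drops to `none`. Since this workflow is also the cap for what `_reusable-ci.yml` may request, this is the single place to widen permissions if the reusable CI ever needs them, which is worth stating in a comment next to the block.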

.github/workflows/full-ci-comment.yml

Lines changed: 7 additions & 0 deletions
@@ -4,13 +4,18 @@ on:
44
issue_comment:
55
types: [created]
66

7+
permissions:
8+
contents: read
9+
710
jobs:
811
trigger-check:
912
if: |
1013
github.event.issue.pull_request &&
1114
contains(github.event.comment.body, '/run-full-ci') &&
1215
github.event.comment.author_association == 'OWNER'
1316
runs-on: ubuntu-latest
17+
permissions:
18+
pull-requests: read
1419
outputs:
1520
pr_head_sha: ${{ steps.pr.outputs.pr_head_sha }}
1621
pr_head_repo: ${{ steps.pr.outputs.pr_head_repo }}
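Review bot: the job-level block at lines 17-18 gives `trigger-check` only `pull-requests: read`, and because a job-level `permissions` block replaces the workflow-level set rather than merging with it, this job now has `contents: none`; if any of its steps runs `actions/checkout` (the `pr_head_sha`/`pr_head_repo` outputs suggest a checkout somewhere in this workflow), add `contents: read` alongside `pull-requests: read`. The narrowing is most valuable in this file: on `issue_comment` the token is otherwise write-capable, so keeping the `author_association == 'OWNER'` guard and the minimal scopes together is the right combination.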
@@ -42,6 +47,8 @@ jobs:
4247
comment-result:
4348
needs: [trigger-check, full-ci]
4449
runs-on: ubuntu-latest
50+
permissions:
51+
pull-requests: write
4552
# if the trigger-check job ran (i.e., the comment was valid)
4653
if: needs.trigger-check.result != 'skipped'
4754
steps:
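Review bot: `pull-requests: write` at lines 50-51 is the minimal scope for posting the result comment, but the job's `if: needs.trigger-check.result != 'skipped'` contains no status-check function, so GitHub implicitly ANDs it with `success()` and `comment-result` is skipped whenever `full-ci` fails, which is exactly the case where a comment is most useful. Compare `full-ci-manual.yml`, which uses `if: always()`; suggest `if: always() && needs.trigger-check.result != 'skipped'` and having the script report `needs.full-ci.result` in the message.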

.github/workflows/full-ci-manual.yml

Lines changed: 7 additions & 0 deletions
@@ -8,9 +8,14 @@ on:
88
required: true
99
type: string
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215
get-pr-info:
1316
runs-on: ubuntu-latest
17+
permissions:
18+
pull-requests: read
1419
outputs:
1520
head_sha: ${{ steps.pr-info.outputs.head_sha }}
1621
head_repo: ${{ steps.pr-info.outputs.head_repo }}
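Review bot: `pull-requests: read` at lines 17-18 is sufficient for `get-pr-info` to resolve `head_sha`/`head_repo` from the PR number through the API, and since the job only reads metadata, losing `contents` here (the job-level block sets every unlisted scope to `none`) is fine. Missing documentation: a comment noting that downstream jobs check out `head_repo` at `head_sha`, i.e. code from an external fork run under a manually triggered workflow with a full-powered token, would make it clear why those jobs should keep narrow scopes and why the SHA, not the branch name, is what gets checked out.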
@@ -42,6 +47,8 @@ jobs:
4247
needs: [get-pr-info, full-ci]
4348
if: always()
4449
runs-on: ubuntu-latest
50+
permissions:
51+
pull-requests: write
4552
steps:
4653
- name: Comment on PR
4754
uses: actions/github-script@v7
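Review bot: with `if: always()` this job runs even when `get-pr-info` failed, in which case the `Comment on PR` script sees empty `needs.get-pr-info.outputs`; the script should guard that path, or the `if` should also require `needs.get-pr-info.result == 'success'`, rather than posting a comment with blank fields. Separately, this is the only job in the workflow holding a write scope (lines 50-51), so pinning `actions/github-script@v7` to a full commit SHA, with the tag kept in a trailing comment, would tighten the supply chain where it matters most.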

custom_components/reflex_clerk_api/clerk_provider.py

Lines changed: 3 additions & 2 deletions
@@ -9,7 +9,7 @@
99
import authlib.jose.errors as jose_errors
1010
import clerk_backend_api
1111
import reflex as rx
12-
from authlib.jose import JWTClaims, jwt
12+
from authlib.jose import JsonWebKey, JWTClaims, jwt
1313
from reflex.event import EventCallback, EventType, IndividualEventType
1414
from reflex.utils.exceptions import ImmutableStateError
1515

@@ -127,9 +127,10 @@ async def set_clerk_session(self, token: str) -> EventType:
127127
"""
128128
logging.debug("Setting Clerk session")
129129
jwks = await self._get_jwk_keys()
130+
key_set = JsonWebKey.import_key_set({"keys": jwks})
130131
try:
131132
decoded: JWTClaims = jwt.decode(
132-
token, {"keys": jwks}, claims_options=self._claims_options
133+
token, key_set, claims_options=self._claims_options
133134
)
134135
except jose_errors.DecodeError as e:
135136
# E.g. DecodeError -- Something went wrong just getting the JWT
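Review bot: `JsonWebKey.import_key_set({"keys": jwks})` at new line 130 sits outside the `try:`, so if it raises on an empty or malformed JWKS returned by `_get_jwk_keys()` (authlib raises `ValueError` for a key entry it cannot import), that failure escapes as an unhandled exception instead of following the `DecodeError` path below; either move the call inside the `try:` with its own `except`, or validate that `jwks` is a non-empty list before importing. Also, the key set is rebuilt on every `set_clerk_session` call; if `_get_jwk_keys()` caches the fetched JWKS, cache the imported `KeySet` next to it so the same parse is not repeated on every login.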

uv.lock

Lines changed: 1349 additions & 948 deletions
Some generated files are not rendered by default.
