diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 393ddfc2..7ae21735 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -20,7 +20,7 @@ jobs:
# only use hashes to pick the action to execute (instead of tags or branches).
# For more details read:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # 6.0.1
+ uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
dot: true
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index f9600016..deaf4c29 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -2,12 +2,10 @@
## Summary
-
+This release improves workflows security, adds a black migration workflow, and fixes failed migrations from version v0.16.0.
## Upgrading
-
-
### Cookiecutter template
All upgrading should be done via the migration script or regenerating the templates.
@@ -18,20 +16,16 @@ curl -sSLf https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config
But you might still need to adapt your code:
-
-
## New Features
-
-
### Cookiecutter template
- Add a `black-migration.yaml` workflow that automatically reformats code when Dependabot upgrades `black`.
## Bug Fixes
-
-
### Cookiecutter template
- Fix migration of CI workflow matrices that used `arch`/`os` dimensions with values different from the default template. The v0.16.0 migration relied on exact string matching, so projects with customized matrix items (for example `arch: [amd64]`, `os: [ubuntu-24.04]`) could be left only partially migrated. The new migration step rebuilds the `platform` entries from the existing `arch`/`os` values and only rewrites `runs-on` when it still points to the old matrix keys.
+- Improve workflows security: tighten permissions, avoid potential shell injection, run Python in isolated mode, pin all dependencies using the SHA hash.
+- The unused cross-arch QEMU-based testing infrastructure has been removed. The `.github/containers/nox-cross-arch/` and `.github/containers/test-installation/` directories, as well as the "Cross-Arch Testing" section in `CONTRIBUTING.md`.
diff --git a/cookiecutter/migrate.py b/cookiecutter/migrate.py
index 2e276b93..33d09e07 100644
--- a/cookiecutter/migrate.py
+++ b/cookiecutter/migrate.py
@@ -109,7 +109,7 @@
- name: Migrate
uses: frequenz-floss/gh-action-dependabot-migrate@"""
# Broken just to avoid flake8 maximum line length check
- """b389f72f9282346920150a67495efbae450ac07b # v1.1.0"
+ """b389f72f9282346920150a67495efbae450ac07b # v1.1.0
with:
migration-script: |
import os
diff --git a/cookiecutter/{{cookiecutter.github_repo_name}}/pyproject.toml b/cookiecutter/{{cookiecutter.github_repo_name}}/pyproject.toml
index e2b98382..036b8cb7 100644
--- a/cookiecutter/{{cookiecutter.github_repo_name}}/pyproject.toml
+++ b/cookiecutter/{{cookiecutter.github_repo_name}}/pyproject.toml
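Review bot: The stray `"` removed from the `# v1.1.0` line is exactly the slip the split around the `# Broken just to avoid flake8 maximum line length check` comment invites: the closing `"""` sits on a line that otherwise reads as YAML, so a mistyped character lands inside the generated migration workflow instead of failing when the module is imported. A comment above the SHA line would make the intent explicit, for instance `# The commit SHA is the real pin; the trailing "# v1.1.0" comment is informational and must be bumped together with the hash.` As far as I know Dependabot keeps that version comment in step with the hash when it bumps a SHA-pinned action, so the comment needs to stay in the form Dependabot recognises. If the test suite does not already render this snippet and parse it as YAML, a small regression check doing so would have caught the extra quote; I cannot tell from the hunk whether one exists. The definition holding this string starts and ends outside the hunk.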
@@ -5,7 +5,7 @@ requires = [
"setuptools == 80.9.0",
"setuptools_scm[toml] == 8.1.0",
- "frequenz-repo-config[{{cookiecutter.type}}] == 0.16.0",
+ "frequenz-repo-config[{{cookiecutter.type}}] == 0.17.0",
{%- if cookiecutter.type == "api" %}
# We need to pin the protobuf, grpcio and grpcio-tools dependencies to make
# sure the code is generated using the minimum supported versions, as older
@@ -104,7 +104,7 @@ dev-mkdocs = [
"mkdocs-material == 9.6.18",
"mkdocstrings[python] == 1.0.0",
"mkdocstrings-python == 2.0.1",
- "frequenz-repo-config[{{cookiecutter.type}}] == 0.16.0",
+ "frequenz-repo-config[{{cookiecutter.type}}] == 0.17.0",
]
dev-mypy = [
"mypy == 1.9.0",
@@ -117,7 +117,7 @@ dev-mypy = [
]
dev-noxfile = [
"nox == 2025.5.1",
- "frequenz-repo-config[{{cookiecutter.type}}] == 0.16.0",
+ "frequenz-repo-config[{{cookiecutter.type}}] == 0.17.0",
]
dev-pylint = [
# dev-pytest already defines a dependency to pylint because of the examples
@@ -127,7 +127,7 @@ dev-pylint = [
dev-pytest = [
"pytest == 8.4.1",
"pylint == 3.3.8", # We need this to check for the examples
- "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+ "frequenz-repo-config[extra-lint-examples] == 0.17.0",
{%- if cookiecutter.type != "api" %}
"pytest-mock == 3.14.0",
"pytest-asyncio == 1.1.0",
diff --git a/tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/pyproject.toml b/tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/pyproject.toml
index d487fb2b..c7da5a46 100644
--- a/tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/pyproject.toml
+++ b/tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/pyproject.toml
@@ -5,7 +5,7 @@ requires = [
"setuptools == 80.9.0",
"setuptools_scm[toml] == 8.1.0",
- "frequenz-repo-config[actor] == 0.16.0",
+ "frequenz-repo-config[actor] == 0.17.0",
]
build-backend = "setuptools.build_meta"
@@ -61,7 +61,7 @@ dev-mkdocs = [
"mkdocs-material == 9.6.18",
"mkdocstrings[python] == 1.0.0",
"mkdocstrings-python == 2.0.1",
- "frequenz-repo-config[actor] == 0.16.0",
+ "frequenz-repo-config[actor] == 0.17.0",
]
dev-mypy = [
"mypy == 1.9.0",
@@ -71,7 +71,7 @@ dev-mypy = [
]
dev-noxfile = [
"nox == 2025.5.1",
- "frequenz-repo-config[actor] == 0.16.0",
+ "frequenz-repo-config[actor] == 0.17.0",
]
dev-pylint = [
# dev-pytest already defines a dependency to pylint because of the examples
@@ -81,7 +81,7 @@ dev-pylint = [
dev-pytest = [
"pytest == 8.4.1",
"pylint == 3.3.8", # We need this to check for the examples
- "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+ "frequenz-repo-config[extra-lint-examples] == 0.17.0",
"pytest-mock == 3.14.0",
"pytest-asyncio == 1.1.0",
"async-solipsism == 0.8",
diff --git a/tests_golden/integration/test_cookiecutter_generation/api/frequenz-api-test/pyproject.toml b/tests_golden/integration/test_cookiecutter_generation/api/frequenz-api-test/pyproject.toml
index 8bff8179..37be5574 100644
--- a/tests_golden/integration/test_cookiecutter_generation/api/frequenz-api-test/pyproject.toml
+++ b/tests_golden/integration/test_cookiecutter_generation/api/frequenz-api-test/pyproject.toml
@@ -5,7 +5,7 @@ requires = [
"setuptools == 80.9.0",
"setuptools_scm[toml] == 8.1.0",
- "frequenz-repo-config[api] == 0.16.0",
+ "frequenz-repo-config[api] == 0.17.0",
# We need to pin the protobuf, grpcio and grpcio-tools dependencies to make
# sure the code is generated using the minimum supported versions, as older
# versions can't work with code that was generated with newer versions.
@@ -72,7 +72,7 @@ dev-mkdocs = [
"mkdocs-material == 9.6.18",
"mkdocstrings[python] == 1.0.0",
"mkdocstrings-python == 2.0.1",
- "frequenz-repo-config[api] == 0.16.0",
+ "frequenz-repo-config[api] == 0.17.0",
]
dev-mypy = [
"mypy == 1.9.0",
@@ -83,7 +83,7 @@ dev-mypy = [
]
dev-noxfile = [
"nox == 2025.5.1",
- "frequenz-repo-config[api] == 0.16.0",
+ "frequenz-repo-config[api] == 0.17.0",
]
dev-pylint = [
# dev-pytest already defines a dependency to pylint because of the examples
@@ -93,7 +93,7 @@ dev-pylint = [
dev-pytest = [
"pytest == 8.4.1",
"pylint == 3.3.8", # We need this to check for the examples
- "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+ "frequenz-repo-config[extra-lint-examples] == 0.17.0",
]
dev = [
"frequenz-api-test[dev-mkdocs,dev-flake8,dev-formatting,dev-mkdocs,dev-mypy,dev-noxfile,dev-pylint,dev-pytest]",
diff --git a/tests_golden/integration/test_cookiecutter_generation/app/frequenz-app-test/pyproject.toml b/tests_golden/integration/test_cookiecutter_generation/app/frequenz-app-test/pyproject.toml
index 9c89d486..b85dd3d8 100644
--- a/tests_golden/integration/test_cookiecutter_generation/app/frequenz-app-test/pyproject.toml
+++ b/tests_golden/integration/test_cookiecutter_generation/app/frequenz-app-test/pyproject.toml
@@ -5,7 +5,7 @@ requires = [
"setuptools == 80.9.0",
"setuptools_scm[toml] == 8.1.0",
- "frequenz-repo-config[app] == 0.16.0",
+ "frequenz-repo-config[app] == 0.17.0",
]
build-backend = "setuptools.build_meta"
@@ -60,7 +60,7 @@ dev-mkdocs = [
"mkdocs-material == 9.6.18",
"mkdocstrings[python] == 1.0.0",
"mkdocstrings-python == 2.0.1",
- "frequenz-repo-config[app] == 0.16.0",
+ "frequenz-repo-config[app] == 0.17.0",
]
dev-mypy = [
"mypy == 1.9.0",
@@ -70,7 +70,7 @@ dev-mypy = [
]
dev-noxfile = [
"nox == 2025.5.1",
- "frequenz-repo-config[app] == 0.16.0",
+ "frequenz-repo-config[app] == 0.17.0",
]
dev-pylint = [
# dev-pytest already defines a dependency to pylint because of the examples
@@ -80,7 +80,7 @@ dev-pylint = [
dev-pytest = [
"pytest == 8.4.1",
"pylint == 3.3.8", # We need this to check for the examples
- "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+ "frequenz-repo-config[extra-lint-examples] == 0.17.0",
"pytest-mock == 3.14.0",
"pytest-asyncio == 1.1.0",
"async-solipsism == 0.8",
diff --git a/tests_golden/integration/test_cookiecutter_generation/lib/frequenz-test-python/pyproject.toml b/tests_golden/integration/test_cookiecutter_generation/lib/frequenz-test-python/pyproject.toml
index 973421cc..dcb5fe33 100644
--- a/tests_golden/integration/test_cookiecutter_generation/lib/frequenz-test-python/pyproject.toml
+++ b/tests_golden/integration/test_cookiecutter_generation/lib/frequenz-test-python/pyproject.toml
@@ -5,7 +5,7 @@ requires = [
"setuptools == 80.9.0",
"setuptools_scm[toml] == 8.1.0",
- "frequenz-repo-config[lib] == 0.16.0",
+ "frequenz-repo-config[lib] == 0.17.0",
]
build-backend = "setuptools.build_meta"
@@ -57,7 +57,7 @@ dev-mkdocs = [
"mkdocs-material == 9.6.18",
"mkdocstrings[python] == 1.0.0",
"mkdocstrings-python == 2.0.1",
- "frequenz-repo-config[lib] == 0.16.0",
+ "frequenz-repo-config[lib] == 0.17.0",
]
dev-mypy = [
"mypy == 1.9.0",
@@ -67,7 +67,7 @@ dev-mypy = [
]
dev-noxfile = [
"nox == 2025.5.1",
- "frequenz-repo-config[lib] == 0.16.0",
+ "frequenz-repo-config[lib] == 0.17.0",
]
dev-pylint = [
# dev-pytest already defines a dependency to pylint because of the examples
@@ -77,7 +77,7 @@ dev-pylint = [
dev-pytest = [
"pytest == 8.4.1",
"pylint == 3.3.8", # We need this to check for the examples
- "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+ "frequenz-repo-config[extra-lint-examples] == 0.17.0",
"pytest-mock == 3.14.0",
"pytest-asyncio == 1.1.0",
"async-solipsism == 0.8",
diff --git a/tests_golden/integration/test_cookiecutter_generation/model/frequenz-model-test/pyproject.toml b/tests_golden/integration/test_cookiecutter_generation/model/frequenz-model-test/pyproject.toml
index af78dadd..541889b5 100644
--- a/tests_golden/integration/test_cookiecutter_generation/model/frequenz-model-test/pyproject.toml
+++ b/tests_golden/integration/test_cookiecutter_generation/model/frequenz-model-test/pyproject.toml
@@ -5,7 +5,7 @@ requires = [
"setuptools == 80.9.0",
"setuptools_scm[toml] == 8.1.0",
- "frequenz-repo-config[model] == 0.16.0",
+ "frequenz-repo-config[model] == 0.17.0",
]
build-backend = "setuptools.build_meta"
@@ -61,7 +61,7 @@ dev-mkdocs = [
"mkdocs-material == 9.6.18",
"mkdocstrings[python] == 1.0.0",
"mkdocstrings-python == 2.0.1",
- "frequenz-repo-config[model] == 0.16.0",
+ "frequenz-repo-config[model] == 0.17.0",
]
dev-mypy = [
"mypy == 1.9.0",
@@ -71,7 +71,7 @@ dev-mypy = [
]
dev-noxfile = [
"nox == 2025.5.1",
- "frequenz-repo-config[model] == 0.16.0",
+ "frequenz-repo-config[model] == 0.17.0",
]
dev-pylint = [
# dev-pytest already defines a dependency to pylint because of the examples
@@ -81,7 +81,7 @@ dev-pylint = [
dev-pytest = [
"pytest == 8.4.1",
"pylint == 3.3.8", # We need this to check for the examples
- "frequenz-repo-config[extra-lint-examples] == 0.16.0",
+ "frequenz-repo-config[extra-lint-examples] == 0.17.0",
"pytest-mock == 3.14.0",
"pytest-asyncio == 1.1.0",
"async-solipsism == 0.8",