Skip to content

Commit 51d237a

Browse files
author
jgstern-agent
committed
fix(release.yml): match ci.yml's pip-audit CVE-ignore for pytest 9.0.2
`ci.yml:287` runs `pip-audit --skip-editable --ignore-vuln CVE-2025-71176` with a comment block explaining the carve-out. `release.yml:103` was running `pip-audit --skip-editable` only — so every release attempt failed the security gate on the identical known advisory that CI has already decided to accept. On the 2.7.0 release, this was the failure: `release.yml`'s `security-audit` step reported Found 1 known vulnerability in 1 package Name Version ID Fix Versions ------ ------- -------------- ------------ pytest 9.0.2 CVE-2025-71176 9.0.3 after the `v2.7.0` tag had already been pushed and the release PR (#3276) had already merged to main. Fix: copy the exact `--ignore-vuln CVE-2025-71176` flag and the full rationale comment from `ci.yml:276–287` into `release.yml:102–115`. The comment documents: CVE is a /tmp/pytest-of-{user} TOCTOU on UNIX; fix is pytest 9.0.3, transitively blocked by syrupy 4.8.0 (hard-pinned by pytest-textual-snapshot 1.1.0); attack boundary is local CI/dev only (pytest is a dev dep, never installed on end-user systems); single-tenant self-hosted runner means practical exploitability is ~0; exit plan is upstream PR Textualize/pytest-textual-snapshot#24. When that merges and a new pytest-textual-snapshot release ships, both ci.yml and release.yml drop the ignore together. Rerun path after merge: workflow-dispatch `release.yml` on `main` with input `version=2.7.0`. The `v2.7.0` tag already points at main's current HEAD (the release PR merge commit `a0f3ac12e`), so a rerun publishes the same release artifacts that the tag-push trigger would have published if the audit had passed the first time. Signed-off-by: jgstern-agent <josh-agent@iterabloom.com>
1 parent 2b71621 commit 51d237a

3 files changed

Lines changed: 21 additions & 3 deletions

File tree

.ci/affected-tests.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
# Test selection manifest
2-
# Generated by smart-test at 2026-04-21T21:25:47-04:00
2+
# Generated by smart-test at 2026-04-21T22:29:13-04:00
33
# Mode: targeted
44
# Baseline: aa6d1c607b0f4ed471aff37c924a45ac8bcd4a77
55
# Reason: version-only __init__.py changes
6-
# Changed files: 22
6+
# Changed files: 23
77
# Changed source files: 6
88
# Selected tests: 6
99
#

.github/workflows/release.yml

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -100,7 +100,19 @@ jobs:
100100
pip install pip-audit bandit pip-licenses
101101
102102
- name: Vulnerability scan (pip-audit)
103-
run: pip-audit --skip-editable
103+
run: |
104+
# CVE-2025-71176: pytest /tmp/pytest-of-{user} TOCTOU on UNIX.
105+
# Fix is pytest 9.0.3, but we are pinned below 9.0.0 transitively by
106+
# syrupy 4.8.0 (hard-pinned by pytest-textual-snapshot 1.1.0).
107+
# Impact assessment: local attack boundary only, reachable solely in
108+
# CI/dev environments — pytest is a dev-only dep, never installed on
109+
# end-user systems running hypergumbo. Our self-hosted runners are
110+
# single-tenant, so practical exploitability is ~0.
111+
# Exit plan: upstream PR to relax the syrupy pin is tracked at
112+
# https://github.com/Textualize/pytest-textual-snapshot/pull/24
113+
# When that merges and a new pytest-textual-snapshot release ships,
114+
# bump pytest to 9.0.3+ and drop this ignore (same in ci.yml).
115+
pip-audit --skip-editable --ignore-vuln CVE-2025-71176
104116
105117
- name: Security linting (Bandit)
106118
run: |

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,12 @@ This changelog tracks the **tool version** (package releases). The **schema vers
1010

1111
## [Unreleased]
1212

13+
### Fixed
14+
15+
#### CI / build system
16+
17+
- **`release.yml` security-audit: `pip-audit` CVE-ignore brought in line with `ci.yml`**: the pre-publish vulnerability scan ran `pip-audit --skip-editable` without the `--ignore-vuln CVE-2025-71176` flag that `ci.yml` already uses, so every release attempt failed the security gate on the known pytest 9.0.2 TOCTOU advisory. Same rationale (dev-only transitive pin from `syrupy 4.8.0` via `pytest-textual-snapshot 1.1.0`, local attack boundary only, single-tenant self-hosted runner) and same exit plan (drop the ignore in both workflows when `Textualize/pytest-textual-snapshot#24` ships). Surfaced when the initial `v2.7.0` tag's `release.yml` run was rejected by the audit step after the release PR had already merged.
18+
1319
## [2.7.0] - 2026-04-21
1420

1521
### Added

0 commit comments

Comments
 (0)