-
Notifications
You must be signed in to change notification settings - Fork 0
3.0 #9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3.0 #9
Changes from all commits
6e43ad6
f1e2056
1bc6a0f
9d36d2e
5acee70
2b456f0
e24764b
83d3081
fcefadf
7596d51
4648ded
c33d410
21a3c3f
4b98ec9
78f0bda
5371e89
1e5c426
c18250c
51e30b8
86666f8
230e1dd
313bdd5
f0b2bb5
03d0088
c9c3ad2
e0e80d7
aed1f9d
6ace3e1
4a22cea
9b86554
cc6010a
53e5158
3c35a17
b5535f6
2e3d882
8cd1896
9596c89
7ac6e9e
0b7763a
e638707
08485c2
a6586a6
d504772
ba933d3
d62fd09
54f8d08
c0b9355
f5a89eb
c1dff56
48f8513
2d8bf15
5872a10
b77975f
b9b3e6e
b0d195c
0dbde68
b2bc6e3
af8a457
a0235e1
15b14bd
de0bd74
e84fd05
9cde3a1
f536d81
54e116d
a0b1f54
fc1e857
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| name: Build and deploy Diplodoc docs | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - "docs/**" | ||
| - "docs/.yfm" | ||
| - "package.json" | ||
| - "package-lock.json" | ||
| - ".github/workflows/docs.yml" | ||
|
|
||
| pull_request: | ||
| paths: | ||
| - "docs/**" | ||
| - "docs/.yfm" | ||
| - "package.json" | ||
| - "package-lock.json" | ||
| - ".github/workflows/docs.yml" | ||
|
|
||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pages: write | ||
| id-token: write | ||
|
|
||
| concurrency: | ||
| group: github-pages-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build Diplodoc | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/docs.yml"
echo "== File: $FILE =="
[ -f "$FILE" ] || { echo "Missing $FILE"; exit 1; }
nl -ba "$FILE" | sed -n '1,140p'
echo
echo "== Extract all uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true
echo
echo "== Check for SHA-pinned format (actions/*@<40-hex>) =="
python3 - <<'PY'
import re, pathlib
p = pathlib.Path(".github/workflows/docs.yml")
txt = p.read_text()
uses = []
for m in re.finditer(r'(?m)^\s*uses:\s*([^\s#]+)', txt):
uses.append((m.group(0).split(':',1)[0].strip(), m.group(1)))
pat = re.compile(r'@([0-9a-f]{40})$')
for full, ref in uses:
if '@' in ref and pat.search(ref):
print("SHA pinned:", ref)
else:
print("NOT SHA pinned:", ref)
PYRepository: m-xim/aiogram-webhook Length of output: 165 🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/docs.yml"
echo "== File exists? $FILE =="
[ -f "$FILE" ] && echo "YES" || { echo "NO"; exit 1; }
echo
echo "== Show lines 1-140 (numbered) =="
cat -n "$FILE" | sed -n '1,140p'
echo
echo "== uses: entries =="
rg -n "^[[:space:]]*uses:[[:space:]]*" "$FILE" || true
echo
echo "== SHA-pinning check for actions/*@<40-hex> =="
python3 - <<'PY'
import re, pathlib
p = pathlib.Path(".github/workflows/docs.yml")
txt = p.read_text()
uses = []
for m in re.finditer(r'(?m)^\s*uses:\s*([^\s#]+)', txt):
uses.append(m.group(1).strip())
sha_pat = re.compile(r'@([0-9a-f]{40})$')
for ref in uses:
m = sha_pat.search(ref)
if m:
print(f"SHA pinned: {ref}")
else:
print(f"NOT SHA pinned: {ref}")
PY
echo
echo "== Show referenced lines (40,45,53,69,90) =="
for L in 40 45 53 69 90; do
echo "--- $L ---"
sed -n "${L}p" "$FILE" | cat -n
doneRepository: m-xim/aiogram-webhook Length of output: 3577 Pin GitHub Actions by commit SHA in
🧰 Tools🪛 zizmor (1.25.2)[error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
| with: | ||
| fetch-depth: 0 | ||
|
Comment on lines
+39
to
+42
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Disable persisted checkout credentials in the build job. Use Suggested fix - name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false🧰 Tools🪛 zizmor (1.25.2)[warning] 39-42: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 24 | ||
|
|
||
| - name: Install project dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Configure GitHub Pages | ||
| uses: actions/configure-pages@v5 | ||
|
|
||
| - name: Build docs | ||
| env: | ||
| GITHUB_OWNER: ${{ github.repository_owner }} | ||
| GITHUB_REPO: ${{ github.event.repository.name }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITHUB_BASE_URL: https://api.github.com | ||
| VCS_CONNECTOR_TYPE: github | ||
| VCS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: npm run build | ||
|
|
||
| - name: Disable Jekyll | ||
| run: touch ./docs-html/.nojekyll | ||
|
|
||
| - name: Upload GitHub Pages artifact | ||
| uses: actions/upload-pages-artifact@v3 | ||
| with: | ||
| path: "./docs-html" | ||
|
|
||
| deploy: | ||
| name: Deploy to GitHub Pages | ||
| needs: build | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | ||
|
|
||
| permissions: | ||
| pages: write | ||
| id-token: write | ||
|
|
||
| environment: | ||
| name: github-pages | ||
| url: ${{ steps.deployment.outputs.page_url }} | ||
|
|
||
| steps: | ||
| - name: Deploy to GitHub Pages | ||
| id: deployment | ||
| uses: actions/deploy-pages@v4 | ||
|
m-xim marked this conversation as resolved.
|
||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -1,54 +1,54 @@ | ||||||||||||||||||||||||
| name: Release & Publish | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| on: workflow_dispatch | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||
| release: | ||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||
| concurrency: | ||||||||||||||||||||||||
| group: ${{ github.workflow }}-release-${{ github.ref_name }} | ||||||||||||||||||||||||
| cancel-in-progress: true | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||
| id-token: write | ||||||||||||||||||||||||
| contents: write | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||
| - name: 🛎️ Checkout repository | ||||||||||||||||||||||||
| uses: actions/checkout@v6 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| ref: ${{ github.ref_name }} | ||||||||||||||||||||||||
| fetch-depth: 0 | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| - name: 🏷️ Semantic Version Release | ||||||||||||||||||||||||
| id: release | ||||||||||||||||||||||||
| uses: python-semantic-release/python-semantic-release@v10.5.3 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||
| git_committer_name: "github-actions" | ||||||||||||||||||||||||
| git_committer_email: "actions@users.noreply.github.com" | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| - name: 🐍 Setup uv & venv | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| uses: astral-sh/setup-uv@v7 | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| - name: 📦 Update uv.lock | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| run: uv lock | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| - name: 🏗️ Build package (sdist & wheel) | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| run: uv build --no-sources | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| - name: 🚀 Publish | Upload to GitHub Release Assets | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| uses: python-semantic-release/publish-action@v10.5.3 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||
| tag: ${{ steps.release.outputs.tag }} | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| - name: 🐍 Publish to PyPI | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| env: | ||||||||||||||||||||||||
| UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }} | ||||||||||||||||||||||||
| run: uv publish | ||||||||||||||||||||||||
| name: Release & Publish | ||||||||||||||||||||||||
|
coderabbitai[bot] marked this conversation as resolved.
|
||||||||||||||||||||||||
| on: workflow_dispatch | ||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||
| release: | ||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||
| concurrency: | ||||||||||||||||||||||||
| group: ${{ github.workflow }}-release-${{ github.ref_name }} | ||||||||||||||||||||||||
| cancel-in-progress: true | ||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||
| id-token: write | ||||||||||||||||||||||||
| contents: write | ||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||
| - name: 🛎️ Checkout repository | ||||||||||||||||||||||||
| uses: actions/checkout@v6 | ||||||||||||||||||||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/release.yml"
echo "== File = $FILE =="
if [ ! -f "$FILE" ]; then
echo "Missing: $FILE"
exit 1
fi
nl -ba "$FILE" | sed -n '1,200p'
echo
echo "== uses: entries =="
rg -n --no-heading "uses:\s*[^@]+@(.+)$" "$FILE" || true
echo
echo "== uses: entries with non-SHA refs =="
# Heuristic: commit SHAs are typically 40 hex chars (or shorter if tags), so flag refs that aren't 40-hex.
rg -n --no-heading "uses:\s*[^@]+@([0-9a-fA-F]{40})\b" "$FILE" || true
# Print all uses again with ref values
rg -n --no-heading "uses:\s*([^@]+)@(.+)$" "$FILE" | sed -E 's/uses:[[:space:]]*([^@]+)@(.+)/\1@\2/' || trueRepository: m-xim/aiogram-webhook Length of output: 170 🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/release.yml"
echo "== Check file exists =="
ls -la "$FILE" || { echo "Missing: $FILE"; exit 1; }
echo
echo "== File head (with line numbers) =="
cat -n "$FILE" | sed -n '1,200p'
echo
echo "== All uses: entries =="
rg -n --no-heading '^\s*uses:\s*[^@]+@(.+)$' "$FILE" || true
echo
echo "== uses: entries with refs that look like commit SHAs (40 hex) =="
rg -n --no-heading '^\s*uses:\s*[^@]+@[0-9a-fA-F]{40}\b' "$FILE" || trueRepository: m-xim/aiogram-webhook Length of output: 2530 Pin workflow actions to immutable SHAs. The workflow uses version tags (not commit SHAs) for multiple actions—e.g., 🧰 Tools🪛 zizmor (1.25.2)[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| ref: ${{ github.ref_name }} | ||||||||||||||||||||||||
| fetch-depth: 0 | ||||||||||||||||||||||||
|
Comment on lines
+17
to
+21
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Harden checkout by disabling credential persistence. Set Suggested fix - name: 🛎️ Checkout repository
uses: actions/checkout@v6
with:
ref: ${{ github.ref_name }}
fetch-depth: 0
+ persist-credentials: false📝 Committable suggestion
Suggested change
🧰 Tools🪛 zizmor (1.25.2)[warning] 17-21: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||
| - name: 🏷️ Semantic Version Release | ||||||||||||||||||||||||
| id: release | ||||||||||||||||||||||||
| uses: python-semantic-release/python-semantic-release@v10.5.3 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||
| git_committer_name: "github-actions" | ||||||||||||||||||||||||
| git_committer_email: "actions@users.noreply.github.com" | ||||||||||||||||||||||||
| - name: 🐍 Setup uv & venv | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| uses: astral-sh/setup-uv@v8.1.0 | ||||||||||||||||||||||||
| - name: 📦 Update uv.lock | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| run: uv lock | ||||||||||||||||||||||||
| - name: 🏗️ Build package (sdist & wheel) | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| run: uv build --no-sources | ||||||||||||||||||||||||
| - name: 🚀 Publish | Upload to GitHub Release Assets | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| uses: python-semantic-release/publish-action@v10.5.3 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||
| tag: ${{ steps.release.outputs.tag }} | ||||||||||||||||||||||||
| - name: 🐍 Publish to PyPI | ||||||||||||||||||||||||
| if: steps.release.outputs.released == 'true' | ||||||||||||||||||||||||
| env: | ||||||||||||||||||||||||
| UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }} | ||||||||||||||||||||||||
| run: uv publish | ||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,42 +1,47 @@ | ||
| name: Tests | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, develop] | ||
| pull_request: | ||
| branches: [main, develop] | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| lint-and-test: | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] | ||
| fail-fast: false | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
|
|
||
| - name: Install uv and set the python version | ||
| uses: astral-sh/setup-uv@v7 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Install the project | ||
| run: uv sync --all-extras | ||
|
|
||
| - name: Run Ruff | ||
| run: uv run ruff check --output-format=github . | ||
|
|
||
| - name: Run Ty (type checker) | ||
| run: uv run ty check --output-format=github . | ||
|
|
||
| - name: Run pytest | ||
| run: uv run pytest | ||
| name: Tests | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, develop] | ||
| pull_request: | ||
| branches: [main, develop] | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| lint-and-test: | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] | ||
| fail-fast: false | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
|
|
||
| - name: Install uv and set the python version | ||
| uses: astral-sh/setup-uv@v8.1.0 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Install the project | ||
| run: uv sync --all-extras | ||
|
|
||
| - name: Run Ruff | ||
| run: uv run ruff check --output-format=github . | ||
|
|
||
| - name: Run Ty (type checker) | ||
| run: uv run ty check --output-format=github . | ||
|
|
||
| - name: Run pytest | ||
| run: uv run pytest --cov --cov-branch --cov-report=xml | ||
|
|
||
| - name: Upload results to Codecov | ||
| uses: codecov/codecov-action@v5 | ||
| with: | ||
| token: ${{ secrets.CODECOV_TOKEN }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reduce workflow-level token scope to least privilege.
pages: writeandid-token: writeat workflow scope are broader than necessary; onlydeployneeds them.Suggested fix
🧰 Tools
🪛 zizmor (1.25.2)
[error] 26-26: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level
(excessive-permissions)
[error] 27-27: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level
(excessive-permissions)
🤖 Prompt for AI Agents
Source: Linters/SAST tools