Skip to content

chore(tooling): refresh managed config + source credentials from env#511

Merged
wphillipmoore merged 3 commits into
developfrom
feature/510-vergil-config-refresh
Jun 2, 2026
Merged

chore(tooling): refresh managed config + source credentials from env#511
wphillipmoore merged 3 commits into
developfrom
feature/510-vergil-config-refresh

Conversation

@wphillipmoore-vergil-agent

@wphillipmoore-vergil-agent wphillipmoore-vergil-agent Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Pull Request

Summary

  • Refresh managed config to Vergil tooling v2.0.76 / actions v2.0.26 and remove hard-coded test/example credentials flagged by updated CodeQL/Semgrep rulesets

Issue Linkage

Notes

@wphillipmoore
chore(tooling): refresh managed config to current Vergil tooling/actions
2a1db2f 
Items 1/3/6/7 of the fleet refresh (epic mq-rest-admin-project/.github#14):
marketplace -> vergil-claude-plugin; embed canonical CLAUDE.md template
(+ vrg-docker-run -> vrg-container-run); ignore .vergil/; cd.yml release
uses secrets: inherit (fixes CD startup_failure). Hook guard (item 2)
already landed via #509. audit COMPLIANT; vrg-validate passes. Refs #510.
@wphillipmoore
fix(security): source test and example credentials from the environment
ffa0b7b 
Updated CodeQL/Semgrep rulesets flag hard-coded credentials. Remove all
hard-coded password literals from test and example code:

- tests/pymqrest/{test_auth,test_session,test_ensure,test_sync}.py:
  TEST_PASSWORD now reads MQ_TEST_PASSWORD from the env (defaults empty);
  mock transports ignore the value and assertions compare against the
  same constant.
- examples/*.py __main__ blocks: require MQ_ADMIN_PASSWORD from the env
  instead of defaulting to a hard-coded "mqadmin".

vrg-validate (incl. 100% coverage) passes. Refs #510.
@wphillipmoore
fix(security): use verified SSL context in archived extraction scripts
a18b267 
Semgrep python.lang.security.unverified-ssl-context flagged
ssl._create_unverified_context() in the archived MQSC doc-extraction
scripts. They fetch public IBM docs (https://www.ibm.com/docs, valid
certs), so switch to ssl.create_default_context() — verification works
and the insecure context is removed. Scripts are archived/not run in CI;
change is static-clean for the scanner and more correct if re-run.

Refs #510.
@wphillipmoore wphillipmoore merged commit 2014630 into develop Jun 2, 2026
24 checks passed
@wphillipmoore wphillipmoore deleted the feature/510-vergil-config-refresh branch June 2, 2026 11:35
This was referenced Jun 2, 2026
Closed
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wphillipmoore