-
Notifications
You must be signed in to change notification settings - Fork 25
SP-4167: Improve settings file loading #209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
a93a46d
3d32828
2ff8271
ed44614
e5d4072
7e336b3
ea6e658
88a69db
2a5631d
c083e57
6e19d36
2cc35ba
1c2b3a6
457fa4e
4032746
1fbca05
d1af8ae
bc325b8
1c99c28
e4fb005
c3f9e2d
098efd4
50f2854
2274e90
3629f54
29fd7e6
4c0176a
ba514ca
2c6acd7
0f2ed9e
d6990f9
d69142c
8bf9227
5111381
e083689
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -24,11 +24,11 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/container-publish-ghcr.yml"
echo "== File = $FILE =="
wc -l "$FILE"
echo
echo "== uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true
echo
echo "== Check referenced line ranges (27,31,45,50,63,70,85,92,107,114) =="
python3 - <<'PY'
import itertools, re, pathlib
p=pathlib.Path(".github/workflows/container-publish-ghcr.yml")
lines=p.read_text().splitlines()
targets=[27,31,45,50,63,70,85,92,107,114]
for t in targets:
i=t-1
if 0<=i<len(lines):
print(f"--- line {t} ---")
for j in range(max(0,i-2), min(len(lines), i+3)):
mark=">>" if j==i else " "
print(f"{mark}{j+1:4d}: {lines[j]}")
PYRepository: scanoss/scanoss.py Length of output: 3045 Pin immutable SHA GitHub Actions in this publish workflow. All 🧰 Tools🪛 zizmor (1.25.2)[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
|
|
||
| # Setup and build python package | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.9.x' | ||
|
|
||
|
|
@@ -42,12 +42,12 @@ jobs: | |
|
|
||
| # Add support for more platforms with QEMU | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| uses: docker/setup-qemu-action@v4 | ||
|
|
||
| # Workaround: https://github.com/docker/build-push-action/issues/461 | ||
| # uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf | ||
| - name: Setup Docker buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
| uses: docker/setup-buildx-action@v4 | ||
|
|
||
| # Login against a Docker registry except on PR | ||
| - name: Log into registry ${{ env.REGISTRY }} | ||
|
|
@@ -60,14 +60,14 @@ jobs: | |
| # Extract metadata (tags, labels) for Docker | ||
| - name: Extract Docker metadata - no entrypoint | ||
| id: meta-ne | ||
| uses: docker/metadata-action@v4 | ||
| uses: docker/metadata-action@v6 | ||
| with: | ||
| images: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME_BASE }}" | ||
|
|
||
| # Build and push Docker image with Buildx (don't push on PR) | ||
| - name: Build and push Docker image - Base (no entrypoint) | ||
| id: build-and-push-ne | ||
| uses: docker/build-push-action@v5 | ||
| uses: docker/build-push-action@v7 | ||
| with: | ||
| context: . | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
|
|
@@ -82,14 +82,14 @@ jobs: | |
| # Extract metadata (tags, labels) for Docker | ||
| - name: Extract Docker metadata - jenkins | ||
| id: meta-je | ||
| uses: docker/metadata-action@v4 | ||
| uses: docker/metadata-action@v6 | ||
| with: | ||
| images: "${{ env.REGISTRY }}/${{ env.IMAGE_JENKINS }}" | ||
|
|
||
| # Build and push Docker image with Buildx (don't push on PR) | ||
| - name: Build and push Docker image - Jenkins | ||
| id: build-and-push-je | ||
| uses: docker/build-push-action@v5 | ||
| uses: docker/build-push-action@v7 | ||
| with: | ||
| context: . | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
|
|
@@ -104,14 +104,14 @@ jobs: | |
| # Extract metadata (tags, labels) for Docker | ||
| - name: Extract Docker metadata - entrypoint | ||
| id: meta | ||
| uses: docker/metadata-action@v4 | ||
| uses: docker/metadata-action@v6 | ||
| with: | ||
| images: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" | ||
|
|
||
| # Build and push Docker image with Buildx (don't push on PR) | ||
| - name: Build and push Docker image - EP (entrypoint) | ||
| id: build-and-push | ||
| uses: docker/build-push-action@v5 | ||
| uses: docker/build-push-action@v7 | ||
| with: | ||
| context: . | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -20,10 +20,10 @@ jobs: | |
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Pin 🧰 Tools🪛 zizmor (1.25.2)[warning] 23-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: "3.9.x" | ||
|
|
||
|
|
@@ -36,7 +36,7 @@ jobs: | |
| run: make dist | ||
|
|
||
| - name: Install Test Package | ||
| uses: nick-fields/retry@v3 | ||
| uses: nick-fields/retry@v4 | ||
| with: | ||
| timeout_minutes: 2 | ||
| retry_wait_seconds: 10 | ||
|
|
@@ -103,6 +103,18 @@ jobs: | |
| exit 1 | ||
| fi | ||
|
|
||
| - name: Run Tests HPFM | ||
| run: | | ||
| which scanoss-py | ||
| scanoss-py version | ||
| scanoss-py fh -o hpfm-hashes.json tests | ||
| hash_names=$(cat hpfm-hashes.json | grep 'sim_hash_names') | ||
| echo "Sim Hash: $hash_names" | ||
| if [ "$hash_names" = "" ]; then | ||
| echo "Error: Folder hash failed to generate HPFM hashes. Failing." | ||
| exit 1 | ||
| fi | ||
|
coderabbitai[bot] marked this conversation as resolved.
|
||
|
|
||
| - name: Run Unit Tests | ||
| run: | | ||
| python -m unittest | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,10 +14,10 @@ jobs: | |
| deploy: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Release workflow actions must be SHA-pinned.
🧰 Tools🪛 zizmor (1.25.2)[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.9.x' | ||
|
|
||
|
|
@@ -69,7 +69,7 @@ jobs: | |
|
|
||
| - name: Create Draft Release ${{ github.ref_type }} - ${{ github.ref_name }} | ||
| if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v') | ||
| uses: softprops/action-gh-release@v1 | ||
| uses: softprops/action-gh-release@v3 | ||
| with: | ||
| draft: true | ||
| files: dist/* | ||
|
|
@@ -79,15 +79,15 @@ jobs: | |
| needs: [deploy] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.9.x' | ||
|
|
||
| - name: Install Remote Package | ||
| uses: nick-fields/retry@v3 | ||
| uses: nick-fields/retry@v4 | ||
| with: | ||
| timeout_minutes: 3 | ||
| retry_wait_seconds: 10 | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,10 +13,10 @@ jobs: | |
| deploy: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/python-publish-testpypi.yml"
echo "== File: $FILE =="
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE"
exit 1
fi
# Show file with line numbers
nl -ba "$FILE" | sed -n '1,120p'
echo
echo "== All uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true
echo
echo "== uses: lines with actions/checkout@ or actions/* around likely lines =="
nl -ba "$FILE" | awk '($2 ~ /uses:/) {print}'Repository: scanoss/scanoss.py Length of output: 182 🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/python-publish-testpypi.yml"
echo "== File: $FILE =="
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE"
exit 1
fi
echo "== File first 120 lines (with line numbers via cat -n) =="
cat -n "$FILE" | sed -n '1,120p'
echo
echo "== All uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true
echo
echo "== uses: lines with actions/checkout@ or other actions/* (context) =="
rg -n "^\s*uses:\s*actions/" "$FILE" || true
echo
echo "== Exact lines 10-25, 60-75 for the originally referenced locations =="
awk 'NR>=10 && NR<=25 {printf "%6d %s\n", NR, $0} NR>=60 && NR<=75 {printf "%6d %s\n", NR, $0}' "$FILE"Repository: scanoss/scanoss.py Length of output: 5336 Pin GitHub Actions to immutable commit SHAs in TestPyPI workflow (avoid 🧰 Tools🪛 zizmor (1.25.2)[warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.9.x' | ||
|
|
||
|
|
@@ -63,10 +63,10 @@ jobs: | |
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.9.x' | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -20,11 +20,11 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/scanoss.yml"
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE" >&2
exit 1
fi
nl -ba "$FILE" | sed -n '1,120p'Repository: scanoss/scanoss.py Length of output: 106 🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/scanoss.yml"
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE" >&2
exit 1
fi
# Print around the referenced lines (23 and 27)
cat -n "$FILE" | sed -n '15,40p'Repository: scanoss/scanoss.py Length of output: 594 🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/scanoss.yml"
rg -n '^\s*uses:\s*' "$FILE" || trueRepository: scanoss/scanoss.py Length of output: 141 Pin checkout and SCANOSS action refs to immutable commit SHAs. In 🧰 Tools🪛 zizmor (1.25.2)[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
|
|
||
| - name: Run SCANOSS Code Scan | ||
| id: scanoss-code-scan-step | ||
| uses: scanoss/code-scan-action@v1 | ||
| uses: scanoss/gha-code-scan@v1 | ||
| with: | ||
| policies: undeclared | ||
| api.url: https://api.scanoss.com/scan/direct | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,12 +16,13 @@ jobs: | |
| version-tagging: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
# Locate the workflow file
ls -la .github/workflows/version-tag.yml
# Print relevant sections around the cited lines
nl -ba .github/workflows/version-tag.yml | sed -n '1,120p'Repository: scanoss/scanoss.py Length of output: 206 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== Workflow file ==="
ls -la .github/workflows/version-tag.yml
echo "=== Lines 1-120 (with numbers via cat -n) ==="
cat -n .github/workflows/version-tag.yml | sed -n '1,120p'
echo "=== Grep for checkout/setup-python and token/persist-credentials ==="
rg -n "uses:\s*(actions/checkout|actions/setup-python)|token:\s*\$\{\{\s*secrets\.|persist-credentials:" .github/workflows/version-tag.yml || trueRepository: scanoss/scanoss.py Length of output: 1774 🌐 Web query:
💡 Result: The default value for the Citations:
Pin
Also applies to: 24-24 🧰 Tools🪛 zizmor (1.25.2)[warning] 19-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
| with: | ||
| fetch-depth: "0" | ||
| token: ${{ secrets.SC_GH_TAG_TOKEN }} | ||
|
coderabbitai[bot] marked this conversation as resolved.
|
||
| persist-credentials: false | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.9.x' | ||
| - name: Determine Tag | ||
|
|
@@ -34,9 +35,12 @@ jobs: | |
| - name: Apply Tag | ||
| if: ${{ inputs.run_for_real }} | ||
| id: taggerApply | ||
| env: | ||
| TAG_TOKEN: ${{ secrets.SC_GH_TAG_TOKEN }} | ||
| run: | | ||
| echo "Applying tag ${{env.package_app_version}} ..." | ||
| git tag "${{env.package_app_version}}" | ||
| echo "Pushing changes..." | ||
| git remote set-url origin "https://x-access-token:${TAG_TOKEN}@github.com/${{ github.repository }}" | ||
| git push --tags | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,4 +22,4 @@ | |
| THE SOFTWARE. | ||
| """ | ||
|
|
||
| __version__ = '1.53.1' | ||
| __version__ = '1.54.0' | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🏁 Script executed:
Repository: scanoss/scanoss.py
Length of output: 198
🏁 Script executed:
Repository: scanoss/scanoss.py
Length of output: 5234
Pin GitHub Actions
uses:references to immutable commit SHAsThese steps are tag-pinned (
@v6/@v4/@v7) in.github/workflows/container-local-test.yml(lines 24, 28, 41, 46, 57, 68), which leaves the workflow exposed to upstream tag retargeting. Pin them to full commit SHAs for the same actions.Suggested hardening pattern
🧰 Tools
🪛 zizmor (1.25.2)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents