Merge pull request #24 from os-climate/enable-security-auditing
Chore: Tweaking security workflow
ModeSevenIndustrialSolutions authored Nov 21, 2023
2 parents f7a5c08 + a735fa4 commit 7202357
Showing 12 changed files with 46 additions and 47 deletions.
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/major-release.md
Expand Up @@ -2,7 +2,7 @@
name: Major release
about: Create a new major release
title: New major release
assignees: 'sesheta'
assignees: "sesheta"
labels: bot
---

2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/minor-release.md
Expand Up @@ -2,7 +2,7 @@
name: Minor release
about: Create a new minor release
title: New minor release
assignees: 'sesheta'
assignees: "sesheta"
labels: bot
---

2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/patch-release.md
Expand Up @@ -2,7 +2,7 @@
name: Patch release
about: Create a new patch release
title: New patch release
assignees: 'sesheta'
assignees: "sesheta"
labels: bot
---

14 changes: 7 additions & 7 deletions .github/workflows/dependencies.yaml
@@ -1,15 +1,15 @@
---
name: '⛔️ Update dependencies'
name: "⛔️ Update dependencies"

# yamllint disable-line rule:truthy
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * MON'
- cron: "0 0 * * MON"

jobs:
update-dependencies:
name: 'Update Python modules'
name: "Update Python modules"
runs-on: ubuntu-latest
permissions:
# IMPORTANT: mandatory to raise the PR
Expand All @@ -24,7 +24,7 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: 'Setup PDM for build commands'
- name: "Setup PDM for build commands"
uses: pdm-project/setup-pdm@v3
with:
version: 2.10.0
Expand All @@ -33,8 +33,8 @@ jobs:
uses: pdm-project/update-deps-action@main
with:
token: ${{ secrets.GH_TOKEN }}
commit-message: 'Chore: Update dependencies and pdm.lock'
pr-title: 'Update Python module dependencies'
commit-message: "Chore: Update dependencies and pdm.lock"
pr-title: "Update Python module dependencies"
update-strategy: eager
# Whether to install PDM plugins before update
install-plugins: 'false'
install-plugins: "false"
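Review bot: `uses: pdm-project/update-deps-action@main` in the hunk at `@@ -33,8 +33,8 @@` tracks a moving branch while the same step receives `secrets.GH_TOKEN`, so whatever lands on that branch next runs in this repository with the token's privileges. Pin the action to an immutable ref, ideally a full commit SHA with the release kept as a trailing comment, `uses: pdm-project/update-deps-action@<commit-sha>  # <release-tag>`; `actions/checkout@v4` and `pdm-project/setup-pdm@v3` in the earlier hunks are at least tag-pinned, which bounds the change to a release. The `permissions:` block that the `# IMPORTANT: mandatory to raise the PR` comment introduces is collapsed between the first and second hunk, so whether it is scoped to the minimum the PR step needs cannot be reviewed here.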
17 changes: 8 additions & 9 deletions .github/workflows/security.yaml
Expand Up @@ -4,7 +4,7 @@
# For more information see:
# https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions

name: '⛔️ Security auditing'
name: "⛔️ Security auditing"

# yamllint disable-line rule:truthy
on:
Expand All @@ -14,29 +14,28 @@ on:

jobs:
build:
name: 'Audit Python dependencies'
name: "Audit Python dependencies"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ['3.9', '3.10', '3.11']
python-version: ["3.9", "3.10", "3.11"]
steps:
- name: 'Checkout repository'
- name: "Checkout repository"
uses: actions/checkout@v4

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}

- name: 'Install dependencies'
- name: "Install dependencies"
run: |
pip install --upgrade pip
python -m pip install -r requirements.txt
python -m pip install .
- name: 'Run: pip-audit'
- name: "Run: pip-audit"
uses: pypa/[email protected]
# with:
# ignore-vulns: |
# PYSEC-2023-163
# ignore-vulns: |
# PYSEC-2023-163
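Review bot: The audit job's own supply chain is pinned only by mutable tags — `actions/checkout@v4`, `actions/setup-python@v4` and `pypa/[email protected]` in the hunk at `@@ -14,29 +14,28 @@` — which is a weaker guarantee than a security workflow should rely on; pin each `uses:` to a full commit SHA and keep the tag as a comment, e.g. `uses: pypa/gh-action-pip-audit@<commit-sha>  # v1.0.8`. The commented-out `ignore-vulns` block keeps a suppressed advisory id (`PYSEC-2023-163`) around with no stated reason or expiry; if it is ever re-enabled, add a comment saying why the finding is accepted and when to revisit it. In the install step, `pip install --upgrade pip` and `python -m pip install ...` mix two ways of invoking pip; using `python -m pip install --upgrade pip` keeps the upgrade on the same interpreter that `setup-python` selected. The `on:` trigger block is collapsed above the second hunk, so whether the audit also runs on a schedule rather than only on pushes cannot be seen here.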
16 changes: 8 additions & 8 deletions .pre-commit-config.yaml
@@ -1,6 +1,6 @@
---
ci:
autofix_commit_msg: 'Chore: pre-commit autoupdate'
autofix_commit_msg: "Chore: pre-commit autoupdate"
skip:
# pre-commit.ci cannot install WGET, so tomlint must be disabled
- tomllint
Expand All @@ -17,7 +17,7 @@ repos:
- repo: local
hooks:
- id: tomllint
name: 'Script: scripts/tomllint.sh'
name: "Script: scripts/tomllint.sh"
language: script
# pass_filenames: false
files: \^*.toml
Expand Down Expand Up @@ -45,7 +45,7 @@ repos:
- id: detect-private-key
- id: end-of-file-fixer
- id: mixed-line-ending
args: ['--fix=lf']
args: ["--fix=lf"]
- id: name-tests-test
# Do not allow direct push to main/master branches
- id: no-commit-to-branch
Expand All @@ -64,14 +64,14 @@ repos:
hooks:
- id: prettier
args:
['--ignore-unknown', '--no-error-on-unmatched-pattern', '!chart/**']
["--ignore-unknown", "--no-error-on-unmatched-pattern", "!chart/**"]

# Lint: Markdown
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.37.0
hooks:
- id: markdownlint
args: ['--fix']
args: ["--fix"]

# - repo: https://github.com/asottile/pyupgrade
# rev: v3.15.0
Expand All @@ -98,7 +98,7 @@ repos:
rev: 2.1.1
hooks:
- id: bashate
args: ['--ignore=E006']
args: ["--ignore=E006"]

- repo: https://github.com/koalaman/shellcheck-precommit
rev: v0.9.0
Expand Down Expand Up @@ -142,7 +142,7 @@ repos:
# additional_dependencies: [black]

- repo: https://github.com/pycqa/flake8
rev: '6.1.0'
rev: "6.1.0"
hooks:
- id: flake8

Expand All @@ -153,6 +153,6 @@ repos:
# - id: codespell

- repo: https://github.com/pre-commit/mirrors-mypy
rev: 'v1.7.0'
rev: "v1.7.0"
hooks:
- id: mypy
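Review bot: In the tomllint hook (hunk `@@ -17,7 +17,7 @@`) the context line `files: \^*.toml` looks like a mis-escaped pattern: pre-commit treats `files` as a regex, so `\^*` is a literal caret repeated zero or more times and `.` matches any character, leaving the pattern unanchored and matching names such as `footoml` as well as `pyproject.toml`. If the intent is to run the script on TOML files only, `files: \.toml$` expresses that directly. This is pre-existing rather than introduced by the commit, but the same hunk already touches the hook's `name`, so it is a cheap fix to fold in.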
14 changes: 7 additions & 7 deletions .prow.yaml
Expand Up @@ -9,13 +9,13 @@ presubmits:
containers:
- image: quay.io/thoth-station/thoth-precommit-py38:v0.12.8
command:
- 'pre-commit'
- 'run'
- '--all-files'
- "pre-commit"
- "run"
- "--all-files"
resources:
requests:
memory: '500Mi'
cpu: '300m'
memory: "500Mi"
cpu: "300m"
limits:
memory: '1Gi'
cpu: '500m'
memory: "1Gi"
cpu: "500m"
4 changes: 2 additions & 2 deletions .thoth.yaml
Expand Up @@ -7,8 +7,8 @@ runtime_environments:
- name: rhel:8
operating_system:
name: rhel
version: '8'
python_version: '3.8'
version: "8"
python_version: "3.8"
recommendation_type: latest

managers:
2 changes: 1 addition & 1 deletion manifests/.sops.yaml
@@ -1,6 +1,6 @@
---
creation_rules:
- encrypted_regex: '^(data|stringData)$'
- encrypted_regex: "^(data|stringData)$"
# yamllint disable-line rule:truthy
pgp: >-
'EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E,
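Review bot: The `pgp: >-` value that begins with `'EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E,` carries a literal apostrophe — inside a block scalar, quotes are ordinary text rather than YAML quoting — so the first fingerprint handed to sops appears to start with `'`. The remainder of the value is collapsed below the hunk, so whether a closing quote or sops's own parsing makes this harmless cannot be confirmed here; if the quotes are not intentional, writing the bare comma-separated fingerprints under `pgp: >-` removes the ambiguity. The `# yamllint disable-line rule:truthy` directive sits above `pgp:`, which holds nothing truthy-looking, so it may be a leftover from an earlier layout.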
6 changes: 3 additions & 3 deletions manifests/cronwf.yaml
Expand Up @@ -5,14 +5,14 @@ metadata:
generateName: <CHANGE_ME>
name: <CHANGE_ME>
spec:
schedule: '0 0 1 * *'
concurrencyPolicy: 'Replace'
schedule: "0 0 1 * *"
concurrencyPolicy: "Replace"
workflowSpec:
volumeClaimTemplates:
- metadata:
name: local-data-storage
spec:
accessModes: ['ReadWriteOnce']
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
2 changes: 1 addition & 1 deletion manifests/postsync-wf.yaml
Expand Up @@ -11,7 +11,7 @@ spec:
- metadata:
name: local-data-storage
spec:
accessModes: ['ReadWriteOnce']
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
12 changes: 6 additions & 6 deletions manifests/wftmpl.yaml
Expand Up @@ -38,13 +38,13 @@ spec:
outputs:
artifacts:
- name: rendered_notebook
path: '/mnt/data/notebooks/{{inputs.parameters.notebook}}'
path: "/mnt/data/notebooks/{{inputs.parameters.notebook}}"
archive:
none: {}
s3:
endpoint: s3.upshift.redhat.com:443
bucket: <CHANGE_ME>
key: 'production_data/rendered_notebooks/{{inputs.parameters.notebook}}'
key: "production_data/rendered_notebooks/{{inputs.parameters.notebook}}"
accessKeySecret:
key: access-key-id
name: <SECRET_NAME>
Expand All @@ -57,7 +57,7 @@ spec:
args:
- --config
- .jupyter/jupyter_nbconvert_config.py
- 'notebooks/{{inputs.parameters.notebook}}'
- "notebooks/{{inputs.parameters.notebook}}"
# If using different image than built by:
# https://github.com/AICoE/s2i-custom-notebook
# please change or remote the workingDir settings
Expand All @@ -69,9 +69,9 @@ spec:
- name: LOCAL_DATA_PATH
value: /mnt/data
- name: RUN_IN_AUTOMATION
value: 'true'
value: "true"
- name: NOTEBOOK_NAME
value: '{{inputs.parameters.notebook}}'
value: "{{inputs.parameters.notebook}}"
- name: S3_ENDPOINT_URL
value: https://s3.upshift.redhat.com
- name: S3_PROJECT_KEY
Expand Down Expand Up @@ -99,5 +99,5 @@ spec:
cpu: 500m
memory: 1Gi
limits:
cpu: '2'
cpu: "2"
memory: 4Gi
