Chore: Tweaking security workflow #24

Merged (2 commits), Nov 21, 2023
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/major-release.md
@@ -2,7 +2,7 @@
name: Major release
about: Create a new major release
title: New major release
assignees: 'sesheta'
assignees: "sesheta"
labels: bot
---

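Review bot: this hunk and the two sibling issue-template hunks below are quote normalization only; `'sesheta'` and `"sesheta"` are the same YAML string, so the assignee and labels do not change. Fine as a prettier-consistency cleanup, though these templates have nothing to do with the "security workflow" the PR title names; the commit message could say "normalize quoting across repo" so the history is searchable later.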
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/minor-release.md
@@ -2,7 +2,7 @@
name: Minor release
about: Create a new minor release
title: New minor release
assignees: 'sesheta'
assignees: "sesheta"
labels: bot
---

2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/patch-release.md
@@ -2,7 +2,7 @@
name: Patch release
about: Create a new patch release
title: New patch release
assignees: 'sesheta'
assignees: "sesheta"
labels: bot
---

14 changes: 7 additions & 7 deletions .github/workflows/dependencies.yaml
@@ -1,15 +1,15 @@
---
name: '⛔️ Update dependencies'
name: "⛔️ Update dependencies"

# yamllint disable-line rule:truthy
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * MON'
- cron: "0 0 * * MON"

jobs:
update-dependencies:
name: 'Update Python modules'
name: "Update Python modules"
runs-on: ubuntu-latest
permissions:
# IMPORTANT: mandatory to raise the PR
@@ -24,7 +24,7 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: 'Setup PDM for build commands'
- name: "Setup PDM for build commands"
uses: pdm-project/setup-pdm@v3
with:
version: 2.10.0
@@ -33,8 +33,8 @@ jobs:
uses: pdm-project/update-deps-action@main
with:
token: ${{ secrets.GH_TOKEN }}
commit-message: 'Chore: Update dependencies and pdm.lock'
pr-title: 'Update Python module dependencies'
commit-message: "Chore: Update dependencies and pdm.lock"
pr-title: "Update Python module dependencies"
update-strategy: eager
# Whether to install PDM plugins before update
install-plugins: 'false'
install-plugins: "false"
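Review bot: `uses: pdm-project/update-deps-action@main` in this hunk tracks a moving branch while the step below it receives `token: ${{ secrets.GH_TOKEN }}`, a token with enough rights to push a branch and open a PR; whoever can change that branch can run arbitrary code with that token in this repo. The quoting change does not affect this, but since the workflow is being edited, pin the action to a release tag or, better, a full commit SHA, as `actions/checkout@v4` and `pdm-project/setup-pdm@v3` above already pin at least to a major tag. Also confirm `GH_TOKEN` is scoped to this repository and to the minimum needed to raise the PR, as the `permissions:` comment above implies.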
17 changes: 8 additions & 9 deletions .github/workflows/security.yaml
@@ -4,7 +4,7 @@
# For more information see:
# https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions

name: '⛔️ Security auditing'
name: "⛔️ Security auditing"

# yamllint disable-line rule:truthy
on:
@@ -14,29 +14,28 @@ on:

jobs:
build:
name: 'Audit Python dependencies'
name: "Audit Python dependencies"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ['3.9', '3.10', '3.11']
python-version: ["3.9", "3.10", "3.11"]
steps:
- name: 'Checkout repository'
- name: "Checkout repository"
uses: actions/checkout@v4

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}

- name: 'Install dependencies'
- name: "Install dependencies"
run: |
pip install --upgrade pip
python -m pip install -r requirements.txt
python -m pip install .

- name: 'Run: pip-audit'
- name: "Run: pip-audit"
uses: pypa/[email protected]
# with:
# ignore-vulns: |
# PYSEC-2023-163
# ignore-vulns: |
# PYSEC-2023-163
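Review bot: the re-indented `# ignore-vulns:` / `# PYSEC-2023-163` block at the end of this hunk is still commented out, so pip-audit behaves exactly as before: if PYSEC-2023-163 applies to something in `requirements.txt`, the job fails. Either delete the dead comment or, if a suppression is intended, enable it with a comment naming the affected package and the condition for removing it; an `ignore-vulns` entry without an expiry tends to outlive the vulnerable pin it was added for. Minor: the install step mixes `pip install --upgrade pip` with `python -m pip install ...`; use `python -m pip` for all three lines so every command hits the interpreter selected by `matrix.python-version`.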
16 changes: 8 additions & 8 deletions .pre-commit-config.yaml
@@ -1,6 +1,6 @@
---
ci:
autofix_commit_msg: 'Chore: pre-commit autoupdate'
autofix_commit_msg: "Chore: pre-commit autoupdate"
skip:
# pre-commit.ci cannot install WGET, so tomlint must be disabled
- tomllint
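Review bot: the context comment reads `tomlint must be disabled` while the hook id on the next line is `tomllint`; fix the spelling (and `WGET` to `wget`) while this block is being touched so the skip reason matches the hook it refers to.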
@@ -17,7 +17,7 @@ repos:
- repo: local
hooks:
- id: tomllint
name: 'Script: scripts/tomllint.sh'
name: "Script: scripts/tomllint.sh"
language: script
# pass_filenames: false
files: \^*.toml
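Review bot: `files: \^*.toml` in the trailing context is not the pattern it looks like: `\^` is a literal caret, `*` repeats it zero or more times, and `.` matches any character, so the hook runs on any path containing `toml` preceded by one character (for example `mytoml.txt`) rather than only on TOML files. `files: \.toml$` is what is meant. Unchanged by this PR, but worth fixing in the same file.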
@@ -45,7 +45,7 @@ repos:
- id: detect-private-key
- id: end-of-file-fixer
- id: mixed-line-ending
args: ['--fix=lf']
args: ["--fix=lf"]
- id: name-tests-test
# Do not allow direct push to main/master branches
- id: no-commit-to-branch
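Review bot: the comment `Do not allow direct push to main/master branches` overstates what `no-commit-to-branch` does: a pre-commit hook runs only on the contributor's machine and is skipped by `git commit --no-verify` or by anyone who never installed the hooks. Keep the hook as a convenience, but reword the comment so it is clear the enforcing control is branch protection on the server side.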
@@ -64,14 +64,14 @@ repos:
hooks:
- id: prettier
args:
['--ignore-unknown', '--no-error-on-unmatched-pattern', '!chart/**']
["--ignore-unknown", "--no-error-on-unmatched-pattern", "!chart/**"]

# Lint: Markdown
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.37.0
hooks:
- id: markdownlint
args: ['--fix']
args: ["--fix"]

# - repo: https://github.com/asottile/pyupgrade
# rev: v3.15.0
@@ -98,7 +98,7 @@ repos:
rev: 2.1.1
hooks:
- id: bashate
args: ['--ignore=E006']
args: ["--ignore=E006"]

- repo: https://github.com/koalaman/shellcheck-precommit
rev: v0.9.0
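Review bot: `rev: 2.1.1` at the top of this hunk stays unquoted while the PR quotes `rev: "6.1.0"` and `rev: "v1.7.0"` further down. It happens to be safe here, since a value with two dots is never parsed as a number, but a tag like `1.10` would silently become the float 1.1; quoting every `rev` avoids that class of surprise and keeps the file uniform with the rest of this change.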
@@ -142,7 +142,7 @@ repos:
# additional_dependencies: [black]

- repo: https://github.com/pycqa/flake8
rev: '6.1.0'
rev: "6.1.0"
hooks:
- id: flake8

@@ -153,6 +153,6 @@ repos:
# - id: codespell

- repo: https://github.com/pre-commit/mirrors-mypy
rev: 'v1.7.0'
rev: "v1.7.0"
hooks:
- id: mypy
14 changes: 7 additions & 7 deletions .prow.yaml
@@ -9,13 +9,13 @@ presubmits:
containers:
- image: quay.io/thoth-station/thoth-precommit-py38:v0.12.8
command:
- 'pre-commit'
- 'run'
- '--all-files'
- "pre-commit"
- "run"
- "--all-files"
resources:
requests:
memory: '500Mi'
cpu: '300m'
memory: "500Mi"
cpu: "300m"
limits:
memory: '1Gi'
cpu: '500m'
memory: "1Gi"
cpu: "500m"
4 changes: 2 additions & 2 deletions .thoth.yaml
@@ -7,8 +7,8 @@ runtime_environments:
- name: rhel:8
operating_system:
name: rhel
version: '8'
python_version: '3.8'
version: "8"
python_version: "3.8"
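Review bot: the quotes on `"8"` and `"3.8"` in this hunk are load-bearing, not cosmetic: unquoted, YAML reads `8` as an integer and `3.8` as a float, and a consumer that compares them against version strings gets a type mismatch. Swapping `'` for `"` is fine; just make sure a later cleanup does not drop the quotes altogether.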
recommendation_type: latest

managers:
2 changes: 1 addition & 1 deletion manifests/.sops.yaml
@@ -1,6 +1,6 @@
---
creation_rules:
- encrypted_regex: '^(data|stringData)$'
- encrypted_regex: "^(data|stringData)$"
# yamllint disable-line rule:truthy
pgp: >-
'EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E,
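Review bot: `pgp: >-` opens a folded block scalar, so the `'` at the start of the fingerprint list on the next line is literal content, not YAML quoting, and becomes part of the first fingerprint sops is asked to encrypt to. Verify that sops still resolves `EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E` with that leading quote or, better, drop the quotes inside the block while quoting is being normalized in this file. Also, `# yamllint disable-line rule:truthy` attaches to the `pgp:` line, which carries no truthy-looking value; it looks left over and can go.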
6 changes: 3 additions & 3 deletions manifests/cronwf.yaml
@@ -5,14 +5,14 @@ metadata:
generateName: <CHANGE_ME>
name: <CHANGE_ME>
spec:
schedule: '0 0 1 * *'
concurrencyPolicy: 'Replace'
schedule: "0 0 1 * *"
concurrencyPolicy: "Replace"
workflowSpec:
volumeClaimTemplates:
- metadata:
name: local-data-storage
spec:
accessModes: ['ReadWriteOnce']
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
2 changes: 1 addition & 1 deletion manifests/postsync-wf.yaml
@@ -11,7 +11,7 @@ spec:
- metadata:
name: local-data-storage
spec:
accessModes: ['ReadWriteOnce']
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
12 changes: 6 additions & 6 deletions manifests/wftmpl.yaml
@@ -38,13 +38,13 @@ spec:
outputs:
artifacts:
- name: rendered_notebook
path: '/mnt/data/notebooks/{{inputs.parameters.notebook}}'
path: "/mnt/data/notebooks/{{inputs.parameters.notebook}}"
archive:
none: {}
s3:
endpoint: s3.upshift.redhat.com:443
bucket: <CHANGE_ME>
key: 'production_data/rendered_notebooks/{{inputs.parameters.notebook}}'
key: "production_data/rendered_notebooks/{{inputs.parameters.notebook}}"
accessKeySecret:
key: access-key-id
name: <SECRET_NAME>
@@ -57,7 +57,7 @@ spec:
args:
- --config
- .jupyter/jupyter_nbconvert_config.py
- 'notebooks/{{inputs.parameters.notebook}}'
- "notebooks/{{inputs.parameters.notebook}}"
# If using different image than built by:
# https://github.com/AICoE/s2i-custom-notebook
# please change or remote the workingDir settings
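Review bot: the context comment `please change or remote the workingDir settings` should read `remove`; fix it while the surrounding `args` entry is being touched.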
@@ -69,9 +69,9 @@ spec:
- name: LOCAL_DATA_PATH
value: /mnt/data
- name: RUN_IN_AUTOMATION
value: 'true'
value: "true"
- name: NOTEBOOK_NAME
value: '{{inputs.parameters.notebook}}'
value: "{{inputs.parameters.notebook}}"
- name: S3_ENDPOINT_URL
value: https://s3.upshift.redhat.com
- name: S3_PROJECT_KEY
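Review bot: in this hunk the quotes are required rather than stylistic: `value: "true"` must stay a string because a Kubernetes container env `value` rejects a boolean, and `value: "{{inputs.parameters.notebook}}"` must be quoted because an unquoted leading `{` would start a YAML flow mapping. The same holds for the quoted `{{...}}` `path`, `key` and `args` entries in the earlier hunks of this file. Fine as changed; flagging so nobody "simplifies" them away later.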
@@ -99,5 +99,5 @@ spec:
cpu: 500m
memory: 1Gi
limits:
cpu: '2'
cpu: "2"
memory: 4Gi