Update all dependencies#328
Conversation
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #328 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 21 21
Lines 1319 1319
=========================================
Hits 1319 1319
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
4f3dff6 to
f1c00d8
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
f1c00d8 to
b446919
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
b446919 to
d78c836
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
d78c836 to
9aa72bf
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
9aa72bf to
8416621
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
8416621 to
ee65b0c
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
ee65b0c to
a0050d2
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
a0050d2 to
cd32566
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
cd32566 to
8b24702
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
8b24702 to
519444f
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
519444f to
8e32491
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
8e32491 to
8c2c595
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
8c2c595 to
72f53a4
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
4e2ff80 to
09aaaa1
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
09aaaa1 to
f9f9918
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
f9f9918 to
a896cb7
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
c3076c8 to
6a0fc1d
Compare
b87ecd8 to
3032957
Compare
3032957 to
520e4ef
Compare
|
Warning: The mypy type checker has found some errors. See the mypy job for details |
📝 WalkthroughWalkthroughThis PR updates pinned GitHub Actions revisions, Docker base image digests, and the ChangesDependency and Base Image Updates
Estimated code review effort: 1 (Trivial) | ~5 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (3)
.github/workflows/docs.yml (1)
13-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd
persist-credentials: falsetoactions/checkout
actions/checkoutleaves the git token in.git/configby default; disabling credential persistence avoids exposing it to later steps.🔧 Suggested hardening
- - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docs.yml around lines 13 - 21, The workflow’s actions/checkout step is still persisting the git token in the repository config, so update the checkout configuration to disable credential persistence. Add persist-credentials set to false on the actions/checkout step in the docs workflow so later steps cannot reuse the token.Source: Linters/SAST tools
.github/workflows/mypy.yml (1)
13-27: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd
persist-credentials: falseto checkoutactions/checkoutleaves the repo token in git config by default; disable it here to avoid unnecessary credential persistence.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/mypy.yml around lines 13 - 27, The checkout step is leaving repository credentials persisted in git config; update the actions/checkout usage in the mypy workflow to disable credential persistence by setting persist-credentials to false. Keep the fix scoped to the existing checkout step so the workflow still checks out the repo without storing the token.Source: Linters/SAST tools
.github/workflows/tox-test.yml (1)
12-118: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winHarden checkout and job token scope Add
persist-credentials: falseto eachactions/checkoutstep and add a least-privilegepermissions:block (for examplecontents: read) to the non-Codecov jobs.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/tox-test.yml around lines 12 - 118, The workflow jobs using actions/checkout and tox currently rely on the default token scope and persist checkout credentials unnecessarily. Update each checkout step in the tox-test workflow to disable credential persistence, and add an explicit least-privilege permissions block (for example contents: read) to every non-Codecov job while preserving the existing id-token permission only for the coverage job. Use the existing job names (py39, py312, py313, static, coverage, bandit, bandit-exitzero) and the actions/checkout step as the anchors for the change.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/docs.yml:
- Around line 13-21: The workflow’s actions/checkout step is still persisting
the git token in the repository config, so update the checkout configuration to
disable credential persistence. Add persist-credentials set to false on the
actions/checkout step in the docs workflow so later steps cannot reuse the
token.
In @.github/workflows/mypy.yml:
- Around line 13-27: The checkout step is leaving repository credentials
persisted in git config; update the actions/checkout usage in the mypy workflow
to disable credential persistence by setting persist-credentials to false. Keep
the fix scoped to the existing checkout step so the workflow still checks out
the repo without storing the token.
In @.github/workflows/tox-test.yml:
- Around line 12-118: The workflow jobs using actions/checkout and tox currently
rely on the default token scope and persist checkout credentials unnecessarily.
Update each checkout step in the tox-test workflow to disable credential
persistence, and add an explicit least-privilege permissions block (for example
contents: read) to every non-Codecov job while preserving the existing id-token
permission only for the coverage job. Use the existing job names (py39, py312,
py313, static, coverage, bandit, bandit-exitzero) and the actions/checkout step
as the anchors for the change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: ca0a8719-e1d1-4d5a-aba5-c89e97d54ea5
⛔ Files ignored due to path filters (1)
poetry.lockis excluded by!**/*.lock
📒 Files selected for processing (8)
.github/workflows/docs.yml.github/workflows/mypy.yml.github/workflows/tox-test.ymldev-docker/Dockerfile-appdev-docker/Dockerfile-beatdev-docker/Dockerfile-brokerdev-docker/Dockerfile-workerspyproject.toml
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/docs.yml:
- Line 13: Disable persisted checkout credentials on every listed checkout step
by adding persist-credentials: false: .github/workflows/docs.yml lines 13-13;
.github/workflows/mypy.yml lines 13-13; and .github/workflows/tox-test.yml lines
12-12, 28-28, 42-42, 56-56, 72-72, 96-96, and 110-110.
In @.github/workflows/tox-test.yml:
- Line 28: Restrict workflow permissions by adding permissions: contents: read
to the py312 job at .github/workflows/tox-test.yml lines 28-28, the py313 job at
lines 42-42, and the static job at lines 56-56.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 3949fed0-2069-4544-9bd0-fee61d160297
⛔ Files ignored due to path filters (1)
poetry.lockis excluded by!**/*.lock
📒 Files selected for processing (8)
.github/workflows/docs.yml.github/workflows/mypy.yml.github/workflows/tox-test.ymldev-docker/Dockerfile-appdev-docker/Dockerfile-beatdev-docker/Dockerfile-brokerdev-docker/Dockerfile-workerspyproject.toml
🚧 Files skipped from review as they are similar to previous changes (5)
- dev-docker/Dockerfile-app
- pyproject.toml
- dev-docker/Dockerfile-broker
- dev-docker/Dockerfile-beat
- dev-docker/Dockerfile-workers
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Disable persisted checkout credentials across all workflows.
Every listed checkout step leaves the GitHub token in local Git configuration while repository-controlled commands execute.
.github/workflows/docs.yml#L13-L13: addpersist-credentials: false..github/workflows/mypy.yml#L13-L13: addpersist-credentials: false..github/workflows/tox-test.yml#L12-L12: addpersist-credentials: false..github/workflows/tox-test.yml#L28-L28: addpersist-credentials: false..github/workflows/tox-test.yml#L42-L42: addpersist-credentials: false..github/workflows/tox-test.yml#L56-L56: addpersist-credentials: false..github/workflows/tox-test.yml#L72-L72: addpersist-credentials: false..github/workflows/tox-test.yml#L96-L96: addpersist-credentials: false..github/workflows/tox-test.yml#L110-L110: addpersist-credentials: false.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 13-13: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
📍 Affects 3 files
.github/workflows/docs.yml#L13-L13(this comment).github/workflows/mypy.yml#L13-L13.github/workflows/tox-test.yml#L12-L12.github/workflows/tox-test.yml#L28-L28.github/workflows/tox-test.yml#L42-L42.github/workflows/tox-test.yml#L56-L56.github/workflows/tox-test.yml#L72-L72.github/workflows/tox-test.yml#L96-L96.github/workflows/tox-test.yml#L110-L110
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/docs.yml at line 13, Disable persisted checkout
credentials on every listed checkout step by adding persist-credentials: false:
.github/workflows/docs.yml lines 13-13; .github/workflows/mypy.yml lines 13-13;
and .github/workflows/tox-test.yml lines 12-12, 28-28, 42-42, 56-56, 72-72,
96-96, and 110-110.
Source: Linters/SAST tools
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Restrict permissions for the affected tox jobs.
.github/workflows/tox-test.yml#L28-L28: addpermissions: contents: readto thepy312job..github/workflows/tox-test.yml#L42-L42: addpermissions: contents: readto thepy313job..github/workflows/tox-test.yml#L56-L56: addpermissions: contents: readto thestaticjob.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
📍 Affects 1 file
.github/workflows/tox-test.yml#L28-L28(this comment).github/workflows/tox-test.yml#L42-L42.github/workflows/tox-test.yml#L56-L56
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/tox-test.yml at line 28, Restrict workflow permissions by
adding permissions: contents: read to the py312 job at
.github/workflows/tox-test.yml lines 28-28, the py313 job at lines 42-42, and
the static job at lines 56-56.
Source: Linters/SAST tools
This PR contains the following updates:
v6→v7v8→v9a309ff8→ece7cb0v5→v70.138.1→0.139.07.0.0→7.1.01c054d5→2838d55f54df76→089d74876e04a9→a783c3212.2.0→12.3.0Release Notes
actions/checkout (actions/checkout)
v7.0.0Compare Source
v7Compare Source
actions/github-script (actions/github-script)
v9.0.0Compare Source
New features:
getOctokitfactory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients withgetOctokitfor details and examples.ACTIONS_ORCHESTRATION_IDenvironment variable is automatically appended to the user-agent string for request tracing.Breaking changes:
require('@​actions/github')no longer works in scripts. The upgrade to@actions/githubv9 (ESM-only) meansrequire('@​actions/github')will fail at runtime. If you previously used patterns likeconst { getOctokit } = require('@​actions/github')to create secondary clients, use the new injectedgetOctokitfunction instead — it's available directly in the script context with no imports needed.getOctokitis now an injected function parameter. Scripts that declareconst getOctokit = ...orlet getOctokit = ...will get aSyntaxErrorbecause JavaScript does not allowconst/letredeclaration of function parameters. Use the injectedgetOctokitdirectly, or usevar getOctokit = ...if you need to redeclare it.@actions/githubinternals beyond the standardgithub/octokitclient, you may need to update those references for v9 compatibility.What's Changed
New Contributors
Full Changelog: actions/github-script@v8.0.0...v9.0.0
v9Compare Source
codecov/codecov-action (codecov/codecov-action)
v7.0.0Compare Source
codecovsecurityaccount. We have deleted the account and are usingcodecovsecopswith the original gpg keyWhat's Changed
Full Changelog: codecov/codecov-action@v6.0.1...v7.0.0
v7Compare Source
v6.0.2Compare Source
This is a copy of the
v7.0.0release to make updates easierWhat's Changed
Full Changelog: codecov/codecov-action@v6.0.1...v6.0.2
v6.0.1Compare Source
What's Changed
Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1
v6.0.0Compare Source
What's Changed
Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0
v6Compare Source
fastapi/fastapi (fastapi)
v0.139.0Compare Source
Features
app.frontend(), e.g. for automatic cookie authentication for the frontend. PR #15908 by @tiangolo.Translations
Internal
allow-unsafe-pr-checkout: true. PR #15876 by @YuriiMotov.v0.138.2Compare Source
Refactors
app.frontend()return 404 for methods other thanGETorHEADwith no static file matches. PR #15863 by @tiangolo.Internal
pytest-dev/pytest-cov (pytest-cov)
v7.1.0Compare Source
Fixed total coverage computation to always be consistent, regardless of reporting settings.
Previously some reports could produce different total counts, and consequently can make --cov-fail-under behave different depending on
reporting options.
See
#​641 <https://github.com/pytest-dev/pytest-cov/issues/641>_.Improve handling of ResourceWarning from sqlite3.
The plugin adds warning filter for sqlite3
ResourceWarningunclosed database (since 6.2.0).It checks if there is already existing plugin for this message by comparing filter regular expression.
When filter is specified on command line the message is escaped and does not match an expected message.
A check for an escaped regular expression is added to handle this case.
With this fix one can suppress
ResourceWarningfrom sqlite3 from command line::pytest -W "ignore:unclosed database in <sqlite3.Connection object at:ResourceWarning" ...
Various improvements to documentation.
Contributed by Art Pelling in
#​718 <https://github.com/pytest-dev/pytest-cov/pull/718>_ and"vivodi" in
#​738 <https://github.com/pytest-dev/pytest-cov/pull/738>.Also closed
#​736 <https://github.com/pytest-dev/pytest-cov/issues/736>.Fixed some assertions in tests.
Contributed by in Markéta Machová in
#​722 <https://github.com/pytest-dev/pytest-cov/pull/722>_.Removed unnecessary coverage configuration copying (meant as a backup because reporting commands had configuration side-effects before coverage 5.0).
Simplistix/testfixtures (testfixtures)
v12.3.0Compare Source
Added :doc:
pydantic <pydantic>support: a :func:comparer <testfixtures.pydantic.compare_basemodel>for :class:
~pydantic.BaseModelis automatically registered, and thetestfixtures[pydantic]extra installs a compatible version.
Added :class:
ReprComparisonand :func:repr_likefor asserting an object's type along with its:func:
repr.Added :class:
StrComparisonand :func:str_likefor asserting an object's type along with its:class:
str.Added :func:
mapping, the typed helper for :class:MappingComparison.:func:
likenow accepts a regular expression, as a string or a compiled :class:re.Pattern,returning a :class:
TextComparisontyped as a :class:str. :class:TextComparisoncan alsonow be built directly from a compiled :class:
re.Pattern.:class:
ShouldRaisenow accepts :func:repr_likeand :func:str_likematchers, so a raisedexception's type and rendering can be checked without constructing the exception instance.
Renamed :class:
!StringComparisonto :class:TextComparison. :class:!StringComparisonremainsas a deprecated alias.
Fixed a bug where comparing two matcher instances directly, such as two :class:
SequenceComparisonobjects, could produce a confusing diff instead of comparing them for equality.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.