Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,15 +10,15 @@ jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable persisted checkout credentials across all workflows.

Every listed checkout step leaves the GitHub token in local Git configuration while repository-controlled commands execute.

  • .github/workflows/docs.yml#L13-L13: add persist-credentials: false.
  • .github/workflows/mypy.yml#L13-L13: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L12-L12: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L28-L28: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L42-L42: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L56-L56: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L72-L72: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L96-L96: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L110-L110: add persist-credentials: false.
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 13-13: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

📍 Affects 3 files
  • .github/workflows/docs.yml#L13-L13 (this comment)
  • .github/workflows/mypy.yml#L13-L13
  • .github/workflows/tox-test.yml#L12-L12
  • .github/workflows/tox-test.yml#L28-L28
  • .github/workflows/tox-test.yml#L42-L42
  • .github/workflows/tox-test.yml#L56-L56
  • .github/workflows/tox-test.yml#L72-L72
  • .github/workflows/tox-test.yml#L96-L96
  • .github/workflows/tox-test.yml#L110-L110
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml at line 13, Disable persisted checkout
credentials on every listed checkout step by adding persist-credentials: false:
.github/workflows/docs.yml lines 13-13; .github/workflows/mypy.yml lines 13-13;
and .github/workflows/tox-test.yml lines 12-12, 28-28, 42-42, 56-56, 72-72,
96-96, and 110-110.

Source: Linters/SAST tools

- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
- name: Run Tox
run: tox -e docs
- name: Publish
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/mypy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,21 +10,21 @@ jobs:
mypy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
- name: Run Tox
id: mypy-run
run: tox -e mypy
continue-on-error: true
- name: Report if mypy has gone wrong.
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
script: |
github.rest.issues.createComment({
Expand Down
44 changes: 22 additions & 22 deletions .github/workflows/tox-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,81 +9,81 @@ jobs:
py39:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.9"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
with:
version: 2.2.1
- name: Run Tox
run: tox -e py39
py312:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Restrict permissions for the affected tox jobs.

  • .github/workflows/tox-test.yml#L28-L28: add permissions: contents: read to the py312 job.
  • .github/workflows/tox-test.yml#L42-L42: add permissions: contents: read to the py313 job.
  • .github/workflows/tox-test.yml#L56-L56: add permissions: contents: read to the static job.
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

📍 Affects 1 file
  • .github/workflows/tox-test.yml#L28-L28 (this comment)
  • .github/workflows/tox-test.yml#L42-L42
  • .github/workflows/tox-test.yml#L56-L56
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tox-test.yml at line 28, Restrict workflow permissions by
adding permissions: contents: read to the py312 job at
.github/workflows/tox-test.yml lines 28-28, the py313 job at lines 42-42, and
the static job at lines 56-56.

Source: Linters/SAST tools

- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.12"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
- name: Run Tox
run: tox -e py312
py313:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
- name: Run Tox
run: tox -e py313
static:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
- name: Run Tox
run: tox -e static
coverage:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
- name: Run Tox
run: tox -e cov
- name: Install pytest cov
run: poetry run python -m pip install pytest-cov
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7
with:
use_oidc: true
flags: unit-tests
Expand All @@ -93,28 +93,28 @@ jobs:
bandit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
- name: Run Tox
run: tox -e bandit
bandit-exitzero:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"
- name: Install Tox
run: pip install tox
- name: Install Poetry
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1
- name: Run Tox
run: tox -e bandit-exitzero
2 changes: 1 addition & 1 deletion dev-docker/Dockerfile-app
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM registry.access.redhat.com/ubi9/python-39:latest@sha256:f54df76a8d799877f5c95ac4dacb818137534d6d69e38556f08e8bcb417fc083
FROM registry.access.redhat.com/ubi9/python-39:latest@sha256:089d74899673657f24e2f5ebd843322ff344065ab711a932be40d4d3fb83a88d

LABEL maintainer="Red Hat - EXD"

Expand Down
2 changes: 1 addition & 1 deletion dev-docker/Dockerfile-beat
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM registry.access.redhat.com/ubi9/python-39:latest@sha256:f54df76a8d799877f5c95ac4dacb818137534d6d69e38556f08e8bcb417fc083
FROM registry.access.redhat.com/ubi9/python-39:latest@sha256:089d74899673657f24e2f5ebd843322ff344065ab711a932be40d4d3fb83a88d

LABEL maintainer="Red Hat - EXD"

Expand Down
2 changes: 1 addition & 1 deletion dev-docker/Dockerfile-broker
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM redis@sha256:1c054d54ecd1597bba52f4304bca5afbc5565ebe614c5b3d7dc5b7f8a0cd768d
FROM redis@sha256:2838d5524559494f6f1cd66e97e76b200d64a633a8614200620755ed395daf32

EXPOSE 6379

Expand Down
2 changes: 1 addition & 1 deletion dev-docker/Dockerfile-workers
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM registry.access.redhat.com/ubi9/python-39:latest@sha256:f54df76a8d799877f5c95ac4dacb818137534d6d69e38556f08e8bcb417fc083
FROM registry.access.redhat.com/ubi9/python-39:latest@sha256:089d74899673657f24e2f5ebd843322ff344065ab711a932be40d4d3fb83a88d

LABEL maintainer="Red Hat - EXD"

Expand Down
21 changes: 11 additions & 10 deletions poetry.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ black = "25.11.0"
pre-commit = "<4"
mypy = "1.19.1"
pylint = "==3.3.9"
pytest-cov = "7.0.0"
pytest-cov = "7.1.0"
uvicorn = {version = "0.39.0", extras = ["standard"]}

[tool.poetry.group.docs]
Expand Down