From 7f1ca645b4ae83012c96f59ba5bde42de795359a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 04:48:29 +0000 Subject: [PATCH 1/4] chore(deps): bump the dependencies group with 3 updates Bumps the dependencies group with 3 updates: [github/ospo-reusable-workflows](https://github.com/github/ospo-reusable-workflows), [super-linter/super-linter](https://github.com/super-linter/super-linter) and [github/codeql-action](https://github.com/github/codeql-action). Updates `github/ospo-reusable-workflows` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/github/ospo-reusable-workflows/releases) - [Changelog](https://github.com/github/ospo-reusable-workflows/blob/main/docs/release-image.md) - [Commits](https://github.com/github/ospo-reusable-workflows/compare/ebb4e218b75c6043139fd69a4c9bb5a465fb696b...c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0) Updates `super-linter/super-linter` from 8.0.0 to 8.1.0 - [Release notes](https://github.com/super-linter/super-linter/releases) - [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md) - [Commits](https://github.com/super-linter/super-linter/compare/5119dcd8011e92182ce8219d9e9efc82f16fddb6...ffde3b2b33b745cb612d787f669ef9442b1339a6) Updates `github/codeql-action` from 3.29.9 to 3.29.11 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/df559355d593797519d70b90fc8edd5db049e7a2...3c3833e0f8c1c83d449a7478aa59c036a9165498) --- updated-dependencies: - dependency-name: github/ospo-reusable-workflows dependency-version: 0.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: super-linter/super-linter dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: github/codeql-action 
dependency-version: 3.29.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-labeler.yml | 2 +- .github/workflows/linter.yaml | 2 +- .github/workflows/pr-title.yml | 2 +- .github/workflows/release.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml index 051eff1..0fc577f 100644 --- a/.github/workflows/auto-labeler.yml +++ b/.github/workflows/auto-labeler.yml @@ -11,7 +11,7 @@ jobs: permissions: contents: read pull-requests: write - uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: config-name: release-drafter.yml secrets: diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml index 531a1aa..8b03527 100644 --- a/.github/workflows/linter.yaml +++ b/.github/workflows/linter.yaml @@ -28,7 +28,7 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt -r requirements-test.txt - name: Lint Code Base - uses: super-linter/super-linter@5119dcd8011e92182ce8219d9e9efc82f16fddb6 + uses: super-linter/super-linter@ffde3b2b33b745cb612d787f669ef9442b1339a6 env: DEFAULT_BRANCH: main GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 77afc54..66d1da6 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml 
@@ -12,6 +12,6 @@ jobs: contents: read pull-requests: read statuses: write - uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 secrets: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9aca14d..9206d79 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ jobs: permissions: contents: write pull-requests: read - uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: publish: true release-config-name: release-drafter.yml @@ -25,7 +25,7 @@ jobs: packages: write id-token: write attestations: write - uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: image-name: ${{ github.repository_owner }}/stale_repos full-tag: ${{ needs.release.outputs.full-tag }} @@ -40,7 +40,7 @@ jobs: permissions: contents: read discussions: write - uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: full-tag: ${{ needs.release.outputs.full-tag }} body: ${{ needs.release.outputs.body }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 23c2e79..a67da4c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -42,6 +42,6 @@ jobs: path: results.sarif retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.5 + uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5 with: sarif_file: results.sarif From 69629274df000c40ff42d43f61b5fb2498d4c003 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Thu, 11 Sep 2025 14:20:35 -0500 Subject: [PATCH 2/4] fix: linting and copilot setup - ensure credentials are not persisted past checkout of code - add zizmor.yml file to linters to allow pull_request_target in actions for auto-labeler to work on fork pull requests - add trivy.yml file to linters to ignore mypy_cache directory - add HEALTHCHECK and non-root user to Dockerfile - setup copilot files Signed-off-by: jmeridth --- .github/copilot-instructions.md | 30 ++++++++++++++++ .github/linters/trivy.yaml | 3 ++ .github/linters/zizmor.yaml | 6 ++++ .github/workflows/copilot-setup-steps.yml | 40 +++++++++++++++++++++ .github/workflows/docker-image.yml | 2 ++ .github/workflows/linter.yaml | 5 +++ .github/workflows/major-version-updater.yml | 1 + .github/workflows/python-package.yml | 4 ++- .github/workflows/use-action.yml | 2 ++ Dockerfile | 12 ++++++- 10 files changed, 103 insertions(+), 2 deletions(-) create mode 100644 .github/copilot-instructions.md create mode 100644 .github/linters/trivy.yaml create mode 100644 .github/linters/zizmor.yaml create mode 100644 .github/workflows/copilot-setup-steps.yml diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 0000000..ff21558 --- /dev/null +++ b/.github/copilot-instructions.md 
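Review bot: The new pin `192325c86100d080feab897ff886c34abd4c83a3` keeps the trailing comment `# v3.29.5`, which already disagreed with the old line, while the PR description says this update lands on `3c3833e0f8c1c83d449a7478aa59c036a9165498` (3.29.11) — so neither the comment nor the description lets a reviewer confirm which codeql-action release this SHA actually is, and the SHA is the only thing the runner verifies. Resolve the commit against the codeql-action tags and make the comment match it, e.g. `# v3.29.11`; if the description is merely stale from a rebase, regenerate the PR rather than hand-editing the pin so the audit trail stays consistent.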
@@ -0,0 +1,30 @@ +# Copilot Instructions + +This is a GitHub Action identifies and reports repositories with no activity for configurable amount of time, in order to surface inactive repos to be considered for archival. + +## Code Standards + +### Required Before Each Commit + +- Run `make lint` before committing any changes to ensure proper code linting and formatting. + +### Development Flow + +- Lint: `make lint` +- Test: `make test` + +## Repository Structure + +- `Makefile`: Contains commands for linting, testing, and other tasks +- `requirements.txt`: Python dependencies for the project +- `requirements-test.txt`: Python dependencies for testing +- `README.md`: Project documentation and setup instructions +- `setup.py`: Python package setup configuration +- `test_*.py`: Python test files matching the naming convention for test discovery + +## Key Guidelines + +1. Follow Python best practices and idiomatic patterns +2. Maintain existing code structure and organization +3. Write unit tests for new functionality. +4. Document changes to environment variables in the `README.md` file. diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml new file mode 100644 index 0000000..d543fa9 --- /dev/null +++ b/.github/linters/trivy.yaml @@ -0,0 +1,3 @@ +scan: + skip-dirs: + - .mypy_cache diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml new file mode 100644 index 0000000..9745a0a --- /dev/null +++ b/.github/linters/zizmor.yaml @@ -0,0 +1,6 @@ +rules: + dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests + ignore: + - auto-labeler.yml + - pr-title.yml + - release.yml diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml new file mode 100644 index 0000000..d33b8b6 --- /dev/null +++ b/.github/workflows/copilot-setup-steps.yml 
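Review bot: The `dangerous-triggers` ignore in `zizmor.yaml` is file-wide, so it silences the audit for every trigger in `release.yml` — the workflow that holds `contents: write`, `packages: write`, `id-token: write` and `attestations: write` per the release.yml hunks in this series — even though the comment only justifies `pull_request_target` for labelling fork PRs in `auto-labeler.yml`. Any later trigger change in those three files will then go unflagged. Prefer suppressing at the point of risk with an inline marker on the specific `on:` entry, e.g. `pull_request_target: # zizmor: ignore[dangerous-triggers] -- labels only, never checks out PR head`, and confirm that none of the three workflows check out or execute PR-head code under that trigger; that is the condition the suppression actually rests on, and it should be written next to it.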
@@ -0,0 +1,40 @@ +name: "Copilot Setup Steps" + +# Automatically run the setup steps when they are changed to allow for easy validation, and +# allow manual testing through the repository's "Actions" tab +on: + workflow_dispatch: + push: + paths: + - .github/workflows/copilot-setup-steps.yml + pull_request: + paths: + - .github/workflows/copilot-setup-steps.yml + +# Set the permissions to the lowest permissions possible needed for your steps. +# Copilot will be given its own token for its operations. +permissions: + # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete. + contents: read + +jobs: + # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot. + copilot-setup-steps: + runs-on: ubuntu-latest + + # You can define any steps you want, and they will run before the agent starts. + # If you do not check out your code, Copilot will do this for you. + steps: + - name: Checkout code + uses: actions/checkout@v5.0.0 + with: + persist-credentials: false + + - name: Set up Python + uses: actions/setup-python@v6.0.0 + with: + python-version: 3.12 + + - name: Install dependencies + run: | + pip install -r requirements.txt -r requirements-test.txt diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index edfd2e5..090affb 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -15,5 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Build the Docker image run: docker build . --file Dockerfile --platform linux/amd64 --tag stale_repos:"$(date +%s)" diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml index 8b03527..2273d76 100644 --- a/.github/workflows/linter.yaml 
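Review bot: `python-version: 3.12` in the new `copilot-setup-steps.yml` is an unquoted float, whereas the `linter.yaml` hunk in this same series writes `python-version: "3.12"`; 3.12 survives, but the same form would turn `3.10` into `3.1`, so quote it for consistency: `python-version: "3.12"`. Both actions here are pinned by tag (`actions/checkout@v5.0.0`, `actions/setup-python@v6.0.0`) while every other action in the repo is pinned to a full SHA with a version comment, and Scorecard's Pinned-Dependencies check (the repo runs `scorecard.yml`) will flag tag pins; the existing checkout lines elsewhere use the same tag form, so this may be deliberate, but if so a short comment above the step saying why would stop the question recurring.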
+++ b/.github/workflows/linter.yaml @@ -23,6 +23,11 @@ jobs: # Full git history is needed to get a proper # list of changed files within `super-linter` fetch-depth: 0 + persist-credentials: false + - name: Setup Python + uses: actions/setup-python@v6.0.0 + with: + python-version: "3.12" - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/.github/workflows/major-version-updater.yml b/.github/workflows/major-version-updater.yml index d778770..693997e 100644 --- a/.github/workflows/major-version-updater.yml +++ b/.github/workflows/major-version-updater.yml @@ -21,6 +21,7 @@ jobs: with: fetch-tags: true ref: ${{ github.event.inputs.TAG_NAME || github.ref }} + persist-credentials: false - name: version id: version run: | diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml index 0f95ae1..dc7fd47 100644 --- a/.github/workflows/python-package.yml +++ b/.github/workflows/python-package.yml @@ -20,8 +20,10 @@ jobs: python-version: [3.11, 3.12, 3.13] steps: - uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5.6.0 + uses: actions/setup-python@v6.0.0 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/.github/workflows/use-action.yml b/.github/workflows/use-action.yml index c838986..c756339 100644 --- a/.github/workflows/use-action.yml +++ b/.github/workflows/use-action.yml @@ -20,6 +20,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Run stale_repos tool uses: docker://ghcr.io/github/stale_repos:v3 env: diff --git a/Dockerfile b/Dockerfile index 23fd630..c4445f8 100644 --- a/Dockerfile +++ b/Dockerfile 
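Review bot: Adding `persist-credentials: false` to the checkout in `major-version-updater.yml` removes the token that the later `git push -f origin v…` step (outside this hunk; see patch 3 of this series) relies on, so the tag push will run unauthenticated and fail unless a step not shown here configures credentials. If the push is meant to keep working, either leave credentials persisted on this one checkout with a comment explaining it, `# credentials kept: a later step force-pushes the major tag`, or have the push step authenticate explicitly, e.g. `git push -f "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "v${MAJOR}"` with the token supplied via `env:`, which keeps the credential scoped to the single step that needs it.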
@@ -16,7 +16,17 @@ COPY requirements.txt *.py /action/workspace/ RUN python3 -m pip install --no-cache-dir -r requirements.txt \ && apt-get -y update \ && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \ - && rm -rf /var/lib/apt/lists/* + && rm -rf /var/lib/apt/lists/* \ + && addgroup --system appuser \ + && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \ + && chown -R appuser:appuser /action/workspace + +# Run the action as a non-root user +USER appuser + +# Add a simple healthcheck to satisfy container scanners +HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \ + CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/stale_repos.py') else 1)" CMD ["/action/workspace/stale_repos.py"] ENTRYPOINT ["python3", "-u"] From a0bfa77cf743155eb61dc518a130f460f87c9480 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Thu, 11 Sep 2025 14:48:30 -0500 Subject: [PATCH 3/4] fix: linting of major version updater file Signed-off-by: jmeridth --- .github/workflows/major-version-updater.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/major-version-updater.yml b/.github/workflows/major-version-updater.yml index 693997e..2865ac8 100644 --- a/.github/workflows/major-version-updater.yml +++ b/.github/workflows/major-version-updater.yml @@ -31,5 +31,8 @@ jobs: { echo "tag=${tag}"; echo "version=${version}"; echo "major=${major}"; } >> "$GITHUB_OUTPUT" - name: force update major tag run: | - git tag -f v${{ steps.version.outputs.major }} ${{ steps.version.outputs.tag }} - git push -f origin v${{ steps.version.outputs.major }} + git tag -f v${STEPS_VERSION_OUTPUTS_MAJOR} ${STEPS_VERSION_OUTPUTS_TAG} + git push -f origin v${STEPS_VERSION_OUTPUTS_MAJOR} + env: + STEPS_VERSION_OUTPUTS_MAJOR: ${{ steps.version.outputs.major }} + STEPS_VERSION_OUTPUTS_TAG: ${{ steps.version.outputs.tag }} \ No newline at end of file 
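Review bot: `USER appuser` may break the action at runtime: GitHub's Dockerfile guidance for container actions advises against `USER` because the runner mounts `GITHUB_WORKSPACE` owned by its own uid, and a non-root container user may not be able to write there — `use-action.yml` runs this very image via `docker://ghcr.io/github/stale_repos:v3`. Verify with a run that exercises whatever output file the tool writes before merging, or note the constraint above the line, `# USER is safe here only while the action writes nothing into GITHUB_WORKSPACE`. The HEALTHCHECK only probes that `stale_repos.py` exists, which is guaranteed once the COPY succeeded, so it never detects anything; the comment `# Add a simple healthcheck to satisfy container scanners` is honest, but say explicitly that it is not a liveness check for a one-shot CLI, e.g. `# file-existence probe only; this image runs a one-shot CLI, not a service`.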
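Review bot: Moving the expressions into `env:` closes the template-injection path, but `v${STEPS_VERSION_OUTPUTS_MAJOR}` and `${STEPS_VERSION_OUTPUTS_TAG}` are still unquoted and unchecked: if the `version` step (outside this hunk) yields an empty `major`, the step runs `git tag -f v <tag>` and force-pushes a tag literally named `v`; an empty `tag` makes `git tag -f vN` point the major tag at whatever HEAD happens to be checked out. Guard and quote them: `: "${STEPS_VERSION_OUTPUTS_MAJOR:?major not set}" "${STEPS_VERSION_OUTPUTS_TAG:?tag not set}"`, `git tag -f "v${STEPS_VERSION_OUTPUTS_MAJOR}" "${STEPS_VERSION_OUTPUTS_TAG}"`, `git push -f origin "v${STEPS_VERSION_OUTPUTS_MAJOR}"` — the runner's default `bash -e` for `run:` makes the `:?` expansion abort the step before anything is tagged or pushed.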
From 89dc76124b16b54f04a68352b028495a98ffbf77 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Thu, 11 Sep 2025 14:51:51 -0500 Subject: [PATCH 4/4] linting: prettier Signed-off-by: jmeridth --- .github/workflows/major-version-updater.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/major-version-updater.yml b/.github/workflows/major-version-updater.yml index 2865ac8..e037a64 100644 --- a/.github/workflows/major-version-updater.yml +++ b/.github/workflows/major-version-updater.yml @@ -35,4 +35,4 @@ jobs: git push -f origin v${STEPS_VERSION_OUTPUTS_MAJOR} env: STEPS_VERSION_OUTPUTS_MAJOR: ${{ steps.version.outputs.major }} - STEPS_VERSION_OUTPUTS_TAG: ${{ steps.version.outputs.tag }} \ No newline at end of file + STEPS_VERSION_OUTPUTS_TAG: ${{ steps.version.outputs.tag }}