Pin dependencies #239

Merged
merged 3 commits into from
Jan 27, 2025

Conversation

bact
Collaborator

@bact bact commented Jan 27, 2025

To fix some OpenSSF code scanning warnings

  • Pin Python dependencies
  • Limit scope of permissions in apidoc workflow
  • Upgrade actions/upload-artifact to v4 (v3 is deprecated on 30 Nov 2024)

See: https://github.com/spdx/ntia-conformance-checker/security/code-scanning

To fix code scanning warnings

Signed-off-by: Arthit Suriyawongkul <[email protected]>
@bact bact added the security label Jan 27, 2025
Signed-off-by: Arthit Suriyawongkul <[email protected]>
python -m pip install --upgrade pip
pip install spdx-tools
pip install sphinx sphinx_rtd_theme
pip install pip==25.0
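Review bot: in the lines shown, only pip itself carries a version pin (`pip install pip==25.0`); `pip install spdx-tools` and `pip install sphinx sphinx_rtd_theme` are still unpinned, so if the aim of this PR is to pin the Python dependencies the code scanner flagged, those two installs would need explicit versions as well. Also, `python -m pip install --upgrade pip` followed later by `pip install pip==25.0` upgrades pip to the latest release and then moves it to 25.0, which is redundant and may be a downgrade; the single pinned install is enough.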
Collaborator

First, thank you for this PR. Good idea!

One question I've asked myself: Will dependabot check for and update these dependency version numbers that are in the GitHub Actions .yml files? I think not, but maybe I'm wrong? I ask this because I worry about remembering to update these version numbers occasionally.

I also wonder if it's possible to configure dependabot to check these .yml files for Python dependency updates? Just some thoughts. I say we merge this PR, but I wanted to raise this point for discussion.

Again, good call on this PR!

Collaborator Author

From what I have seen on other repos (spdx-spec and spdx-3-model), dependabot does check Python dependencies in workflow ymls.

Collaborator

Great. Sounds good!

Collaborator

@jspeed-meyers jspeed-meyers left a comment

TY! LGTM.

@bact
Collaborator Author

bact commented Jan 27, 2025

After this gets merged, I will wait for the scorecard/code scanning to update and see if #222 is solved.

@jspeed-meyers jspeed-meyers merged commit c4277ea into spdx:main Jan 27, 2025
6 checks passed
@bact bact added the github_actions Pull requests that update GitHub Actions code label Jan 27, 2025
@bact bact deleted the improve-openssf-scorecard branch January 27, 2025 05:22
Labels
github_actions Pull requests that update GitHub Actions code security
2 participants