Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move deps to requirements txt #245

Merged
merged 6 commits into from
Jan 28, 2025
Merged

Move deps to requirements txt #245

merged 6 commits into from
Jan 28, 2025

Conversation

bact
Copy link
Collaborator

@bact bact commented Jan 27, 2025
edited
Loading

Looks like the dependency pinning way that will satisfy security scan is to put Python dependencies in requirements.txt.
This PR creates "requirements.txt" for each workflow:

  • apidoc.yml uses .github/requirements/apidoc.txt
  • pylint.yml uses .github/requirements/pylint.txt
  • python-publish.yml uses .github/requirements/python-publish.txt

Should addresses issues like ones in

This PR also move top-level permissions to the job-level, to address Token-Permissions warning.

--

Note: This PR doesn't touch build.yml yet as I still have to figure out how to do this without failing pytest.

bact added 4 commits January 27, 2025 21:32
@bact
Pin dependencies in requirements.txt
42c7373 
Signed-off-by: Arthit Suriyawongkul <[email protected]>
@bact
Fix path
09d93a0 
Signed-off-by: Arthit Suriyawongkul <[email protected]>
@bact
Revert build.yml
1e69bd0 
Signed-off-by: Arthit Suriyawongkul <[email protected]>
@bact
Revert Pipfile packages section
14089a3 
Signed-off-by: Arthit Suriyawongkul <[email protected]>
@bact bact added the github_actions Pull requests that update GitHub Actions code label Jan 27, 2025
@bact bact marked this pull request as draft January 27, 2025 22:20
@jspeed-meyers jspeed-meyers self-requested a review January 27, 2025 22:29
@bact
Revert Pipfile
7e71d4a 
Signed-off-by: Arthit Suriyawongkul <[email protected]>
@bact bact marked this pull request as ready for review January 27, 2025 22:32
@bact
Copy link
Collaborator Author

bact commented Jan 27, 2025

@jspeed-meyers I'm not 100% sure if this will resolve the issue, I just try to follow the suggestions provided by the code scanning page. Please see if this makes sense.

@bact
Move permission to job level
0a2abeb 
Was at top level

Signed-off-by: Arthit Suriyawongkul <[email protected]>
@jspeed-meyers
Copy link
Collaborator

@bact: Looks good to me. Let's try it! TY!

@jspeed-meyers jspeed-meyers merged commit 9e82e73 into spdx:main Jan 28, 2025
6 checks passed
@bact bact mentioned this pull request Jan 28, 2025
Merged
@bact bact deleted the move-deps-to-requirements-txt branch March 12, 2025 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jspeed-meyers jspeed-meyers jspeed-meyers approved these changes

Assignees

@bact bact

Labels
github_actions Pull requests that update GitHub Actions code security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bact @jspeed-meyers