From dabc984b09dd5dd24cd3f7ca697c34ba812bedc0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sat, 30 Nov 2024 03:37:56 +0000
Subject: [PATCH 1/2] add Renovate and custom workflow files

---
 .github/ISSUE_TEMPLATE/bug_report.md | 36 ----
 .github/ISSUE_TEMPLATE/feature_request.md | 26 ---
 .github/bump_version.py | 23 ---
 .github/pr-labeler.yml | 7 -
 .github/workflows/black-format-code.yml | 58 ------
 .github/workflows/docs-check.yaml | 38 ----
 .github/workflows/docs-publish.yaml | 49 -----
 .github/workflows/pr-labeler.yaml | 19 --
 .github/workflows/python-build.yaml | 69 -------
 .github/workflows/python-upload-package.yaml | 34 ----
 .github/workflows/release.yaml | 52 ------
 .github/workflows/reuse-compliance.yaml | 18 --
 .github/workflows/sonarcloud.yml | 72 --------
 .github/workflows/sync-fork.yml | 89 +++++++++
 .../trivy-dependencies-submission.yml | 27 +++
 .gitignore | 174 ------------------
 renovate.json5 | 12 ++
 17 files changed, 128 insertions(+), 675 deletions(-)
 delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
 delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.md
 delete mode 100644 .github/bump_version.py
 delete mode 100644 .github/pr-labeler.yml
 delete mode 100644 .github/workflows/black-format-code.yml
 delete mode 100644 .github/workflows/docs-check.yaml
 delete mode 100644 .github/workflows/docs-publish.yaml
 delete mode 100644 .github/workflows/pr-labeler.yaml
 delete mode 100644 .github/workflows/python-build.yaml
 delete mode 100644 .github/workflows/python-upload-package.yaml
 delete mode 100644 .github/workflows/release.yaml
 delete mode 100644 .github/workflows/reuse-compliance.yaml
 delete mode 100644 .github/workflows/sonarcloud.yml
 create mode 100644 .github/workflows/sync-fork.yml
 create mode 100644 .github/workflows/trivy-dependencies-submission.yml
 delete mode 100644 .gitignore
 create mode 100644 renovate.json5
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 7baa2061c..000000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,36 +0,0 @@ - ---- -name: Bug report -about: Create a report to help us improve -title: '' -labels: '' -assignees: '' - ---- - -**Describe the bug** -A clear and concise description of what the bug is. - -**To Reproduce** -Steps to reproduce the behavior: -1. Go to '...' -2. Click on '....' - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Screenshots** -If applicable, add screenshots to help explain your problem. - -**Desktop (please complete the following information):** - - OS: [e.g. iOS] - - Browser [e.g. chrome, safari] - - Version [e.g. 22] - - -**Additional context** -Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index 091974c23..000000000 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null @@ -1,26 +0,0 @@ - - ---- -name: Feature request -about: Suggest an idea for this project -title: '' -labels: '' -assignees: '' - ---- - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. diff --git a/.github/bump_version.py b/.github/bump_version.py deleted file mode 100644 index f60157947..000000000 --- a/.github/bump_version.py +++ /dev/null 
@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-
-import re
-
-with open("setup.py", "r") as file:
- version_content = file.read()
-# Match regex for pattern
-old_semantic_version = re.findall(
- r'version="(\d+\.\d+\.[a-zA-Z0-9]+)",', version_content
-)
-major_version, minor_version, patch_version = old_semantic_version[0].split(".")
-patch_version = int(re.findall(r"\d+", patch_version)[0])
-new_semantic_version = f"{major_version}.{minor_version}.{patch_version + 1}"
-regex_bumped_patch_version = f"\g<1>{new_semantic_version}"
-# Match regex for pattern
-bumped_version_content = re.sub(
- r'(version=")\d+\.\d+\.[a-zA-Z0-9]+', regex_bumped_patch_version, version_content
-)
-with open("setup.py", "w") as file:
- file.write(bumped_version_content)
-print(new_semantic_version) # Print is required for release in github action
diff --git a/.github/pr-labeler.yml b/.github/pr-labeler.yml
deleted file mode 100644
index 5d25e2adc..000000000
--- a/.github/pr-labeler.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-# config of action in ./workflows/...
-feature: ['feature*', 'feat*']
-fix: ['fix*','bugfix*','hotfix*']
-chore: ['chore*', 'doc*']
diff --git a/.github/workflows/black-format-code.yml b/.github/workflows/black-format-code.yml
deleted file mode 100644
index fe606a5e9..000000000
--- a/.github/workflows/black-format-code.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-
-# Copied from https://github.com/psf/black/actions/runs/17913292/workflow
-
-# GitHub Action that uses Black to reformat the Python code in an incoming pull request.
-# If all Python code in the pull request is compliant with Black then this Action
-# does nothing. Otherwise, Black is run and its changes are committed to the
-# incoming pull request. See https://github.com/cclauss/autoblack for a similar example.
-
-name: Black Format Code
-
-on: [pull_request]
-
-jobs:
- build:
-
- runs-on: ubuntu-latest
- strategy:
- matrix:
- python-version: ['3.11']
-
- permissions:
- # Give the default GITHUB_TOKEN write permission to commit and push the
- # added or changed files to the repository.
- contents: write
-
- steps:
- # Checkout
- - name: Checkout
- uses: actions/checkout@v2
- # Setup
- - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
- with:
- python-version: ${{ matrix.python-version }}
- # Install black
- - name: Install Black
- run: pip install black==23.9.1 pydocstyle==6.1.1 docformatter==1.5.0 toml==0.10.2
- # Run black --check
- - name: Run black --check . and PydocStyle check
- run: |
- black --check .
- pydocstyle .
- # Run black (if needed)
- - name: If needed, commit black changes to the pull request
- if: failure()
- run: |
- black .
- docformatter openstef --recursive --wrap-summaries 120 --in-place
- git config --global user.name 'black'
- git config --global user.email 'action@github.com'
- git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
- git fetch
- git checkout ${{ github.head_ref }}
- git commit --signoff -am "Format Python code with Black"
- git push
diff --git a/.github/workflows/docs-check.yaml b/.github/workflows/docs-check.yaml
deleted file mode 100644
index ea5351900..000000000
--- a/.github/workflows/docs-check.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project
-#
-# SPDX-License-Identifier: MPL-2.0
-name: Docs Check
-
-# Check docs when directly editing develop or main
-# and on pull request
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - "**"
-
-jobs:
- docs:
- runs-on: ubuntu-latest
- steps:
- # Checkout
- - name: Checkout code
- uses: actions/checkout@v2
-
- # Setup python version
- - uses: actions/setup-python@v4
- with:
- python-version: '3.11'
-
- # Build documentation
- - name: Build documentation
- run: |
- cp requirements.txt docs/requirements.txt &&\
- printf "\npydata-sphinx-theme==0.12.0\n" >> docs/requirements.txt &&\
- printf "\njinja2==3.0.0\n" >> docs/requirements.txt &&\
- printf "\nsphinx_autodoc_typehints==1.19.4\n" >> docs/requirements.txt &&\
- printf "\nmkdocs==1.2.3\n" >> docs/requirements.txt &&\
- pip install -r docs/requirements.txt &&\
- sphinx-apidoc -o docs openstef
diff --git a/.github/workflows/docs-publish.yaml b/.github/workflows/docs-publish.yaml
deleted file mode 100644
index 5034f79d2..000000000
--- a/.github/workflows/docs-publish.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-name: Deploy Sphinx documentation to Pages
-
-# Runs on pushes targeting the default branch
-on:
- push:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- permissions:
- # Give the default GITHUB_TOKEN write permission to commit and push the
- # added or changed files to the repository.
- contents: write
-
- steps:
- - uses: actions/setup-python@v2
- - uses: actions/checkout@master
- with:
- fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
-
- # Setup python version
- - uses: actions/setup-python@v4
- with:
- python-version: '3.11'
- # Run pre-build command
- - run: |
- cp requirements.txt docs/requirements.txt &&\
- printf "\npydata-sphinx-theme==0.12.0\n" >> docs/requirements.txt &&\
- printf "\njinja2==3.0.0\n" >> docs/requirements.txt &&\
- printf "\nsphinx_autodoc_typehints==1.19.4\n" >> docs/requirements.txt &&\
- printf "\nmkdocs==1.2.3\n" >> docs/requirements.txt &&\
- pip install -r docs/requirements.txt &&\
- sphinx-apidoc -o docs openstef
-
- - name: Build and commit
- uses: sphinx-notes/pages@v2
- with:
- requirements_path: ./docs/requirements.txt
-
- - name: Push changes
- uses: ad-m/github-push-action@master
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- branch: gh-pages
diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
deleted file mode 100644
index 19cd88b4e..000000000
--- a/.github/workflows/pr-labeler.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-# Automatically label PRs, config in ../pr-labler.yml
-name: PR Labeler
-on:
- pull_request:
- types: [opened]
-
-jobs:
- pr-labeler:
- runs-on: ubuntu-latest
- steps:
- - uses: TimonVS/pr-labeler-action@v3
- with:
- configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/python-build.yaml b/.github/workflows/python-build.yaml
deleted file mode 100644
index 828834f58..000000000
--- a/.github/workflows/python-build.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-name: Python Build
-
-on:
- pull_request:
- push:
- branches:
- - main
-
-jobs:
- build:
- name: Python Build
- runs-on: ubuntu-latest
- strategy:
- matrix:
- python-version: [3.11]
-
- steps:
- # Checkout
- - name: Checkout code
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- # Setup
- - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
- with:
- python-version: ${{ matrix.python-version }}
- # Restore
- - name: Restore pip cache
- uses: actions/cache@v2
- with:
- # This path is specific to Ubuntu
- path: ~/.cache/pip
- # Look to see if there is a cache hit for the corresponding requirements file
- key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
- restore-keys: |
- ${{ runner.os }}-pip-
- ${{ runner.os }}-
- # Install
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip setuptools wheel
- pip install -r requirements.txt
- # Very limited linting with Flake8 (see setup.cfg for configuration)
- - name: Lint
- run: |
- pip install flake8
- # Stop build on a couple more serious violations
- # See https://flake8.pycqa.org/en/latest/user/error-codes.html for more details
- flake8 . --count --select=E9,F63,F7,F8 --show-source --statistics
- # Only print warnings on all other errors
- flake8 .
--count --exit-zero --show-source --statistics
- # Test
- - name: Unit test with pytest
- run: |
- pip install -r test-requirements.txt
- pytest --cov-report=xml --cov=openstef/ test/ --junitxml=pytest-report.xml
- # Fix relative paths in coverage file
- # Known bug: https://community.sonarsource.com/t/sonar-on-github-actions-with-python-coverage-source-issue/36057
- - name: fix code coverage paths
- run: |
- sed -i 's/\/home\/runner\/work\/openstef\/openstef\//\/github\/workspace\//g' coverage.xml
- # Build
- - name: Build Python package
- run: |
- python setup.py sdist bdist_wheel
diff --git a/.github/workflows/python-upload-package.yaml b/.github/workflows/python-upload-package.yaml
deleted file mode 100644
index 81520cba2..000000000
--- a/.github/workflows/python-upload-package.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-name: Python Upload Package
-
-on:
- - release
-
-jobs:
- deploy:
- runs-on: ubuntu-latest
- environment: release
- permissions:
- # IMPORTANT: this permission is mandatory for trusted publishing
- id-token: write
- steps:
- # Checkout
- - name: Checkout code
- uses: actions/checkout@v2
- # Setup
- - name: Set up Python
- uses: actions/setup-python@v2
- with:
- python-version: '3.x'
- # Install (packaging) dependencies
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- pip install setuptools wheel twine
- # Build and publish
- - name: Build
- run: python setup.py sdist bdist_wheel
- name: Publish
- uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
deleted file mode 100644
index 03beb49a8..000000000
--- a/.github/workflows/release.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-
-name: Release
-
-# Trigger when a python file is changed on main branch either from pull request or push
-# but not when only setup.py is changed due to version bump
-on:
- push:
- branches:
- - 'main'
- paths:
- - '**.py'
- - '!setup.py'
- - 'requirements.txt'
- workflow_dispatch:
-
-jobs:
- # Releases new Python version when Pull Requests are merged into "main"
- release:
- runs-on: ubuntu-latest
- steps:
- # Checkout
- - name: Checkout
- uses: actions/checkout@v2
- with:
- persist-credentials: false
- # Setup
- - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
- with:
- python-version: ${{ matrix.python-version }}
- # Bump and commit version. The upload to pypi step happens after github release.
- - name: Bump version and commit bumped version back to branch
- env:
- GITHUB_ACCESS_TOKEN: ${{ secrets.OPENSTEF_GITHUB_TOKEN }}
- id: version
- run: |
- version=$(python .github/bump_version.py)
- git config --global user.name 'bump_version'
- git config --global user.email 'action@github.com'
- git remote set-url origin "https://$GITHUB_ACCESS_TOKEN@github.com/$GITHUB_REPOSITORY"
- git commit --signoff -am "Bumped minor version"
- git push
- echo "BUMPED_VERSION=$(echo v$version)" >> $GITHUB_ENV
- echo "New version: $version"
- # Create new release (does not work with standard github token, but needs PAT)
- - name: Create Release
- run: gh release create ${{ env.BUMPED_VERSION }} --generate-notes
- env:
- GITHUB_TOKEN: ${{ secrets.OPENSTEF_GITHUB_TOKEN }}
diff --git a/.github/workflows/reuse-compliance.yaml b/.github/workflows/reuse-compliance.yaml
deleted file mode 100644
index 869fa2a4f..000000000
--- a/.github/workflows/reuse-compliance.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-name: REUSE Compliance Check
-
-on:
- - push
-
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- # Checkout
- - name: checkout
- uses: actions/checkout@v2
- # Reuse
- - name: REUSE Compliance Check
- uses: fsfe/reuse-action@v1
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
deleted file mode 100644
index 5abf3ed9d..000000000
--- a/.github/workflows/sonarcloud.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501
-#
-# SPDX-License-Identifier: MPL-2.0
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow helps you trigger a SonarCloud analysis of your code and populates
-# GitHub Code Scanning alerts with the vulnerabilities found.
-# Free for open source project.
-
-# 1. Login to SonarCloud.io using your GitHub account
-
-# 2. Import your project on SonarCloud
-# * Add your GitHub organization first, then add your repository as a new project.
-# * Please note that many languages are eligible for automatic analysis,
-# which means that the analysis will start automatically without the need to set up GitHub Actions.
-# * This behavior can be changed in Administration > Analysis Method.
-#
-# 3. Follow the SonarCloud in-product tutorial
-# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
-# (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
-#
-# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
-# (On SonarCloud, click on your avatar on top-right > My account > Security
-# or go directly to https://sonarcloud.io/account/security/)
-
-# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
-# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
-
-name: SonarCloud analysis
-
-on:
- workflow_run:
- workflows:
- - "Python Build"
- types:
- - completed
- workflow_dispatch:
-
-permissions:
- pull-requests: read # allows SonarCloud to decorate PRs with analysis results
-
-jobs:
- Analysis:
- runs-on: ubuntu-latest
- steps:
- # Checkout main to get access to the SONAR_TOKEN.
PR from forked repo does not have access to it.
- - uses: actions/checkout@v4
- with:
- repository: ${{ github.event.workflow_run.head_repository.full_name }}
- ref: ${{ github.event.workflow_run.head_branch }}
- fetch-depth: 0
- - name: Analyze with SonarCloud
- if: ${{ github.actor != 'dependabot[bot]' }}
- # You can pin the exact commit or the version.
- # uses: SonarSource/sonarcloud-github-action@v2.2.0
- uses: SonarSource/sonarcloud-github-action@master
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- # Additional arguments for the SonarScanner CLI
- args: >
- -Dsonar.projectKey=OpenSTEF_openstef
- -Dsonar.organization=openstef
- -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
- -Dsonar.pullrequest.key=${{ github.event.workflow_run.pull_requests[0].number }}
- -Dsonar.pullrequest.branch=${{ github.event.workflow_run.pull_requests[0].head.ref }}
- -Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}
diff --git a/.github/workflows/sync-fork.yml b/.github/workflows/sync-fork.yml
new file mode 100644
index 000000000..42ba38054
--- /dev/null
+++ b/.github/workflows/sync-fork.yml
@@ -0,0 +1,89 @@
+name: Sync fork
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: "15 3 * * *" # Run every day at 3:15 UTC
+
+jobs:
+ sync:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout fork's default branch
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ path: "fork"
+ token: ${{ secrets.GH_PAT }}
+ - name: Checkout fork's configuration branch
+ uses: actions/checkout@v4
+ with:
+ path: "configuration"
+ ref: "renovate-and-workflow-files"
+ token: ${{ secrets.GH_PAT }}
+ - name: Determine Upstream clone URL
+ id: upstream-repo-clone-url
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { data } = await github.rest.repos.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ if (data.fork) {
+ return data.parent.clone_url;
+ } else {
+ throw new Error('This repository is not a fork.');
+ }
+ result-encoding: string
+ - name: Determine Upstream default branch
+ id: upstream-repo-default-branch
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { data } = await github.rest.repos.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ if (data.fork) {
+ return data.parent.default_branch;
+ } else {
+ throw new Error('This repository is not a fork.');
+ }
+ result-encoding: string
+ - name: Sync fork with upstream
+ run: |
+ set -ex
+ cd fork
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git remote add upstream ${{ steps.upstream-repo-clone-url.outputs.result }}
+ git fetch upstream ${{ steps.upstream-repo-default-branch.outputs.result }}
+ UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log upstream/${{ steps.upstream-repo-default-branch.outputs.result }} -n 1 --format="%H")
+ PREVIOUS_SYNC_COMMIT_HASH=$(cat ../configuration/upstream_commit_hash)
+ if [ "$PREVIOUS_SYNC_COMMIT_HASH" = "$UPSTREAM_MOST_RECENT_COMMIT_HASH" ]; then
+ echo "No need to sync, already up-to-date"
+ exit 0
+ fi
+
+ git reset --hard
upstream/${{ steps.upstream-repo-default-branch.outputs.result }}
+ # Enforce the usage of our own config (renovate.json5)
+ git rm renovate.json* || true
+ # Avoid problems where an existing .gitignore file would prevent committing our configuration files
+ git rm .gitignore || true
+ # Delete existing workflows, we don't need to run them in our fork
+ rm -rf .github || true
+ # Instead of using "cp -r", rsync allows us to exclude the .git directory
+ rsync -av --exclude '.git' ../configuration/ .
+ rm upstream_commit_hash
+ git add .
+ git commit -m "add Renovate and custom workflow files"
+ git push --force-with-lease
+
+ cd ../configuration
+ # git config user.name "github-actions[bot]"
+ # git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ echo $UPSTREAM_MOST_RECENT_COMMIT_HASH > upstream_commit_hash
+ git add upstream_commit_hash
+ git commit -m "update commit hash to $UPSTREAM_MOST_RECENT_COMMIT_HASH"
+ git push
diff --git a/.github/workflows/trivy-dependencies-submission.yml b/.github/workflows/trivy-dependencies-submission.yml
new file mode 100644
index 000000000..71f59af7e
--- /dev/null
+++ b/.github/workflows/trivy-dependencies-submission.yml
@@ -0,0 +1,27 @@
+name: SBOM upload from Trivy
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: "0 9 */5 * *" # Run every fifth day at 9 AM UTC
+
+jobs:
+ SBOM-upload:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'github'
+ output: 'trivy-results.gsbom'
+ github-pat: ${{ secrets.GITHUB_TOKEN }} # this causes a curl call to upload the snapshot
+
+ - name: Upload report file
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-results
+ path: trivy-results.gsbom
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 64f3b3fe4..000000000
--- a/.gitignore
+++ /dev/null
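Review bot: The upstream clone URL and default-branch name are interpolated with `${{ steps.…outputs.result }}` straight into the `run:` script of the "Sync fork with upstream" step (`git remote add upstream …`, `git fetch upstream …`, the `git log upstream/…` line and `git reset --hard upstream/…`), so the values are pasted into the bash text before it is parsed. Both come from the parent repository through `repos.get`, i.e. from whoever controls upstream, and a branch name with shell metacharacters would execute inside a job that holds `GH_PAT` and force-pushes the fork's default branch. Passing the two outputs through `env:` and quoting them keeps the values as data, as in the excerpt below. The job also declares no `permissions:`; since both checkouts use the PAT and `github-script` only reads `repos.get`, a job-level `permissions:` / `  contents: read` would keep the default `GITHUB_TOKEN` at the minimum, though I cannot see the repository's default token setting from here.
```yaml
      - name: Sync fork with upstream
        env:
          UPSTREAM_URL: ${{ steps.upstream-repo-clone-url.outputs.result }}
          UPSTREAM_BRANCH: ${{ steps.upstream-repo-default-branch.outputs.result }}
        run: |
          set -ex
          cd fork
          # … unchanged: git user.name / user.email config …
          git remote add upstream "$UPSTREAM_URL"
          git fetch upstream "$UPSTREAM_BRANCH"
          UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log "upstream/$UPSTREAM_BRANCH" -n 1 --format="%H")
          # … unchanged: compare with ../configuration/upstream_commit_hash, exit 0 when equal …
          git reset --hard "upstream/$UPSTREAM_BRANCH"
          # … unchanged: overlay configuration files, commit, force-with-lease push, record hash …
```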
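Review bot: The `SBOM-upload` job declares no `permissions:` block, yet `github-pat: ${{ secrets.GITHUB_TOKEN }}` (which the inline comment says triggers the snapshot upload) is used to write to the dependency-submission API, which to my knowledge needs `contents: write` on the token; whether that works here depends on the repository's default token permissions, which a workflow should not rely on. Adding `permissions:` / `  contents: write` directly under `SBOM-upload:` makes the requirement explicit and leaves every other scope at none. Separately, `uses: aquasecurity/trivy-action@0.23.0` references a mutable tag for a third-party action that receives the token; pinning it to the full commit SHA of that release (tag kept in a trailing `# v0.23.0` comment) prevents the job from changing under a moved tag.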
@@ -1,174 +0,0 @@ -# SPDX-FileCopyrightText: 2017-2023 Contributors to the OpenSTEF project # noqa E501> - -# SPDX-License-Identifier: MPL-2.0 - -# Optional local user config -config.user.yaml -git-template - -# Ignore these folders -prof/ -docs/build/ -output/ -certificates/ -ktprognoses.egg-info/ -.idea/ -.vscode/ -test/component/mlruns -test/component/307 -test/unit/trained_models/307 -test/unit/trained_models/mlruns/* -!test/unit/trained_models/mlruns/893156335105023143/ - -# Ignore these files -.DS_Store -tmp - - -# default Python .gitignore template: https://raw.githubusercontent.com/github/gitignore/master/Python.gitignore - -# Byte-compiled / optimized / DLL files -__pycache__/ -*.py[cod] -*$py.class - -# C extensions -*.so - -# Distribution / packaging -.Python -build/ -develop-eggs/ -dist/ -downloads/ -eggs/ -.eggs/ -lib/ -lib64/ -parts/ -sdist/ -var/ -wheels/ -share/python-wheels/ -*.egg-info/ -.installed.cfg -*.egg -MANIFEST - -# PyInstaller -# Usually these files are written by a python script from a template -# before PyInstaller builds the exe, so as to inject date/other infos into it. 
-*.manifest -*.spec - -# Installer logs -pip-log.txt -pip-delete-this-directory.txt - -# Unit test / coverage reports -htmlcov/ -.tox/ -.nox/ -.coverage -.coverage.* -.cache -nosetests.xml -coverage.xml -*.cover -*.py,cover -.hypothesis/ -.pytest_cache/ -cover/ -pytest-report.xml - - -# Translations -*.mo -*.pot - -# Django stuff: -*.log -local_settings.py -db.sqlite3 -db.sqlite3-journal - -# Flask stuff: -instance/ -.webassets-cache - -# Scrapy stuff: -.scrapy - -# Sphinx documentation -docs/_build/ -docs/openstef*.rst -docs/modules*.rst - - -# PyBuilder -.pybuilder/ -target/ - - -# Jupyter Notebook -.ipynb_checkpoints - -# IPython -profile_default/ -ipython_config.py - -# pyenv -# For a library or package, you might want to ignore these files since the code is -# intended to run in multiple environments; otherwise, check them in: -# .python-version - -# pipenv -# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. -# However, in case of collaboration, if having platform-specific dependencies or dependencies -# having no cross-platform support, pipenv may install dependencies that don't work, or not -# install all needed dependencies. -#Pipfile.lock - -# PEP 582; used by e.g. github.com/David-OConnor/pyflow -__pypackages__/ - -# Celery stuff -celerybeat-schedule -celerybeat.pid - -# SageMath parsed files -*.sage.py - -# Environments -.env -.venv -env/ -venv/ -ENV/ -env.bak/ -venv.bak/ - -# Spyder project settings -.spyderproject -.spyproject - -# Rope project settings -.ropeproject - -# mkdocs documentation -/site - -# mypy -.mypy_cache/ -.dmypy.json -dmypy.json - -# Pyre type checker -.pyre/ - -# pytype static type analyzer -.pytype/ - -# Cython debug symbols -cython_debug/ -test/test/ diff --git a/renovate.json5 b/renovate.json5 new file mode 100644 index 000000000..53fe2ac32 --- /dev/null +++ b/renovate.json5 
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":disableRateLimiting"
+ ],
+ "labels": ["dependencies", "depManager:{{{manager}}}"],
+ "vulnerabilityAlerts": {
+ "labels": ["security", "dependencies", "depManager:{{{manager}}}"],
+ },
+ "forkProcessing": "enabled"
+}
From df4fbb22649bfe94c8798f95d2cfb15902bc79fb Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 2 Dec 2024 05:57:20 +0000
Subject: [PATCH 2/2] chore(deps): update dependency pytest to v8

---
 test-requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test-requirements.txt b/test-requirements.txt
index ce1a2ffb0..23cc69a36 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -13,6 +13,6 @@ freezegun~=1.2.2
 isort==5.10.1
 pydocstyle==6.1.1
 pylint==2.15.4
-pytest==7.1.3
+pytest==8.3.4
 pytest-asyncio==0.19.0
 pytest-cov==4.0.0
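Review bot: The `extends` list pins nothing for GitHub Actions, so the `uses: …@v4` / `@0.23.0` tag references in the workflows this branch ships will stay mutable tags; adding `"helpers:pinGitHubActionDigests"` to `extends` makes Renovate rewrite them to full commit SHAs and keep those SHAs current, which is the supply-chain control the rest of this change (Trivy SBOM upload, `security`-labelled vulnerability alerts) is aiming at. `:disableRateLimiting` removes the hourly and concurrent PR caps of `config:recommended`, so on a fork with many outdated pins the first run can open a large burst of PRs; that may well be intended for a fork that exists only to receive updates, but a one-line comment would save the next reader the question, e.g. `// no PR rate limit: this fork only exists to receive dependency updates`.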