Mirrors/kleinanzeigen-bot
1
0
Fork 0
mirror of https://github.com/Second-Hand-Friends/kleinanzeigen-bot.git synced 2026-03-12 02:31:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

ci: Fix CodeQL security warnings (#720)

Browse Source 
## ℹ️ Description

This PR resolves all open CodeQL security warnings by implementing
recommended security best practices for GitHub Actions workflows and
addressing code analysis findings.

**Related**: Resolves CodeQL alerts 37-53

**Motivation**: CodeQL identified 17 security warnings across our
workflows and Python code. These warnings highlight potential supply
chain security risks (unpinned actions), missing security boundaries
(workflow permissions), and false positives that needed proper
documentation.

## 📋 Changes Summary

### Security Hardening
- **Pinned all GitHub Actions to commit SHAs** (26 action references
across 5 workflows)
- Added version comments for maintainability (e.g., `@8e8c483... #
v6.0.0`)
  - Dependabot will now auto-update these pinned SHAs securely
  
### Workflow Permissions
- Added explicit `permissions` block to `update-python-deps.yml`
workflow
- Added explicit `permissions: contents: read` to `publish-coverage` job
in `build.yml`
- Follows principle of least privilege

### Dependabot Configuration
- Enhanced `.github/dependabot.yml` with action update grouping (single
PR instead of multiple)
- Added `rebase-strategy: auto` for automatic conflict resolution

### Code Quality
- Added CodeQL suppression with detailed explanation in
`src/kleinanzeigen_bot/utils/reflect.py`
- Documented why explicit `del stack` is necessary for frame cleanup
(prevents false positive)

### ⚙️ Type of Change
- [x] 🐞 Bug fix (non-breaking change which fixes an issue)
- [ ]  New feature (adds new functionality without breaking existing
usage)
- [ ] 💥 Breaking change (changes that might break existing user setups,
scripts, or configurations)

##  Checklist
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [x] I have tested my changes and ensured that all tests pass (`pdm run
test`).
- [x] I have formatted the code (`pdm run format`).
- [x] I have verified that linting passes (`pdm run lint`).
- [x] I have updated documentation where necessary.

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* CI workflows: pinned external actions to specific commits for
reproducible runs and added explicit permission scopes where required.
* Dependabot: grouped GitHub Actions updates into a single consolidated
group for unified updates and auto-rebasing.
* **Documentation**
* Expanded internal comments clarifying cleanup logic to reduce
potential reference-cycle concerns.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
Jens
2025-12-11 21:24:24 +01:00
committed by GitHub
parent 385af708e5
commit efede9a5a2
7 changed files with 60 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/dependabot.yml vendored
View File

@@ -15,3 +15,6 @@ updates:
- dependencies - dependencies
- gha - gha
- pinned - pinned
groups:
all-actions:
patterns: ["*"]

40
.github/workflows/build.yml vendored
View File

@@ -104,11 +104,12 @@ jobs:
- name: Configure Fast APT Mirror - name: Configure Fast APT Mirror
uses: vegardit/fast-apt-mirror.sh@v1 uses: vegardit/fast-apt-mirror.sh@e5288ed7a13da650050035a7d47c2aa17779bbb3 # v1.4.1
- name: Git Checkout - name: Git Checkout
uses: actions/checkout@v6 # https://github.com/actions/checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
# https://github.com/actions/checkout
- name: "Install: Chromium Browser" - name: "Install: Chromium Browser"
@@ -122,7 +123,7 @@ jobs:
- name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm - name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm
uses: pdm-project/setup-pdm@v4 uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4
with: with:
python-version: "${{ matrix.PYTHON_VERSION }}" python-version: "${{ matrix.PYTHON_VERSION }}"
cache: ${{ !startsWith(matrix.os, 'macos') }} # https://github.com/pdm-project/setup-pdm/issues/55 cache: ${{ !startsWith(matrix.os, 'macos') }} # https://github.com/pdm-project/setup-pdm/issues/55
@@ -246,7 +247,7 @@ jobs:
- name: Upload self-contained executable - name: Upload self-contained executable
uses: actions/upload-artifact@v5 uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
if: (github.ref_name == 'main' || github.ref_name == 'release') && matrix.PUBLISH_RELEASE && !env.ACT if: (github.ref_name == 'main' || github.ref_name == 'release') && matrix.PUBLISH_RELEASE && !env.ACT
with: with:
name: artifacts-${{ matrix.os }} name: artifacts-${{ matrix.os }}
@@ -276,7 +277,7 @@ jobs:
- name: Collect coverage reports - name: Collect coverage reports
uses: actions/upload-artifact@v5 uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
if: (github.ref_name == 'main' || github.event_name == 'pull_request') && !env.ACT if: (github.ref_name == 'main' || github.event_name == 'pull_request') && !env.ACT
with: with:
name: coverage-${{ matrix.os }}-py${{ matrix.PYTHON_VERSION }} name: coverage-${{ matrix.os }}-py${{ matrix.PYTHON_VERSION }}
@@ -293,13 +294,17 @@ jobs:
timeout-minutes: 5 timeout-minutes: 5
if: (github.ref_name == 'main' || github.event_name == 'pull_request') && !github.event.act if: (github.ref_name == 'main' || github.event_name == 'pull_request') && !github.event.act
permissions:
contents: read
steps: steps:
- name: Git Checkout # required to avoid https://docs.codecov.com/docs/error-reference#unusable-reports - name: Git Checkout # required to avoid https://docs.codecov.com/docs/error-reference#unusable-reports
uses: actions/checkout@v6 # https://github.com/actions/checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
# https://github.com/actions/checkout
- name: Download coverage reports - name: Download coverage reports
uses: actions/download-artifact@v6 uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with: with:
pattern: coverage-* pattern: coverage-*
path: coverage path: coverage
@@ -310,7 +315,8 @@ jobs:
- name: Publish unit-test coverage - name: Publish unit-test coverage
uses: codecov/codecov-action@v5 # https://github.com/codecov/codecov-action uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0
# https://github.com/codecov/codecov-action
with: with:
slug: ${{ github.repository }} slug: ${{ github.repository }}
name: unit-coverage name: unit-coverage
@@ -322,7 +328,8 @@ jobs:
- name: Publish integration-test coverage - name: Publish integration-test coverage
uses: codecov/codecov-action@v5 # https://github.com/codecov/codecov-action uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0
# https://github.com/codecov/codecov-action
with: with:
slug: ${{ github.repository }} slug: ${{ github.repository }}
name: integration-coverage name: integration-coverage
@@ -334,7 +341,8 @@ jobs:
- name: Publish smoke-test coverage - name: Publish smoke-test coverage
uses: codecov/codecov-action@v5 # https://github.com/codecov/codecov-action uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0
# https://github.com/codecov/codecov-action
with: with:
slug: ${{ github.repository }} slug: ${{ github.repository }}
name: smoke-coverage name: smoke-coverage
@@ -379,17 +387,18 @@ jobs:
- name: Configure Fast APT Mirror - name: Configure Fast APT Mirror
uses: vegardit/fast-apt-mirror.sh@v1 uses: vegardit/fast-apt-mirror.sh@e5288ed7a13da650050035a7d47c2aa17779bbb3 # v1.4.1
- name: Git Checkout - name: Git Checkout
# only required by "gh release create" to prevent "fatal: Not a git repository" # only required by "gh release create" to prevent "fatal: Not a git repository"
uses: actions/checkout@v6 # https://github.com/actions/checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
# https://github.com/actions/checkout
- name: Delete untagged docker image - name: Delete untagged docker image
continue-on-error: true continue-on-error: true
uses: actions/delete-package-versions@v5 uses: actions/delete-package-versions@25ad4af5be03aef10e0b3376b248688b7a44c40b # v5.0.0
with: with:
token: ${{ github.token }} token: ${{ github.token }}
delete-only-untagged-versions: true delete-only-untagged-versions: true
@@ -398,7 +407,7 @@ jobs:
- name: Download build artifacts - name: Download build artifacts
uses: actions/download-artifact@v6 uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
- name: Rename build artifacts - name: Rename build artifacts
@@ -482,7 +491,8 @@ jobs:
- name: "Delete intermediate build artifacts" - name: "Delete intermediate build artifacts"
uses: geekyeggo/delete-artifact@v5 # https://github.com/GeekyEggo/delete-artifact/ uses: geekyeggo/delete-artifact@b54d29a59e55046d1f7fc8226cdda507e6b9cf62 # v5.0.0
# https://github.com/GeekyEggo/delete-artifact/
with: with:
name: "*" name: "*"
failOnError: false failOnError: false

11
.github/workflows/codeql-analysis.yml vendored
View File

@@ -67,11 +67,12 @@ jobs:
- name: Git Checkout - name: Git Checkout
uses: actions/checkout@v6 # https://github.com/actions/checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
# https://github.com/actions/checkout
- name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm - name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm
uses: pdm-project/setup-pdm@v4 uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4
with: with:
python-version: "${{ env.PYTHON_VERSION }}" python-version: "${{ env.PYTHON_VERSION }}"
cache: true cache: true
@@ -91,7 +92,8 @@ jobs:
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v4 # https://github.com/github/codeql-action/blob/main/init/action.yml uses: github/codeql-action/init@36a9c375704a9813bd709881c97694bcd24e1cb1 # v4.0.0
# https://github.com/github/codeql-action/blob/main/init/action.yml
with: with:
languages: actions,python languages: actions,python
# https://github.com/github/codeql-action#build-modes # https://github.com/github/codeql-action#build-modes
@@ -100,4 +102,5 @@ jobs:
queries: security-and-quality queries: security-and-quality
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4 # https://github.com/github/codeql-action uses: github/codeql-action/analyze@36a9c375704a9813bd709881c97694bcd24e1cb1 # v4.0.0
# https://github.com/github/codeql-action

6
.github/workflows/publish-release.yml vendored
View File

@@ -38,7 +38,8 @@ jobs:
- name: Generate GitHub Access Token - name: Generate GitHub Access Token
uses: tibdex/github-app-token@v2 # https://github.com/tibdex/github-app-token uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
# https://github.com/tibdex/github-app-token
id: generate_token id: generate_token
# see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens # see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
with: with:
@@ -48,7 +49,8 @@ jobs:
- name: Git Checkout - name: Git Checkout
uses: actions/checkout@v5 # https://github.com/actions/checkout uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.0
# https://github.com/actions/checkout
with: with:
token: ${{ steps.generate_token.outputs.token }} token: ${{ steps.generate_token.outputs.token }}
ref: main ref: main

15
.github/workflows/update-python-deps.yml vendored
View File

@@ -19,6 +19,10 @@ defaults:
env: env:
PYTHON_VERSION: "3.10" PYTHON_VERSION: "3.10"
permissions:
contents: write
pull-requests: write
jobs: jobs:
########################################################### ###########################################################
@@ -39,7 +43,8 @@ jobs:
- name: Generate GitHub Access Token - name: Generate GitHub Access Token
uses: tibdex/github-app-token@v2 # https://github.com/tibdex/github-app-token uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
# https://github.com/tibdex/github-app-token
id: generate_token id: generate_token
# see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens # see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
with: with:
@@ -49,13 +54,14 @@ jobs:
- name: Git Checkout - name: Git Checkout
uses: actions/checkout@v6 # https://github.com/actions/checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
# https://github.com/actions/checkout
with: with:
token: ${{ steps.generate_token.outputs.token }} token: ${{ steps.generate_token.outputs.token }}
- name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm - name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm
uses: pdm-project/setup-pdm@v4 uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4
with: with:
python-version: "${{ env.PYTHON_VERSION }}" python-version: "${{ env.PYTHON_VERSION }}"
cache: true cache: true
@@ -101,7 +107,8 @@ jobs:
- name: Create PR - name: Create PR
uses: peter-evans/create-pull-request@v7 # https://github.com/peter-evans/create-pull-request uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.5
# https://github.com/peter-evans/create-pull-request
if: "${{ steps.update_deps.outputs.updates != '' }}" if: "${{ steps.update_deps.outputs.updates != '' }}"
with: with:
title: "chore: ${{ steps.update_deps.outputs.title }}" title: "chore: ${{ steps.update_deps.outputs.title }}"

6
.github/workflows/validate-pr-title.yml vendored
View File

@@ -17,7 +17,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: "Validate semantic PR title" - name: "Validate semantic PR title"
uses: amannn/action-semantic-pull-request@v6 # https://github.com/amannn/action-semantic-pull-request uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.0.0
# https://github.com/amannn/action-semantic-pull-request
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with: with:
@@ -42,6 +43,7 @@ jobs:
requireScope: false requireScope: false
- name: "Label PR" - name: "Label PR"
uses: srvaroa/labeler@v1.13.0 # https://github.com/srvaroa/labeler uses: srvaroa/labeler@0a20eccb8c94a1ee0bed5f16859aece1c45c3e55 # v1.13.0
# https://github.com/srvaroa/labeler
env: env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

7
src/kleinanzeigen_bot/utils/reflect.py
View File

@@ -13,7 +13,12 @@ def get_caller(depth:int = 1) -> inspect.FrameInfo | None:
return frame return frame
return None return None
finally: finally:
del stack # Clean up the stack to avoid reference cycles # Explicitly delete stack frames to prevent reference cycles and potential memory leaks.
# inspect.stack() returns FrameInfo objects that contain references to frame objects,
# which can create circular references. While Python's GC handles this, explicit cleanup
# is recommended per Python docs: https://docs.python.org/3/library/inspect.html#the-interpreter-stack
# codeql[py/unnecessary-delete]
del stack
def is_integer(obj:Any) -> bool: def is_integer(obj:Any) -> bool: