Mirrors/kleinanzeigen-bot
1
0
Fork 0
mirror of https://github.com/Second-Hand-Friends/kleinanzeigen-bot.git synced 2026-03-12 10:31:50 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
efede9a5a2fd9c67a5afe58cc55d7663142ee43d
kleinanzeigen-bot/.github/workflows/update-python-deps.yml
Jens efede9a5a2 ci: Fix CodeQL security warnings (#720) 
## ℹ️ Description

This PR resolves all open CodeQL security warnings by implementing
recommended security best practices for GitHub Actions workflows and
addressing code analysis findings.

**Related**: Resolves CodeQL alerts 37-53

**Motivation**: CodeQL identified 17 security warnings across our
workflows and Python code. These warnings highlight potential supply
chain security risks (unpinned actions), missing security boundaries
(workflow permissions), and false positives that needed proper
documentation.

## 📋 Changes Summary

### Security Hardening
- **Pinned all GitHub Actions to commit SHAs** (26 action references
across 5 workflows)
- Added version comments for maintainability (e.g., `@8e8c483... #
v6.0.0`)
  - Dependabot will now auto-update these pinned SHAs securely
  
### Workflow Permissions
- Added explicit `permissions` block to `update-python-deps.yml`
workflow
- Added explicit `permissions: contents: read` to `publish-coverage` job
in `build.yml`
- Follows principle of least privilege

### Dependabot Configuration
- Enhanced `.github/dependabot.yml` with action update grouping (single
PR instead of multiple)
- Added `rebase-strategy: auto` for automatic conflict resolution

### Code Quality
- Added CodeQL suppression with detailed explanation in
`src/kleinanzeigen_bot/utils/reflect.py`
- Documented why explicit `del stack` is necessary for frame cleanup
(prevents false positive)

### ⚙️ Type of Change
- [x] 🐞 Bug fix (non-breaking change which fixes an issue)
- [ ]  New feature (adds new functionality without breaking existing
usage)
- [ ] 💥 Breaking change (changes that might break existing user setups,
scripts, or configurations)

##  Checklist
- [x] I have reviewed my changes to ensure they meet the project's
standards.
- [x] I have tested my changes and ensured that all tests pass (`pdm run
test`).
- [x] I have formatted the code (`pdm run format`).
- [x] I have verified that linting passes (`pdm run lint`).
- [x] I have updated documentation where necessary.

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* CI workflows: pinned external actions to specific commits for
reproducible runs and added explicit permission scopes where required.
* Dependabot: grouped GitHub Actions updates into a single consolidated
group for unified updates and auto-rebasing.
* **Documentation**
* Expanded internal comments clarifying cleanup logic to reduce
potential reference-cycle concerns.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-12-11 21:24:24 +01:00

123 lines
4.1 KiB
YAML
Raw Blame History

# SPDX-FileCopyrightText: © Sebastian Thomschke and contributors
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-ArtifactOfProjectHomePage: https://github.com/Second-Hand-Friends/kleinanzeigen-bot/
#
# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
name: Update Python Dependencies
on:
schedule:
# https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
- cron: '0 10 * * *' # daily at 10 a.m.
workflow_dispatch:
# https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
defaults:
run:
shell: bash
env:
PYTHON_VERSION: "3.10"
permissions:
contents: write
pull-requests: write
jobs:
###########################################################
update-python-deps:
###########################################################
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: "Show: GitHub context"
env:
GITHUB_CONTEXT: ${{ toJSON(github) }}
run: echo $GITHUB_CONTEXT
- name: "Show: environment variables"
run: env | sort
- name: Generate GitHub Access Token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
# https://github.com/tibdex/github-app-token
id: generate_token
# see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
with:
# see https://github.com/organizations/Second-Hand-Friends/settings/apps/kleinanzeigen-bot-tu
app_id: ${{ secrets.DEPS_UPDATER_APP_ID }}
private_key: ${{ secrets.DEPS_UPDATER_PRIVATE_KEY }}
- name: Git Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
# https://github.com/actions/checkout
with:
token: ${{ steps.generate_token.outputs.token }}
- name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm
uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4
with:
python-version: "${{ env.PYTHON_VERSION }}"
cache: true
- name: "Install: Python dependencies"
run: |
set -eux
python --version
python -m pip install --upgrade pip
pip install --upgrade pdm
if [[ ! -e .venv ]]; then
pdm venv create || true
fi
pdm sync --clean -v
- name: Update Python dependencies
id: update_deps
run: |
set -euo pipefail
set -x
exec 5>&1
updates=$(pdm update --update-all 2>&1 | tee /dev/fd/5)
if git diff --exit-code pdm.lock; then
echo "updates=" >> "$GITHUB_OUTPUT"
else
updates="$(echo "$updates" | grep Update | grep -v kleinanzeigen-bot || true)"
if [[ $(wc -l <<< "$updates") -eq 1 ]]; then
echo "title=$(echo "$updates" | head -n 1 | sed 's/ successful//')" >> "${GITHUB_OUTPUT}"
else
echo "title=Update Python dependencies" >> "${GITHUB_OUTPUT}"
fi
# https://github.com/orgs/community/discussions/26288#discussioncomment-3876281
delimiter="$(openssl rand -hex 8)"
echo "updates<<${delimiter}" >> "${GITHUB_OUTPUT}"
echo "$updates" >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
fi
- name: Create PR
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.5
# https://github.com/peter-evans/create-pull-request
if: "${{ steps.update_deps.outputs.updates != '' }}"
with:
title: "chore: ${{ steps.update_deps.outputs.title }}"
author: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
committer: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
commit-message: "chore: ${{ steps.update_deps.outputs.title }}"
body: ${{ steps.update_deps.outputs.updates }}
add-paths: pdm.lock
branch: dependencies/pdm
delete-branch: true
token: ${{ steps.generate_token.outputs.token }}
Reference in New Issue View Git Blame Copy Permalink