mirror of
https://github.com/Second-Hand-Friends/kleinanzeigen-bot.git
synced 2026-03-12 18:41:50 +01:00
## ℹ️ Description

This PR resolves all open CodeQL security warnings by implementing recommended security best practices for GitHub Actions workflows and addressing code analysis findings.

**Related**: Resolves CodeQL alerts 37-53

**Motivation**: CodeQL identified 17 security warnings across our workflows and Python code. These warnings highlight potential supply chain security risks (unpinned actions), missing security boundaries (workflow permissions), and false positives that needed proper documentation.

## 📋 Changes Summary

### Security Hardening

- **Pinned all GitHub Actions to commit SHAs** (26 action references across 5 workflows)
  - Added version comments for maintainability (e.g., `@8e8c483... # v6.0.0`)
  - Dependabot will now auto-update these pinned SHAs securely

### Workflow Permissions

- Added explicit `permissions` block to `update-python-deps.yml` workflow
- Added explicit `permissions: contents: read` to `publish-coverage` job in `build.yml`
- Follows principle of least privilege

### Dependabot Configuration

- Enhanced `.github/dependabot.yml` with action update grouping (single PR instead of multiple)
- Added `rebase-strategy: auto` for automatic conflict resolution

### Code Quality

- Added CodeQL suppression with detailed explanation in `src/kleinanzeigen_bot/utils/reflect.py`
- Documented why explicit `del stack` is necessary for frame cleanup (prevents false positive)

### ⚙️ Type of Change

- [x] 🐞 Bug fix (non-breaking change which fixes an issue)
- [ ] ✨ New feature (adds new functionality without breaking existing usage)
- [ ] 💥 Breaking change (changes that might break existing user setups, scripts, or configurations)

## ✅ Checklist

- [x] I have reviewed my changes to ensure they meet the project's standards.
- [x] I have tested my changes and ensured that all tests pass (`pdm run test`).
- [x] I have formatted the code (`pdm run format`).
- [x] I have verified that linting passes (`pdm run lint`).
- [x] I have updated documentation where necessary.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

## Summary by CodeRabbit

* **Chores**
  * CI workflows: pinned external actions to specific commits for reproducible runs and added explicit permission scopes where required.
  * Dependabot: grouped GitHub Actions updates into a single consolidated group for unified updates and auto-rebasing.
* **Documentation**
  * Expanded internal comments clarifying cleanup logic to reduce potential reference-cycle concerns.
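The two workflow findings this PR fixes (actions referenced by a mutable tag or branch instead of a full commit SHA, and workflows with no explicit `permissions` block) are easy to re-check locally before CodeQL does. The linter below is an added example written for this page, not code from kleinanzeigen-bot or from CodeQL. It assumes nothing beyond the Python standard library: it scans raw workflow text with regular expressions rather than a YAML parser, treats only a 40-character lowercase hex ref as a pin, and also flags a pinned SHA that lacks the `# vX.Y.Z` comment the PR adds for Dependabot and reviewers. The two sample workflows are constructed inline; the SHAs in the "after" version are placeholders, not real commits.

```python
"""Audit GitHub Actions workflow text for unpinned actions and missing permissions.

Added example, not part of kleinanzeigen-bot. Standard library only.
"""
import re
from dataclasses import dataclass

# `uses:` appears either as a list item ("- uses:") or as a bare key in a step.
# Group 1 is the action reference, group 2 an optional trailing "# v1.2.3" comment.
# [ \t]* rather than \s* so a match can never span a line break.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*([^\s#]+)(?:[ \t]*#[ \t]*(\S+))?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Only a column-0 `permissions:` counts as the workflow-level block.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the workflow text
    code: str      # stable identifier for tooling / tests
    message: str


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def audit_workflow(text: str) -> list[Finding]:
    """Return findings in document order; an empty list means the workflow is clean."""
    findings: list[Finding] = []

    if not TOP_LEVEL_PERMISSIONS_RE.search(text):
        findings.append(Finding(1, "missing-permissions",
                                "no top-level `permissions:` block, so GITHUB_TOKEN keeps the repository default scopes"))

    for m in USES_RE.finditer(text):
        ref, comment = m.group(1).strip("'\""), m.group(2)
        line = _line_of(text, m.start())
        # Local actions and Docker images are not resolved through a mutable git ref.
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append(Finding(line, "unversioned-action", f"{ref}: no @ref at all"))
            continue
        action, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(Finding(line, "unpinned-action",
                                    f"{action}: @{version} is a mutable tag or branch, pin to a full commit SHA"))
        elif comment is None:
            findings.append(Finding(line, "pin-without-version-comment",
                                    f"{action}: SHA pinned but no '# vX.Y.Z' comment to say which release it is"))
    return findings


# Constructed sample: the shape of a workflow before hardening.
BEFORE = """\
name: build
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
        with:
          python-version: "3.12"
      - uses: ./.github/actions/local-step
"""

# Constructed sample after hardening. The SHAs are placeholders, not real commits.
AFTER = """\
name: build
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef # v5.0.0
        with:
          python-version: "3.12"
      - uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for f in audit_workflow(text) or []:
            print(f"  line {f.line}: [{f.code}] {f.message}")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; anything it reports for a third-party action is exactly what a `uses:` line needs to look like before Dependabot can take over keeping the SHA current.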