OpenSource/python-telegram-bot
OpenSource/python-telegram-bot
1
0
Fork 0
mirror of https://github.com/python-telegram-bot/python-telegram-bot.git synced 2024-12-21 22:15:09 +01:00
Code Issues Projects Releases Packages Wiki Activity

Add Static Security Analysis of GitHub Actions Workflows (#4606)

Browse source
This commit is contained in:
Bibo-Joshi 2024-12-13 22:16:31 +01:00 committed by GitHub
parent 2ac52018c2
commit 4afe174b5c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 89 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
.github/workflows/dependabot-prs.yml vendored
View file

@ -16,14 +16,15 @@ jobs:
- name: Fetch Dependabot metadata - name: Fetch Dependabot metadata
id: dependabot-metadata id: dependabot-metadata
uses: dependabot/fetch-metadata@v2.2.0 uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
ref: ${{ github.event.pull_request.head.ref }} ref: ${{ github.event.pull_request.head.ref }}
persist-credentials: false
- name: Update Version Number in Other Files - name: Update Version Number in Other Files
uses: jacobtomlinson/gha-find-replace@v3 uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5 # v3
with: with:
find: ${{ steps.dependabot-metadata.outputs.previous-version }} find: ${{ steps.dependabot-metadata.outputs.previous-version }}
replace: ${{ steps.dependabot-metadata.outputs.new-version }} replace: ${{ steps.dependabot-metadata.outputs.new-version }}
@ -31,7 +32,7 @@ jobs:
exclude: CHANGES.rst exclude: CHANGES.rst
- name: Commit & Push Changes to PR - name: Commit & Push Changes to PR
uses: EndBug/add-and-commit@v9.1.4 uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
with: with:
message: 'Update version number in other files' message: 'Update version number in other files'
committer_name: GitHub Actions committer_name: GitHub Actions

6
.github/workflows/docs-linkcheck.yml vendored
View file

@ -17,9 +17,11 @@ jobs:
os: [ubuntu-latest] os: [ubuntu-latest]
fail-fast: False fail-fast: False
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }} - name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
- name: Install dependencies - name: Install dependencies

8
.github/workflows/docs.yml vendored
View file

@ -18,9 +18,11 @@ jobs:
os: [ubuntu-latest] os: [ubuntu-latest]
fail-fast: False fail-fast: False
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }} - name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
cache: 'pip' cache: 'pip'
@ -34,7 +36,7 @@ jobs:
- name: Build docs - name: Build docs
run: sphinx-build docs/source docs/build/html -W --keep-going -j auto run: sphinx-build docs/source docs/build/html -W --keep-going -j auto
- name: Upload docs - name: Upload docs
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: HTML Docs name: HTML Docs
retention-days: 7 retention-days: 7

31
.github/workflows/gha_security.yml vendored Normal file
View file

@ -0,0 +1,31 @@
name: GitHub Actions Security Analysis
on:
push:
branches:
- master
pull_request:
jobs:
zizmor:
name: Security Analysis with zizmor
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0
- name: Run zizmor
run: uvx zizmor --persona=pedantic --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
with:
sarif_file: results.sarif
category: zizmor

2
.github/workflows/labelling.yml vendored
View file

@ -11,7 +11,7 @@ jobs:
pull-requests: write # for srvaroa/labeler to add labels in PR pull-requests: write # for srvaroa/labeler to add labels in PR
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: srvaroa/labeler@v1.12.0 - uses: srvaroa/labeler@fe4b1c73bb8abf2f14a44a6912a8b4fee835d631 # v1.12.0
# Config file at .github/labeler.yml # Config file at .github/labeler.yml
env: env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

2
.github/workflows/lock.yml vendored
View file

@ -8,7 +8,7 @@ jobs:
lock: lock:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: dessant/lock-threads@v5.0.1 - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
with: with:
github-token: ${{ github.token }} github-token: ${{ github.token }}
issue-inactive-days: '7' issue-inactive-days: '7'

24
.github/workflows/release_pypi.yml vendored
View file

@ -12,9 +12,11 @@ jobs:
TAG: ${{ steps.get_tag.outputs.TAG }} TAG: ${{ steps.get_tag.outputs.TAG }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v5 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with: with:
python-version: "3.x" python-version: "3.x"
- name: Install pypa/build - name: Install pypa/build
@ -23,7 +25,7 @@ jobs:
- name: Build a binary wheel and a source tarball - name: Build a binary wheel and a source tarball
run: python3 -m build run: python3 -m build
- name: Store the distribution packages - name: Store the distribution packages
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: python-package-distributions name: python-package-distributions
path: dist/ path: dist/
@ -47,12 +49,12 @@ jobs:
steps: steps:
- name: Download all the dists - name: Download all the dists
uses: actions/download-artifact@v4 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: with:
name: python-package-distributions name: python-package-distributions
path: dist/ path: dist/
- name: Publish to PyPI - name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1 uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
compute-signatures: compute-signatures:
name: Compute SHA1 Sums and Sign with Sigstore name: Compute SHA1 Sums and Sign with Sigstore
@ -65,7 +67,7 @@ jobs:
steps: steps:
- name: Download all the dists - name: Download all the dists
uses: actions/download-artifact@v4 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: with:
name: python-package-distributions name: python-package-distributions
path: dist/ path: dist/
@ -77,13 +79,13 @@ jobs:
sha1sum $file > $file.sha1 sha1sum $file > $file.sha1
done done
- name: Sign the dists with Sigstore - name: Sign the dists with Sigstore
uses: sigstore/gh-action-sigstore-python@v3.0.0 uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
with: with:
inputs: >- inputs: >-
./dist/*.tar.gz ./dist/*.tar.gz
./dist/*.whl ./dist/*.whl
- name: Store the distribution packages and signatures - name: Store the distribution packages and signatures
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: python-package-distributions-and-signatures name: python-package-distributions-and-signatures
path: dist/ path: dist/
@ -101,7 +103,7 @@ jobs:
steps: steps:
- name: Download all the dists - name: Download all the dists
uses: actions/download-artifact@v4 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: with:
name: python-package-distributions-and-signatures name: python-package-distributions-and-signatures
path: dist/ path: dist/
@ -113,7 +115,7 @@ jobs:
# we don't define it through this workflow. # we don't define it through this workflow.
run: >- run: >-
gh release create gh release create
'${{ env.TAG }}' "$TAG"
--repo '${{ github.repository }}' --repo '${{ github.repository }}'
--generate-notes --generate-notes
- name: Upload artifact signatures to GitHub Release - name: Upload artifact signatures to GitHub Release
@ -125,5 +127,5 @@ jobs:
# sigstore-produced signatures and certificates. # sigstore-produced signatures and certificates.
run: >- run: >-
gh release upload gh release upload
'${{ env.TAG }}' dist/** "$TAG" dist/**
--repo '${{ github.repository }}' --repo '${{ github.repository }}'

24
.github/workflows/release_test_pypi.yml vendored
View file

@ -12,9 +12,11 @@ jobs:
TAG: ${{ steps.get_tag.outputs.TAG }} TAG: ${{ steps.get_tag.outputs.TAG }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v5 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with: with:
python-version: "3.x" python-version: "3.x"
- name: Install pypa/build - name: Install pypa/build
@ -23,7 +25,7 @@ jobs:
- name: Build a binary wheel and a source tarball - name: Build a binary wheel and a source tarball
run: python3 -m build run: python3 -m build
- name: Store the distribution packages - name: Store the distribution packages
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: python-package-distributions name: python-package-distributions
path: dist/ path: dist/
@ -47,12 +49,12 @@ jobs:
steps: steps:
- name: Download all the dists - name: Download all the dists
uses: actions/download-artifact@v4 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: with:
name: python-package-distributions name: python-package-distributions
path: dist/ path: dist/
- name: Publish to Test PyPI - name: Publish to Test PyPI
uses: pypa/gh-action-pypi-publish@release/v1 uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
with: with:
repository-url: https://test.pypi.org/legacy/ repository-url: https://test.pypi.org/legacy/
@ -67,7 +69,7 @@ jobs:
steps: steps:
- name: Download all the dists - name: Download all the dists
uses: actions/download-artifact@v4 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: with:
name: python-package-distributions name: python-package-distributions
path: dist/ path: dist/
@ -79,13 +81,13 @@ jobs:
sha1sum $file > $file.sha1 sha1sum $file > $file.sha1
done done
- name: Sign the dists with Sigstore - name: Sign the dists with Sigstore
uses: sigstore/gh-action-sigstore-python@v3.0.0 uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
with: with:
inputs: >- inputs: >-
./dist/*.tar.gz ./dist/*.tar.gz
./dist/*.whl ./dist/*.whl
- name: Store the distribution packages and signatures - name: Store the distribution packages and signatures
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: python-package-distributions-and-signatures name: python-package-distributions-and-signatures
path: dist/ path: dist/
@ -103,7 +105,7 @@ jobs:
steps: steps:
- name: Download all the dists - name: Download all the dists
uses: actions/download-artifact@v4 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: with:
name: python-package-distributions-and-signatures name: python-package-distributions-and-signatures
path: dist/ path: dist/
@ -115,7 +117,7 @@ jobs:
# we don't define it through this workflow. # we don't define it through this workflow.
run: >- run: >-
gh release create gh release create
'${{ env.TAG }}' "$TAG"
--repo '${{ github.repository }}' --repo '${{ github.repository }}'
--generate-notes --generate-notes
--draft --draft
@ -128,5 +130,5 @@ jobs:
# sigstore-produced signatures and certificates. # sigstore-produced signatures and certificates.
run: >- run: >-
gh release upload gh release upload
'${{ env.TAG }}' dist/** "$TAG" dist/**
--repo '${{ github.repository }}' --repo '${{ github.repository }}'

2
.github/workflows/stale.yml vendored
View file

@ -7,7 +7,7 @@ jobs:
stale: stale:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/stale@v9 - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with: with:
# PRs never get stale # PRs never get stale
days-before-stale: 3 days-before-stale: 3

8
.github/workflows/test_official.yml vendored
View file

@ -21,9 +21,11 @@ jobs:
os: [ubuntu-latest] os: [ubuntu-latest]
fail-fast: False fail-fast: False
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }} - name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
- name: Install dependencies - name: Install dependencies
@ -41,7 +43,7 @@ jobs:
- name: Test Summary - name: Test Summary
id: test_summary id: test_summary
uses: test-summary/action@v2.4 uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
if: always() # always run, even if tests fail if: always() # always run, even if tests fail
with: with:
paths: .test_report_official.xml paths: .test_report_official.xml

2
.github/workflows/type_completeness.yml vendored
View file

@ -14,7 +14,7 @@ jobs:
name: test-type-completeness name: test-type-completeness
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: Bibo-Joshi/pyright-type-completeness@1.0.1 - uses: Bibo-Joshi/pyright-type-completeness@c85a67ff3c66f51dcbb2d06bfcf4fe83a57d69cc # v1.0.1
with: with:
package-name: telegram package-name: telegram
python-version: 3.12 python-version: 3.12

4
.github/workflows/type_completeness_monthly.yml vendored
View file

@ -9,14 +9,14 @@ jobs:
name: test-type-completeness name: test-type-completeness
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: Bibo-Joshi/pyright-type-completeness@1.0.1 - uses: Bibo-Joshi/pyright-type-completeness@c85a67ff3c66f51dcbb2d06bfcf4fe83a57d69cc # v1.0.1
id: pyright-type-completeness id: pyright-type-completeness
with: with:
package-name: telegram package-name: telegram
python-version: 3.12 python-version: 3.12
pyright-version: ~=1.1.367 pyright-version: ~=1.1.367
- name: Check Output - name: Check Output
uses: jannekem/run-python-script-action@v1 uses: jannekem/run-python-script-action@bbfca66c612a28f3eeca0ae40e1f810265e2ea68 # v1.7
env: env:
TYPE_COMPLETENESS: ${{ steps.pyright-type-completeness.outputs.base-completeness-score }} TYPE_COMPLETENESS: ${{ steps.pyright-type-completeness.outputs.base-completeness-score }}
with: with:

12
.github/workflows/unit_tests.yml vendored
View file

@ -24,9 +24,11 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest] os: [ubuntu-latest, windows-latest, macos-latest]
fail-fast: False fail-fast: False
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }} - name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
cache: 'pip' cache: 'pip'
@ -79,7 +81,7 @@ jobs:
- name: Test Summary - name: Test Summary
id: test_summary id: test_summary
uses: test-summary/action@v2.4 uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
if: always() # always run, even if tests fail if: always() # always run, even if tests fail
with: with:
paths: | paths: |
@ -87,14 +89,14 @@ jobs:
.test_report_optionals_junit.xml .test_report_optionals_junit.xml
- name: Submit coverage - name: Submit coverage
uses: codecov/codecov-action@v5 uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
with: with:
env_vars: OS,PYTHON env_vars: OS,PYTHON
name: ${{ matrix.os }}-${{ matrix.python-version }} name: ${{ matrix.os }}-${{ matrix.python-version }}
fail_ci_if_error: true fail_ci_if_error: true
token: ${{ secrets.CODECOV_TOKEN }} token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload test results to Codecov - name: Upload test results to Codecov
uses: codecov/test-results-action@v1 uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1
if: ${{ !cancelled() }} if: ${{ !cancelled() }}
with: with:
files: .test_report_no_optionals_junit.xml,.test_report_optionals_junit.xml files: .test_report_no_optionals_junit.xml,.test_report_optionals_junit.xml