Fixes, Updates and Automation #1
Also bind it to concrete v4 release
Development branch.
Added Updates and Automation
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>
…s/main/github/codeql-action-3
Back port to development
Update README.md with config for fixed version
Updated README.md
Release v2.1
Hi. Thanks for the PR. But I just opened the PR to the upstream, as this one is referenced by the default starter workflow as follows. So, I am still looking for an option to update the upstream rather than creating a separate fork (this fork is intended just for sending a patch).
Thank you for the timely response! I appreciate the clarification and reasoning behind your preference to update the upstream. 🤔 I'll look into coordinating with the starter-workflows project. At a glance this does seem to be the right approach. (I mention this as I plan to keep you credited in the README)
🙇 Understood, I shall pester you no more. As I've already mentioned in this PR:
So, please feel free to close this PR as resolved (unmerged or merged). Hope this helps.
Reduce threshold to low in example to improve default.
# Pull useful improvements from community

## Pull new configuration input feature from related work in community

* Incorporate the feature to optionally include a `config_path` input to allow further configuration of `bandit`

## Partial version bumps for action dependencies

* Updating to `github/codeql-action/upload-sarif@v3` presents no significant changes since `v2` besides the underlying node version. Details in [relevant project README](https://github.com/github/codeql-action?tab=readme-ov-file#supported-versions-of-the-codeql-action)
* Updating to `actions/upload-artifact@v4` brings significant changes we should be aware of. The maintainers have noted that version 4 introduces breaking changes:
  * **GitHub Enterprise Server (GHES) Compatibility**: Support for GHES versions prior to 3.5 has been discontinued. If you're using an older GHES version, this update might not be compatible.
  * **Default Behavior Adjustments**: There may be changes to default configurations, such as the default value for `retention-days`. Deprecated inputs or features might have been removed as well.

For a comprehensive understanding of these impacts and to ensure seamless integration, please review the maintainers' notes in the [upload-artifact project README](https://github.com/actions/upload-artifact#actionsupload-artifact)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

- **New Features**
  - Introduced an optional `config_path` parameter for the Bandit Scan action, allowing users to specify a configuration file for command line arguments.
- **Improvements**
  - Updated artifact upload steps to use the latest versions of the actions, enhancing reliability and functionality.
  - Added an option to overwrite existing artifacts during upload.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
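As an added example (not the PR's, the fork's or the upstream action's own workflow), the following consumer workflow shows where the optional `config_path` input described above is used and which permissions the action's built-in SARIF upload needs. Everything beyond `config_path` is an assumption for illustration: the `@main` ref, the `GITHUB_TOKEN`, `level` and `exit_zero` input names (taken from the default starter workflow as I remember it) and the `.bandit.yaml` filename; confirm the real input names against the action's README.

```yaml
# Added example; not part of the PR or the action repository.
# Consumer workflow for the Bandit Scan action with the new optional
# config_path input. Assumed (not on the page): the action ref, every
# input other than config_path, and the .bandit.yaml filename.
name: Bandit Scan

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# Least privilege: the action uploads SARIF to code scanning itself, so
# security-events: write is the only write scope the job needs.
permissions:
  contents: read
  security-events: write
  actions: read   # needed by upload-sarif on private repositories

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Bandit Scan
        # Assumed ref. In practice pin to a full commit SHA with a
        # trailing version comment; Dependabot keeps such pins current.
        uses: shundor/python-bandit-scan@main
        with:
          # Assumed input: lets the action annotate the pull request.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Assumed input: report LOW and above instead of the
          # undefined default, matching the "Reduce threshold to low"
          # commit in this PR.
          level: low
          # The input this PR adds: a Bandit config file that supplies
          # further command line configuration (assumed filename).
          config_path: .bandit.yaml
          # Assumed input: keep the job green so the SARIF still
          # uploads and findings appear in the Security tab.
          exit_zero: true
```

Note that `github/codeql-action/upload-sarif@v3` and `actions/upload-artifact@v4` do not appear here: the PR bumps them inside the composite action's own steps, so a consumer picks the bumps up by moving the action ref, and the GHES and `retention-days` caveats above apply to whichever runner hosts that ref.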
…ity features

> [!NOTE]
>
> Due to the backup, upstream with [actions/starter-workflows#2497](actions/starter-workflows#2497) not yet resolved, this PR will include at least two minor version bumps:
>
> * [v2.2](637c5c4) @ [637c5c4](637c5c4)
> * [v2.3](f8cf05e) @ [f8cf05e](f8cf05e)

---
Hi @parroty, you seem to be the only active contributor to shundor/python-bandit-scan in the last year. I've included your suggested fixes into my own fork, and then automated future updates with dependabot to prevent the action from again becoming out of date in the future. You can find my fork here. I've tested my fork in another project to ensure the auto-updates work as intended and that the warnings are gone from the scans. You can find that testing here (look for the bandit scans; 1 was for the push and 1 was for the pull request).
I've published my changes to the marketplace; this PR is just back-porting them so you and the community can also benefit from the fixes.
I hope this helps.
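The Dependabot setup that automates the action bumps mentioned in the comment above, as an added example (the fork's real `.github/dependabot.yml` is only linked from the page, not shown). The `github-actions` ecosystem is the only thing the page implies; the weekly schedule, label and commit prefix are choices made here.

```yaml
# Added example of .github/dependabot.yml; not the fork's own file.
# The github-actions ecosystem watches every `uses:` line in the
# repository's workflows, and for a composite action repository the
# action.yml in the root, and opens a PR when a new release appears.
# The "Bumps github/codeql-action from 2 to 3" commit in this PR is the
# kind of PR this produces. Schedule, label and prefix are assumed.
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" covers .github/workflows and a root action.yml
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
    commit-message:
      prefix: "ci"
```

Dependabot also updates actions pinned to a commit SHA and rewrites the trailing `# vX.Y.Z` comment, so SHA pinning (the supply-chain-safe form) does not cost you the automation; a major bump such as `upload-artifact` v3 to v4 still needs the manual review of breaking changes described in the PR body.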