⚠️ CONFLICT! Lineage pull request for: skeleton#57
| .decode("utf-8") | ||
| .strip() | ||
| ) | ||
| logging.info('Secret="%s"', secret_message) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI about 1 month ago
To fix this without changing core functionality, keep reading secret_message if needed for program behavior, but do not emit its plaintext in logs. Replace the sensitive log entry with a safe, non-revealing message (for example, indicating only that secret data was loaded). This preserves control flow and avoids leaking sensitive content.
In src/example/example.py, update the logging statement at line 101:
- Replace `logging.info('Secret="%s"', secret_message)` with a constant message that does not include `secret_message`.
No new imports, methods, or dependencies are required.
| @@ -98,7 +98,7 @@ | ||
| secret_message: str = ( | ||
| files(__package__).joinpath("data", "secret.txt").read_text().strip() | ||
| ) | ||
| logging.info('Secret="%s"', secret_message) | ||
| logging.info("Secret loaded from package data.") | ||
|
|
||
| # Stop logging and clean up | ||
| logging.shutdown() |
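Review bot: after this hunk `secret_message` is still read from `data/secret.txt` in the assignment just above the changed line, but nothing in the visible lines uses it any more, so if it is a local the `read_text()` call becomes dead code and linters such as flake8 (F841) will flag the unused variable. Either drop the read entirely, or keep the event observable without the value, e.g. log the secret's length or a truncated hash next to `"Secret loaded from package data."` so the line can still be correlated with other log output.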
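The CodeQL finding above is about the *value* reaching the log sink, and the autofix removes only the one statement it flagged. The following is an added example, not code from cisagov/skeleton-python-library or from the autofix, showing two controls that also cover the next statement someone writes: a `Secret` wrapper that redacts itself on every string conversion, and a handler-level `logging.Filter` that scrubs the rendered message when a raw string slips past the wrapper. The names `Secret`, `SecretScrubFilter`, `capture_logs`, the logger name and the sample secret string are this example's own choices.

```python
"""Added example (not the project's code): keep a secret read at start-up out
of log output. Controls shown:
1. ``Secret`` redacts itself in str()/repr()/format(); plaintext only via
   ``reveal()``, which gives reviewers one method name to grep for.
2. ``SecretScrubFilter`` rewrites the *rendered* record text, catching a raw
   string passed as a %-arg or interpolated through an f-string.
"""
import hashlib
import io
import logging


class Secret:
    """Opaque holder for a sensitive string that redacts itself on conversion."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Return the plaintext; call sites of this method are the audit surface."""
        return self._value

    def fingerprint(self, length: int = 8) -> str:
        """Non-reversible correlation id: hex prefix of SHA-256(value).
        Kept short so a low-entropy secret is not handed out as a cracking target."""
        return hashlib.sha256(self._value.encode("utf-8")).hexdigest()[:length]

    def __str__(self) -> str:
        return "[REDACTED]"

    def __repr__(self) -> str:
        return "[REDACTED]"

    def __format__(self, spec: str) -> str:  # covers f"{secret}" and format()
        return "[REDACTED]"


class SecretScrubFilter(logging.Filter):
    """Handler-level filter that scrubs registered secret values from records.
    Works on record.getMessage() (msg % args already applied), so it also catches
    plaintext interpolated before it reached logging. Always passes the record."""

    def __init__(self, secrets: list) -> None:
        super().__init__()
        self._secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        rendered = record.getMessage()
        for secret in self._secrets:
            plain = secret.reveal()
            if plain and plain in rendered:
                rendered = rendered.replace(plain, f"[REDACTED sha256:{secret.fingerprint()}]")
        record.msg = rendered  # rewrite in place; later handlers see the scrubbed text
        record.args = ()
        return True


def capture_logs(secret_plain: str) -> str:
    """Emit the flagged statement and safer variants; return what reached the sink."""
    secret = Secret(secret_plain)
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretScrubFilter([secret]))  # handler filters see every record routed here

    log = logging.getLogger("example.secret_demo")  # logger name chosen for this example
    log.setLevel(logging.INFO)
    log.propagate = False  # keep the demo out of the root logger's handlers
    for old in list(log.handlers):
        log.removeHandler(old)
    log.addHandler(handler)

    # 1. The statement CodeQL flagged, with the raw string: only the filter
    #    stands between the plaintext and the sink.
    log.info('Secret="%s"', secret_plain)
    # 2. Same statement against the wrapper: redacted by __str__ before any filter runs.
    log.info('Secret="%s"', secret)
    # 3. An f-string bypasses %-formatting; the filter still scrubs the rendered text.
    log.info(f"loaded secret {secret_plain} from package data")
    # 4. What the autofix recommends: log the event, not the value, plus a
    #    fingerprint so the line can be correlated with others.
    log.info("Secret loaded from package data (sha256:%s)", secret.fingerprint())

    handler.flush()
    log.removeHandler(handler)
    return sink.getvalue()


if __name__ == "__main__":
    # Constructed sample secret for the demo; never a real credential.
    print(capture_logs("constructed-sample-secret-Xy7!"), end="")
```

Attach the filter to the handler rather than the logger: logger-level filters only run for records created on that logger, while handler-level filters also see records propagated from child loggers, which is where most accidental `logging.info("%s", secret)` calls live.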
This gets rid of some errors from the yamllint pre-commit hook.
The version file is not a simple text file that only contains the version in this case.
This functionality (https://github.com/GitHubSecurityLab/actions-permissions/tree/main/monitor) is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory. This functionality should be re-enabled when practical. See cisagov/skeleton-generic#207 for more details.
Co-authored-by: David Harris <123905168+dv4harr10@users.noreply.github.com>
…monitoring Disable GitHub permissions monitoring everywhere
This functionality is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory.
Version 25.4.0 is the first version to support Fedora 42 in the Ansible YAML metadata schema.
Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com>
The latter is deprecated and is not included in the most recent version of types-setuptools. This leads to an error from the mypy pre-commit hook.
This is necessary for the secret_message line using importlib to correctly work with Python 3.9. See here for more details: https://setuptools.pypa.io/en/latest/userguide/datafiles.html?utm_source=chatgpt.com#namespace-support

Co-authored-by: felddy <felddy@github.com>
⚠️ CONFLICT! Lineage pull request for: skeleton
…/skeleton
# Conflicts:
# .github/lineage.yml
# bump_version.sh
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Instead of installing coveralls and running it we will use the Coveralls GitHub action to upload test coverage reports.
…_action Use the `coveralls/github-action` action
…sible-lint Upgrade to the latest version of the `ansible-lint` `pre-commit` hook
This adds a `ci` block to the pre-commit configurations to control the behavior of the pre-commit.ci GitHub app.
We currently use the `develop` branch as our reference for the cisagov/setup-env-github-action action in the build workflow. We will instead use the major version tag which puts our usage of this action in line with how we use other actions in our workflows.
Attribute the error codes we are ignoring to the correct source package. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This extends our usage of the antonbabenko/pre-commit-terraform hook collection. This new hook will automatically ensure that a Terraform lock file includes hashes for all of our supported platforms.
We have to ignore this vulnerability for now since an update for pygments has not yet been released. In any event, this vulnerability is unlikely to cause us any problems since we don't feed any regexes to pygments directly.

See also:
- cisagov/skeleton-generic#257
- https://nvd.nist.gov/vuln/detail/CVE-2026-4539
- pygments/pygments#3058

Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com>
Ignore a vulnerability originating from `pygments`
…orp/setup-terraform-4 Bump hashicorp/setup-terraform from 3 to 4
…max/ghaction-github-labeler-6 Bump crazy-max/ghaction-github-labeler from 5 to 6
This is done automatically with the pre-commit autoupdate command.
Newer versions of the hook require Python 3.14, but we are still using Python 3.13 in our GitHub Actions configuration.
Install the `go-critic` command instead of `gocritic` in the `build.yml` workflow
…uration Add additional plugins to the `flake8` pre-commit configuration
…to_lock_terraform_providers Add a pre-commit hook to lock Terraform providers automatically
Update `pre-commit` hook versions
…uration_file Remove the bandit configuration file
⚠️ CONFLICT! Lineage pull request for: skeleton
These actions often need to be upgraded in lockstep, so it makes sense to group them.
…ated-actions Group the upload-artifact and download-artifact actions
We no longer have a bandit configuration file so the bandit pre-commit hook for tests needs its comment updated.
Adjust the header comment for the `bandit (tests tree)` pre-commit hook
Bumps the upload-download-artifact group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact).

Updates `actions/upload-artifact` from 6 to 7
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v6...v7)

Updates `actions/download-artifact` from 7 to 8
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v7...v8)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: upload-download-artifact
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: upload-download-artifact
...

Signed-off-by: dependabot[bot] <support@github.com>
…-download-artifact-985357984d Bump the upload-download-artifact group with 2 updates
Remove the dependency on the `lint` job from the `build` job. Since we do not depend on the success of the `lint` job to test the source code, I don't see a reason we need to depend on it to (try to) build a wheel as long as the `diagnostics` job completes successfully. Also remove the dependency on the `test` job from the `build` job and add it to the `test-build` job. This will allow us to attempt to build wheels for the project even if source code testing has not (yet) passed, but will not bother testing the built wheel unless source code testing has passed.
Adjust the names of several jobs to more clearly align with their descriptive names and functionality. Any dependencies are also updated to use the new names.
Adjust job configurations in the `build` workflow
This is so that descendant repos can uncomment these for Python dependencies such as setuptools that are really inherited from the Lineage parent repo.
Co-authored-by: dav3r <david.redmin@gwe.cisa.dhs.gov>
Add (commented-out) Dependabot ignore directives for Python dependencies
Lineage Pull Request: CONFLICT

Lineage has created this pull request to incorporate new changes found in an upstream repository:

Upstream repository: https://github.com/cisagov/skeleton-python-library.git
Remote branch: HEAD

Check the changes in this pull request to ensure they won't cause issues with your project.

The `lineage/skeleton` branch has one or more unresolved merge conflicts that you must resolve before merging this pull request!

How to resolve the conflicts

1. Take ownership of this pull request by removing any other assignees.
2. Clone the repository locally, and reapply the merge:
3. Review the changes displayed by the `status` command. Fix any conflicts and possibly incorrect auto-merges.
4. After resolving each of the conflicts, `add` your changes to the branch, `commit`, and `push` your changes:
   Note that you may append to the default merge commit message that git creates for you, but please do not delete the existing content. It provides useful information about the merge that is being performed.
5. Wait for all the automated tests to pass.
6. Check the "Everything is cool" checkbox below:
7. Mark this draft pull request "Ready for review".

Note: You are seeing this because one of this repository's maintainers has configured Lineage to open pull requests.

For more information:
🛠 Lineage configurations for this project are stored in `.github/lineage.yml`
📚 Read more about Lineage