r12habh commented on PR #67766: URL: https://github.com/apache/airflow/pull/67766#issuecomment-4581774681
Tightened the install spec to a version range so this scan auto-picks up future ActionScope bug fixes without needing a PR per release.

```yaml
- python -m pip install "actionscope==0.3.2"
+ python -m pip install "actionscope>=0.3.3,<1.0"
```

**Why the bump from 0.3.2 to 0.3.3:** Running ActionScope against this repo surfaced a real bug — the previous version silently truncated JSON-policy file discovery at 200 files, which could miss IAM policies in non-standard locations on large monorepos. Airflow has 393 JSON files, so 193 were silently being dropped.

**For Airflow specifically this didn't change the scan result** (no in-repo IAM policies → nothing to correlate either way), but it is a real correctness bug that v0.3.3 fixes:

- Files in well-known policy directories (`iam/`, `policies/`, `.github/`, `infra/`, `infrastructure/`, `terraform/`) are now always scanned in full, regardless of total count
- The cap on "other" JSON files is raised from 200 to 800 and is configurable via a new `--max-policy-files <N>` CLI flag
- The warning is now actionable (it names the count of skipped files and the override flag)

The bug, the fix, and this PR all originated from the live test against this very repo — credit acknowledged in the [CHANGELOG entry](https://github.com/r12habh/ActionScope/blob/main/CHANGELOG.md#033---2026-05-30).

**Why `<1.0` not unbounded:** ActionScope follows semver. The ceiling protects against a hypothetical 1.0 breaking change while still picking up 0.3.x and 0.4.x improvements automatically — including new entries in the bundled compromised-actions database, which updates with every release.

Release: <https://github.com/r12habh/ActionScope/releases/tag/v0.3.3>
PyPI: <https://pypi.org/project/actionscope/0.3.3/>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
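Review bot: the `+` line swaps an exact pin (`actionscope==0.3.2`) for the open range `actionscope>=0.3.3,<1.0`, so every future 0.x release of a third-party scanner gets installed and executed in this workflow with no review on the Airflow side; the comment itself notes that the bundled compromised-actions database changes with every release, and the same mechanism would pull in a regressed or compromised scanner release just as automatically. Consider keeping the exact pin, ideally with a hash-checked install (`pip install --require-hashes`), and taking version bumps as a reviewed PR per release, or else state the accepted trade-off in a comment next to the install line so the next maintainer knows it was deliberate.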
