andrewmusselman opened a new issue, #589:
URL: https://github.com/apache/tooling-trusted-releases/issues/589

   Example found by audit:
   ```python
   # atr/db/interaction.py lines 185-213
   async def trusted_jwt_for_dist(
       publisher: str, jwt: str, asf_uid: str, phase: TrustedProjectPhase, project_name: str, version_name: str
   ) -> tuple[dict[str, Any], str, sql.Project, sql.Release]:
       payload, _asf_uid = await validate_trusted_jwt(publisher, jwt)  # _asf_uid is IGNORED
       # ...
       return payload, asf_uid, project, release  # Returns user-provided asf_uid, not JWT-validated one
   ```
   
   This was not caught by `F841` in the `F` category for `pyflakes`, which we do have set in `tool.ruff.lint`, because the leading `_` indicates an "intentionally unused variable". But in this case it would have been good for the linter to complain about it.
   
   Might be overkill to instrument this but worth a discussion.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

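The kind of check the issue asks about, as an added example that is not part of the issue or of the project's code: a small, hypothetical AST pass that flags any `_name` bound inside a function whose parameter list also contains `name`, which is exactly the shape in which the JWT-validated `_asf_uid` was discarded in favour of the caller-supplied `asf_uid`. The sample source below is constructed to mirror the snippet above (one vulnerable function, one corrected one) and is not the real `atr/db/interaction.py`.

```python
import ast

# Constructed sample: the first function repeats the audited pattern, the second
# is the corrected shape (the validated uid is bound under the real name and returned).
SAMPLE = '''
async def trusted_jwt_for_dist(publisher, jwt, asf_uid, phase, project_name, version_name):
    payload, _asf_uid = await validate_trusted_jwt(publisher, jwt)
    return payload, asf_uid, project, release

async def trusted_jwt_for_dist_fixed(publisher, jwt, phase, project_name, version_name):
    payload, asf_uid = await validate_trusted_jwt(publisher, jwt)
    return payload, asf_uid, project, release
'''


def _parameter_names(fn: ast.AST) -> set[str]:
    """All parameter names of a (async) function, including keyword-only ones."""
    args = fn.args
    names = {a.arg for a in args.posonlyargs + args.args + args.kwonlyargs}
    if args.vararg:
        names.add(args.vararg.arg)
    if args.kwarg:
        names.add(args.kwarg.arg)
    return names


def shadowed_unused_names(source: str) -> list[tuple[str, str, int]]:
    """Return (function, name, lineno) for every `_name` stored inside a function
    that also takes a parameter called `name`.

    Pyflakes/ruff F841 treats a leading underscore as "intentionally unused", so the
    discarded, validated value never trips the linter; this hypothetical check does.
    """
    findings: list[tuple[str, str, int]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        params = _parameter_names(node)
        for sub in ast.walk(node):
            if not (isinstance(sub, ast.Name) and isinstance(sub.ctx, ast.Store)):
                continue
            name = sub.id
            # Bare `_` and dunder names are never the shadowing pattern we care about.
            if name.startswith("_") and not name.startswith("__") and name[1:] in params:
                findings.append((node.name, name, sub.lineno))
    return findings


if __name__ == "__main__":
    for fn, name, line in shadowed_unused_names(SAMPLE):
        print(f"{fn}:{line}: `{name}` discarded while parameter `{name[1:]}` is still used")
```

Run against the constructed sample it reports only the vulnerable function (`trusted_jwt_for_dist`, `_asf_uid`, line 3) and stays silent on the corrected one.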