This is an automated email from the ASF dual-hosted git repository. tomaz pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/libcloud.git
commit 21f6883472df778d022fd9ffe34c442d18fa52be Author: Tomaz Muraus <to...@tomaz.me> AuthorDate: Mon Jul 31 12:24:30 2023 +0200 Squashed '.github/actions/gh-action-pip-audit/' changes from 9075e938d..d499194be d499194be README: prep 1.0.8 cf52d21d8 Remove pin on requests (fixes #41) (#42) 3ac8fed01 README: prep 1.0.7 (#40) f7e969538 requirements: constrain requests below 2.30 (#39) 28aa5e1be New issue templates (#37) 1abec09c8 action: replace `internal-be-careful-debug` (#36) 75edeacda README: prep 1.0.6 (#34) 666b1b883 Check that output file exists before opening (#33) git-subtree-dir: .github/actions/gh-action-pip-audit git-subtree-split: d499194be74aeb3bc7dbed3a224a87e1831132c7 --- .github/ISSUE_TEMPLATE/bug_report.yml | 64 +++++++++++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 11 +++++ .github/ISSUE_TEMPLATE/feature_request.yml | 50 ++++++++++++++++++++++ .github/workflows/selftest.yml | 18 ++++++++ README.md | 69 +++++++++++++++--------------- action.py | 24 ++++++----- action.yml | 8 ++-- requirements.txt | 2 +- test/empty.txt | 0 9 files changed, 197 insertions(+), 49 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 000000000..f931fc5ed --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -0,0 +1,64 @@
+name: Bug report
+description: Report a bug with pip-audit's GitHub Action
+labels: bug
+body:
+ - type: markdown
+ attributes:
+ value: >-
+ Thank you for reporting a potential bug in `gh-action-pip-audit`! Please
+ read the following carefully:
+
+
+ **IMPORTANT:** This issue tracker is for `pip-audit`'s
+ **GitHub Action**, the scaffolding that integrates `pip-audit` with your
+ CI. If the buggy behavior you are experiencing appears to be in
+ `pip-audit`, please file an issue
+ [against the `pip-audit` repo](https://github.com/pypa/pip-audit/issues/new/choose).
+
+
+ **IMPORTANT:** Please fill out every section below. Bug reports with
+ missing information will be given a lower priority or closed outright.
+
+
+ Before filing an issue, check out our
+ [troubleshooting guide](https://github.com/pypa/gh-action-pip-audit#troubleshooting) :)
+ - type: textarea
+ id: current-behavior
+ attributes:
+ label: Current behavior
+ description: >-
+ What issue are you having with the action? What were you trying to do
+ when the issue occurred?
+ placeholder: The action run succeeds when I ...
+ validations:
+ required: true
+ - type: textarea
+ id: expected-behavior
+ attributes:
+ label: Expected behavior
+ description: What should've happened instead?
+ placeholder: I expected the action run to fail.
+ validations:
+ required: true
+ - type: textarea
+ id: repro
+ attributes:
+ label: Steps to reproduce
+ description: What are the detailed steps we can follow to trigger this issue?
+ placeholder: |-
+ 1. ...
+ 2. ...
+ 3. ...
+ validations:
+ required: true
+ - type: textarea
+ id: context
+ attributes:
+ label: Relevant context
+ description: >-
+ Please include a link to an action run, as well as any logs that you think might
+ be helpful! You can
+ [follow these instructions](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow)
+ to re-run the action with debug logging.
+ validations:
+ required: true
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 000000000..ff27519a1
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+ - name: pip-audit's issue tracker
+ url: https://github.com/pypa/pip-audit/issues/new/choose
+ about: >-
+ You may want to file a report on pip-audit instead if your issue is not
+ directly related to this GitHub Action
+ - name: Troubleshooting guide
+ url: https://github.com/pypa/gh-action-pip-audit#troubleshooting
+ about: >-
+ Learn how to fix some common issues or enable debug logging here
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
new file mode 100644
index 000000000..c83f9139a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,50 @@
+name: Feature request
+description: Suggest an idea for pip-audit's GitHub Action
+labels: enhancement
+body:
+ - type: markdown
+ attributes:
+ value: >-
+ Thank you for filing a feature request for `gh-action-pip-audit`! Please
+ read the following carefully:
+
+
+ **IMPORTANT:** This form is for `pip-audit`'s **GitHub Action**, the
+ scaffolding that integrates `pip-audit` with your CI. If you would like
+ a new feature in `pip-audit` itself, please go to
+ [the `pip-audit` repo](https://github.com/pypa/pip-audit/issues/new/choose).
+
+
+ **IMPORTANT:** Please fill out every required section below to the best
+ of your ability. Feature requests with missing information may be given
+ a lower priority or closed outright.
+ - type: textarea
+ id: problem
+ attributes:
+ label: Is your feature request related to a problem?
+ description: Describe how the current solution is deficient.
+ placeholder: I am frustrated when ...
+ validations:
+ required: true
+ - type: textarea
+ id: solution
+ attributes:
+ label: Describe the solution you'd like
+ description:
+ placeholder: I think gh-action-pip-audit would benefit from ...
+ validations:
+ required: true
+ - type: textarea
+ id: alternatives-considered
+ attributes:
+ label: Alternative solutions or features you've considered
+ description:
+ placeholder:
+ validations:
+ required: true
+ - type: textarea
+ id: context
+ attributes:
+ label: Additional context
+ description: Add any context or screenshots related to the feature request.
+ placeholder:
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index 864028402..261a198d2 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -88,3 +88,21 @@ jobs: PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}" run: | grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}") + selftest-pipaudit-fail: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: ./ + id: pip-audit + with: + # we do not care about pip-audit's actual output in this test, we just need a file to pass + # in so as to not exercise `pip list` mode. + inputs: ./test/empty.txt + # pass in a fake flag here to reliably trigger the failure we're looking for. + internal-be-careful-extra-flags: --not-a-real-pip-audit-flag + internal-be-careful-allow-failure: true + - name: assert expected output + env: + PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}" + run: | + grep 'pip-audit did not return any output' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}") diff --git a/README.md b/README.md index c7f790d3b..ff434acf5 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ jobs: - uses: actions/checkout@v3 - name: install run: python -m pip install . - - uses: pypa/gh-action-pip-audit@v1.0.5 + - uses: pypa/gh-action-pip-audit@v1.0.8 ``` Or, with a virtual environment: @@ -48,7 +48,7 @@ jobs: python -m venv env/ source env/bin/activate python -m pip install . - - uses: pypa/gh-action-pip-audit@v1.0.5 + - uses: pypa/gh-action-pip-audit@v1.0.8 with: virtual-environment: env/ ``` @@ -72,7 +72,7 @@ The `inputs` setting controls what sources `pip-audit` runs on. To audit one or more requirements-style inputs: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: inputs: requirements.txt dev-requirements.txt ``` @@ -80,7 +80,7 @@ To audit one or more requirements-style inputs: To audit a project that uses `pyproject.toml` for its dependencies: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: # NOTE: this can be `.`, for the current directory inputs: path/to/project/ 
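Review bot: The new `selftest-pipaudit-fail` job references `actions/checkout@v3` by a mutable tag; pinning third-party actions to a full commit SHA (keeping the tag in a trailing comment, e.g. `- uses: actions/checkout@<full-sha> # v3`) is the usual hardening for workflow supply chain, although the existing jobs in this file appear to use the same tag, so this is consistent with them. Separately, the assertion only greps for the placeholder text `pip-audit did not return any output`, so it cannot distinguish "pip-audit rejected the fake flag" from any other failure that leaves no output file; that is acceptable for a smoke test but worth stating in the step comment, e.g. `# any failure that produces no output file satisfies this check; it does not prove the flag was rejected`.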
@@ -108,7 +108,7 @@ Example: use the virtual environment specified at `env/`, relative to the current directory: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: virtual-environment: env/ # Note the absence of `input:`, since we're auditing the environment. @@ -128,7 +128,7 @@ installed directly into the current environment are included. Example: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: local: true ``` @@ -145,7 +145,7 @@ It's directly equivalent to `pip-audit --vulnerability-service=...`. To audit with OSV instead of PyPI: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: vulnerability-service: osv ``` @@ -160,7 +160,7 @@ It's directly equivalent to `pip-audit --require-hashes ...`. Example: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: # NOTE: only works with requirements-style inputs inputs: requirements.txt @@ -177,7 +177,7 @@ It's directly equivalent to `pip-audit --no-deps ...`. Example: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: # NOTE: only works with requirements-style inputs inputs: requirements.txt @@ -195,7 +195,7 @@ is rendered at the end of the action. Example: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: summary: false ``` @@ -214,7 +214,7 @@ indices to search (such as a corporate index with private packages), see Example: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: index-url: https://example.corporate.local/simple ``` @@ -229,7 +229,7 @@ indexes to search when resolving dependencies. Each URL is whitespace-separated. Example: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: extra-index-urls: | https://example.corporate.local/simple 
@@ -246,7 +246,7 @@ ignore (i.e., exclude from the results) if present. Each ID is whitespace-separa Example ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: ignore-vulns: | GHSA-XXXX-YYYYYY @@ -276,29 +276,24 @@ Example Example: ```yaml - - uses: pypa/gh-action-pip-audit@v1.0.5 + - uses: pypa/gh-action-pip-audit@v1.0.8 with: internal-be-careful-allow-failure: true ``` - #### `internal-be-careful-debug` +#### `internal-be-careful-extra-flags` +**Default**: `""` - **Default**: `false` - - The `internal-be-careful-debug` setting enables additional debug logs, - both within `pip-audit` itself and the action's harness code. You can - use it to debug troublesome configurations. +The `internal-be-careful-extra-flags` setting passes the specified flags +to `pip-audit`. - Be mindful that `pip-audit`'s own debug logs contain HTTP requests, - which may or may not be sensitive in your use case. - - Example: +Example: - ```yaml - - uses: pypa/gh-action-pip-audit@v1.0.5 - with: - internal-be-careful-debug: true - ``` +```yaml +- uses: pypa/gh-action-pip-audit@v1.0.8 + with: + internal-be-careful-extra-flags: --not-a-real-pip-audit-flag +``` </details> @@ -312,7 +307,7 @@ If you're auditing a requirements file, consider setting `no-deps: true` or `require-hashes: true`: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: inputs: requirements.txt require-hashes: true @@ -321,7 +316,7 @@ If you're auditing a requirements file, consider setting `no-deps: true` or or: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: inputs: requirements.txt no-deps: true 
@@ -342,7 +337,7 @@ by the host system itself, or other Python projects that happen to be installed. To minimize external dependencies, you can opt into a virtual environment: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: # must be populated earlier in the CI virtual-environment: env/ @@ -352,13 +347,19 @@ and, more aggressively, specify that only dependencies marked as "local" in the virtual environment should be included: ```yaml -- uses: pypa/gh-action-pip-audit@v1.0.5 +- uses: pypa/gh-action-pip-audit@v1.0.8 with: # must be populated earlier in the CI virtual-environment: env/ local: true ``` +### There's an issue with the action and I want to enable debug logging! + +The action prints debug information when the `ACTIONS_STEP_DEBUG` secret is set +to `true``. You should be able to enable this behavior by +[following these instructions](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow). + ## Tips and Tricks ### Running against a pipenv project @@ -382,7 +383,7 @@ jobs: run: | pipx run pipfile-requirements Pipfile.lock > requirements.txt - - uses: pypa/gh-action-pip-audit@v1.0.5 + - uses: pypa/gh-action-pip-audit@v1.0.8 with: inputs: requirements.txt ``` diff --git a/action.py b/action.py index 75d8d7ffc..dd624adbd 100755 --- a/action.py +++ b/action.py @@ -18,7 +18,7 @@ _TEMPLATES = _HERE / "templates" _GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY")).open("a") _GITHUB_OUTPUT = Path(os.getenv("GITHUB_OUTPUT")).open("a") _RENDER_SUMMARY = os.getenv("GHA_PIP_AUDIT_SUMMARY", "true") == "true" -_DEBUG = os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" +_DEBUG = os.getenv("RUNNER_DEBUG") is not None def _template(name): @@ -33,7 +33,7 @@ def _summary(msg): def _debug(msg): if _DEBUG: - print(f"\033[93mDEBUG: {msg}\033[0m", file=sys.stderr) + print(f"::debug::{msg}") def _log(msg): 
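Review bot: `_DEBUG = os.getenv("RUNNER_DEBUG") is not None` now ties the harness's debug output, and the `--verbose` flag the `@@ -64` hunk's context shows being appended to `pip_audit_args` under `if _DEBUG:`, to runner-level step debugging, so pip-audit's verbose logs are emitted whenever step debug logging is enabled for the repository. The README text removed in this commit carried the caveat that those logs contain HTTP requests which may be sensitive, and the replacement README section does not; a comment on the assignment would preserve it in the code, e.g. `# RUNNER_DEBUG is set by the runner when step debug logging is on; this also enables pip-audit --verbose, whose logs include HTTP request details`. The module-level block this line belongs to continues outside the hunk.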
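Review bot: `print(f"::debug::{msg}")` in `_debug` emits a workflow command, and the runner only treats the text up to the first newline as that command's data, so a multi-line `msg` would print its remaining lines as ordinary output rather than as debug lines; if any of that text is derived from pip-audit output or package metadata it could also carry its own `::`-prefixed sequences. Escaping the data the way the official toolkit does keeps the whole message inside the debug command: `print("::debug::" + str(msg).replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A"))`. Whether `_debug` is ever called with multi-line or externally derived content is not visible in this hunk.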
@@ -64,7 +64,7 @@ pip_audit_args = [ "--desc", # Write the output to this logfile, which we'll turn into the step summary (if configured). "--output=/tmp/pip-audit-output.txt", -] +] + os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS").split() if _DEBUG: pip_audit_args.append("--verbose") @@ -135,15 +135,19 @@ if status.returncode == 0: else: _summary("❌ pip-audit found one or more problems") - with open("/tmp/pip-audit-output.txt", "r") as io: - output = io.read() + output = "⚠️ pip-audit did not return any output" + try: + with open("/tmp/pip-audit-output.txt", "r") as io: + output = io.read() + except OSError as ex: + _log(ex) - # This is really nasty: our output contains multiple lines, - # so we can't naively stuff it into an output. - print(f"output={b64encode(output.encode()).decode()}", file=_GITHUB_OUTPUT) + # This is really nasty: our output contains multiple lines, + # so we can't naively stuff it into an output. + print(f"output={b64encode(output.encode()).decode()}", file=_GITHUB_OUTPUT) - _log(output) - _summary(output) + _log(output) + _summary(output) _log(status.stdout) diff --git a/action.yml b/action.yml index 3574e61fa..39e9d3d94 100644 --- a/action.yml +++ b/action.yml @@ -46,10 +46,10 @@ inputs: description: "don't fail the job if the audit fails (default false)" required: false default: false - internal-be-careful-debug: - description: "run with debug logs (default false)" + internal-be-careful-extra-flags: + description: "extra flags to be passed in to pip-audit" required: false - default: false + default: "" outputs: internal-be-careful-output: description: "the column-formatted output from pip-audit, wrapped as base64" 
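Review bot: `os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS").split()` raises `AttributeError` at script start when the variable is unset, since `os.getenv` returns `None` then; `action.yml` always populates it, but invoking `action.py` directly or from an older wrapper would crash before pip-audit runs. A default keeps behaviour identical when the variable is present: `] + os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS", "").split()`. Note also that `str.split()` is plain whitespace splitting with no quoting, so a flag whose value contains spaces cannot be passed this way; `shlex.split` would honour quotes if that is wanted. The flags are appended to the `pip_audit_args` list, so, assuming that list reaches `subprocess` as an argument list rather than a shell string, they become discrete arguments; the invocation itself is outside the hunk.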
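Review bot: The description `extra flags to be passed in to pip-audit` for the new `internal-be-careful-extra-flags` input does not say how the value is tokenised, while `action.py` splits it on whitespace; stating that in the input's description avoids surprises with values containing spaces, e.g. `description: "extra whitespace-separated flags passed through to pip-audit"`.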
@@ -83,5 +83,5 @@ runs: GHA_PIP_AUDIT_EXTRA_INDEX_URLS: "${{ inputs.extra-index-urls }}" GHA_PIP_AUDIT_IGNORE_VULNS: "${{ inputs.ignore-vulns }}" GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: "${{ inputs.internal-be-careful-allow-failure }}" - GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}" + GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS: "${{ inputs.internal-be-careful-extra-flags }}" shell: bash diff --git a/requirements.txt b/requirements.txt index 931128f8f..546e8fe02 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ -pip-audit ~= 2.0, >= 2.4.13 +pip-audit ~= 2.0, >= 2.5.6 diff --git a/test/empty.txt b/test/empty.txt new file mode 100644 index 000000000..e69de29bb