Project name must match PyPi #532
Closed. richdawe-cio wants to merge 10 commits into segmentio:master from customerio:cdp-6173-fix-project-name.
Changes from all commits (10 commits)
3532665 Fork to Customer.io Data Pipelines (nunofgs)
b680a47 Release 0.0.1 (nunofgs)
a5c1326 Remove userId requirement from group calls (#1) (nunofgs)
a57f6bb Release 0.0.2 (nunofgs)
fa5ca4c Add release action (#2) (nunofgs)
41203ee Add host docs to README (#3) (nunofgs)
dccaa90 Release 1.0.0: remove support for Python 3.6, 3.7; fix linting errors… (richdawe-cio)
60e2b10 Modernize Python CI and packaging (#7) (richdawe-cio)
113745c Add automated PyPI publish workflow (#8) (richdawe-cio)
115e3c2 Project name must match PyPi (richdawe-cio)
This file was deleted.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| [bumpversion] | ||
| current_version = 1.0.0 | ||
| parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+) | ||
| serialize = | ||
| {major}.{minor}.{patch} |
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # Bugbot Review Rules | ||
|
|
||
| ## Core Principle: Comprehensive First-Pass Reviews | ||
|
|
||
| **CRITICAL INSTRUCTION**: You must perform a complete, exhaustive analysis on the FIRST review of any changeset. Do NOT hold back observations or defer issues to later reviews. All feedback must be provided upfront. | ||
|
|
||
| ## Expected Behavior | ||
|
|
||
| Your first review should be comprehensive enough that subsequent reviews only need to address newly changed code. The goal is to eliminate "surprise" feedback on code that was part of the initial changeset but somehow escaped earlier review. | ||
|
|
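Review bot: this file is an instruction prompt consumed by an automated reviewer (Bugbot), not project documentation, so whoever can edit it changes what that reviewer is told on every later changeset; consider listing it in CODEOWNERS so edits to it need a maintainer's approval, and add a line to the README or CONTRIBUTING guide saying that the bot reads it. Its path is not visible in this view, so name it in the PR description as well.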
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,9 +1,11 @@ | ||
| version: 2 | ||
| updates: | ||
| - package-ecosystem: pip | ||
| directory: "/" | ||
| schedule: | ||
| interval: daily | ||
| open-pull-requests-limit: 10 | ||
| reviewers: | ||
| - heitorsampaio | ||
| - package-ecosystem: github-actions | ||
| directory: "/" | ||
| schedule: | ||
| interval: weekly | ||
|
|
||
| - package-ecosystem: pip | ||
| directory: "/" | ||
| schedule: | ||
| interval: weekly |
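Review bot: the rewritten pip block drops open-pull-requests-limit: 10 and the reviewers entry (heitorsampaio) and moves from a daily to a weekly interval; if that is deliberate, say so in the PR description, otherwise keep at least the limit so a weekly batch of pip bumps is not left unbounded. Adding the github-actions ecosystem is the right complement to pinning the actions to commit SHAs, since Dependabot then bumps the pinned SHA and keeps the trailing version comment in step with it.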
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| name: Build | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| package: | ||
| name: Build distribution | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v7 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: "3.14" | ||
| cache: pip | ||
| cache-dependency-path: pyproject.toml | ||
| - name: Install build tools | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| python -m pip install -e ".[dev]" | ||
| - name: Build and verify package | ||
| run: | | ||
| python -m build | ||
| python -m twine check dist/* |
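Review bot: actions/checkout@v7 and actions/setup-python@v6 are referenced by mutable major-version tags; pin each to a full commit SHA with the tag in a trailing comment (the same fix the publish workflow needs), so that the code run under this job cannot change between runs and the Dependabot github-actions entry added in this PR can keep the pins current. Minor: the job installs the package in editable mode with python -m pip install -e ".[dev]" although it only runs python -m build and python -m twine check; if build and twine are all it needs, installing just those keeps the job independent of the dev extra.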
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| name: Lint | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| lint: | ||
| name: Lint | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v7 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: "3.14" | ||
| cache: 'pip' | ||
| cache-dependency-path: pyproject.toml | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| python -m pip install -e ".[dev]" | ||
| - name: Run lint | ||
| run: make lint-ci |
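Review bot: same pinning point as the Build workflow for actions/checkout@v7 and actions/setup-python@v6. Style: this file writes cache: 'pip' while Build and Publish write cache: pip; pick one form across the four workflows.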
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| name: Publish to PyPI | ||
|
|
||
| on: | ||
| release: | ||
| types: [published] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| publish: | ||
| name: Build and publish | ||
| runs-on: ubuntu-latest | ||
| environment: pypi | ||
| steps: | ||
| - uses: actions/checkout@v7 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: "3.14" | ||
| cache: pip | ||
| cache-dependency-path: pyproject.toml | ||
|
|
||
| - name: Install build tools | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| python -m pip install build | ||
|
|
||
| - name: Build package | ||
| run: python -m build | ||
|
|
||
| - name: Publish to PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
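Review bot: pypa/gh-action-pypi-publish@release/v1 (and the checkout and setup-python steps) should be pinned to a full commit SHA with the tag kept in a trailing comment; this job grants id-token: write, so whatever code release/v1 resolves to at run time can obtain the OIDC token that PyPI trusts for this project. Two facts worth recording in the PR description: no API token secret appears here, so the job relies on PyPI trusted publishing and the trusted publisher on PyPI must be configured for this workflow file and the pypi environment name; and because the trigger is release: types: [published], anyone who can publish a GitHub release can publish to PyPI, so add required reviewers or a deployment tag rule to the pypi environment if that set of people is wider than intended.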
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| name: Test | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| test: | ||
| name: Test Python ${{ matrix.python-version }} | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| python-version: [ "3.9", "3.10", "3.11", "3.12", "3.13", "3.14" ] | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v7 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| cache: 'pip' | ||
| cache-dependency-path: pyproject.toml | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| python -m pip install -e . | ||
| - name: Run tests | ||
| run: make test |
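Review bot: this job installs the package with python -m pip install -e . while Build and Lint install ".[dev]"; make test will only succeed if the test runner and its dependencies are core dependencies or are installed by the Makefile, so either use the dev extra here as well or note why the split is deliberate. The two actions have the same SHA-pinning point as in the other workflows.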
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,3 +10,5 @@ build | |
| .vscode/ | ||
| .idea/ | ||
| .python-version | ||
| venv | ||
| .venv | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| [env] | ||
| MISE_FETCH_REMOTE_VERSIONS_TIMEOUT = "30s" | ||
|
|
||
| _.python.venv = { | ||
| path = ".venv", | ||
| create = true, | ||
| } | ||
|
|
||
| [settings] | ||
| python.uv_venv_auto = false | ||
| python.venv_stdlib = true | ||
|
|
||
| [tools] | ||
| python = "3.11" | ||
|
|
||
| [tasks.test] | ||
| run = 'make install test' | ||
|
|
||
| [tasks.lint] | ||
| run = 'make install lint' |
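Review bot: [tools] pins local development to python = "3.11" while the Build and Publish workflows run on 3.14; that is acceptable given the 3.9 to 3.14 test matrix, but a one-line comment here saying which version the release artifacts are built with would save the next contributor a search through the workflows. MISE_FETCH_REMOTE_VERSIONS_TIMEOUT = "30s" is likewise unexplained; a comment on why it is set would help.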
Semgrep identified an issue in your code:
GitHub Actions workflow uses a mutable version tag instead of a pinned commit SHA, allowing action maintainers (or attackers who compromise them) to inject malicious code that runs with your credentials.

More details about this

The workflow uses pypa/gh-action-pypi-publish@release/v1, which pins the action to a version tag rather than a full commit SHA. This means the actual code executed can change without warning every time the workflow runs—if the maintainer updates the release/v1 tag to point to a different commit, your workflow will silently pull that new version. Here's how an attacker could exploit this:

1. The pypa/gh-action-pypi-publish repository is compromised by gaining access to the maintainer's account or through a supply-chain attack.
2. The release/v1 tag is moved to point to a malicious commit containing backdoor code that exfiltrates your PyPI credentials stored in the PYPI_API_TOKEN environment variable.

By pinning to a specific commit SHA (e.g., @a1d2e3f...), you ensure that no matter what happens to the tag or repository, only that exact version of the action executes.

To resolve this comment:

View step-by-step instructions

1. Replace @release/v1 with uses: pypa/gh-action-pypi-publish@<full-commit-sha> # release/v1, using the commit that release/v1 currently points to. Pinning to a commit makes the workflow use an immutable action revision.

Ignore this finding

Reply with Semgrep commands to ignore this finding:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.
Need help with this issue? Consult our appsec team or ask in #help-appsec on Slack.
You can view more details about this finding in the Semgrep AppSec Platform.
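As an added example (not part of this PR, the project, or Semgrep's comment), a small checker for the class of finding above: it scans a workflow's uses: references and reports every third-party action pinned to a tag or branch rather than a 40-hex commit SHA. The embedded workflow text is constructed from the publish workflow in this PR; the function and variable names are my own.

```python
import re

# Constructed sample: the uses: references from this PR's publish workflow,
# reduced to the lines the checker cares about.
SAMPLE_WORKFLOW = """\
name: Publish to PyPI
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi
    steps:
      - uses: actions/checkout@v7
      - name: Set up Python
        uses: actions/setup-python@v6
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
"""

# The uses: value, optionally quoted, up to whitespace or a trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Classify one uses: value as local, docker, sha (immutable) or mutable."""
    if ref.startswith("./"):
        return "local"      # action inside this repo, no third-party code
    if ref.startswith("docker://"):
        return "docker"     # image refs need a digest pin, not covered here
    _, _, version = ref.partition("@")
    # A tag or branch (v7, release/v1) can be moved later; a full SHA cannot.
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_no, ref)] for every third-party action not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((line_no, m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Resolving the SHA to pin is a separate step (for example git ls-remote https://github.com/pypa/gh-action-pypi-publish release/v1), and the SHA should be taken from the upstream repository rather than a fork.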