[Hermes] Remove npm-publish.yml and harden CI workflow security #19
Closed
Coding-Dev-Tools wants to merge 1 commit into
- Remove npm-publish.yml (wrong-language CI workflow for Python repo)
- Add persist-credentials: false to all checkout steps
- Add top-level permissions: contents: read to ci.yml, test.yml, publish.yml
- Update actions/checkout v4->v6 and setup-python v5->v6 in ci.yml
- Update actions/checkout v4->v6 in pages.yml
Owner
Author
Closing: This repo has a legitimate npm wrapper (package.json + cli.js). The npm-publish.yml workflow should be kept. See configdrift#9 for rationale.
Summary
Remove wrong-language npm-publish.yml CI workflow and harden security across all CI workflow files.
Why this change
What changed
Validation performed
platform win32 -- Python 3.12.10, pytest-9.0.3, pluggy-1.6.0 -- C:\Users\jomie\AppData\Local\Programs\Python\Python312\python.exe
cachedir: .pytest_cache
rootdir: C:\Users\jomie\Documents\Github\deadcode
configfile: pyproject.toml
plugins: anyio-4.13.0, Faker-40.18.0, asyncio-1.3.0, cov-7.1.0, xdist-3.8.0
asyncio: mode=Mode.STRICT, debug=False, asyncio_default_fixture_loop_scope=None, asyncio_default_test_loop_scope=function
collecting ... collected 39 items
tests/test_config_and_fixes.py::TestConfig::test_default_config PASSED [ 2%]
tests/test_config_and_fixes.py::TestConfig::test_from_dict PASSED [ 5%]
tests/test_config_and_fixes.py::TestConfig::test_from_dict_partial PASSED [ 7%]
tests/test_config_and_fixes.py::TestConfig::test_load_from_yml PASSED [ 10%]
tests/test_config_and_fixes.py::TestConfig::test_load_missing_yml PASSED [ 12%]
tests/test_config_and_fixes.py::TestConfig::test_load_empty_yml PASSED [ 15%]
tests/test_config_and_fixes.py::TestConfig::test_load_invalid_yml PASSED [ 17%]
tests/test_config_and_fixes.py::TestFailOption::test_fail_exits_1_when_threshold_met PASSED [ 20%]
tests/test_config_and_fixes.py::TestFailOption::test_fail_exits_0_when_below_threshold PASSED [ 23%]
tests/test_config_and_fixes.py::TestFailOption::test_fail_zero_exits_1_on_any_finding PASSED [ 25%]
tests/test_config_and_fixes.py::TestFailOption::test_fail_with_json_output PASSED [ 28%]
tests/test_config_and_fixes.py::TestFailOption::test_fail_from_config PASSED [ 30%]
tests/test_config_and_fixes.py::TestConfigIgnoreMerge::test_config_ignore_used_in_scan PASSED [ 33%]
tests/test_config_and_fixes.py::TestConfigIgnoreMerge::test_cli_ignore_overrides_config PASSED [ 35%]
tests/test_config_and_fixes.py::TestBugFixUnreferencedComponents::test_component_imported_not_reported PASSED [ 38%]
tests/test_config_and_fixes.py::TestBugFixUnreferencedComponents::test_component_not_imported_is_reported PASSED [ 41%]
tests/test_scanner.py::TestScanner::test_scan_finds_unused_exports PASSED [ 43%]
tests/test_scanner.py::TestScanner::test_scan_finds_orphaned_css PASSED [ 46%]
tests/test_scanner.py::TestScanner::test_scan_finds_unreferenced_components PASSED [ 48%]
tests/test_scanner.py::TestScanner::test_scan_finds_dead_routes PASSED [ 51%]
tests/test_scanner.py::TestScanner::test_scan_files_counted PASSED [ 53%]
tests/test_scanner.py::TestScanner::test_empty_project PASSED [ 56%]
tests/test_scanner.py::TestScanner::test_ignore_patterns PASSED [ 58%]
tests/test_scanner.py::TestScanner::test_scan_result_properties PASSED [ 61%]
tests/test_scanner.py::TestExportParsing::test_named_exports PASSED [ 64%]
tests/test_scanner.py::TestExportParsing::test_export_list PASSED [ 66%]
tests/test_scanner.py::TestExportParsing::test_used_exports_not_reported PASSED [ 69%]
tests/test_scanner.py::TestCSSParsing::test_orphaned_css_detection PASSED [ 71%]
tests/test_scanner.py::TestRouteDetection::test_nextjs_app_router_route PASSED [ 74%]
tests/test_scanner.py::TestRouteDetection::test_root_route_not_dead PASSED [ 76%]
tests/test_scanner.py::TestRouteDetection::test_linked_route_not_dead PASSED [ 79%]
tests/test_scanner.py::TestCLIIntegration::test_version PASSED [ 82%]
tests/test_scanner.py::TestCLIIntegration::test_help PASSED [ 84%]
tests/test_scanner.py::TestCLIIntegration::test_scan_command PASSED [ 87%]
tests/test_scanner.py::TestCLIIntegration::test_scan_json_output PASSED [ 89%]
tests/test_scanner.py::TestCLIIntegration::test_scan_category_filter PASSED [ 92%]
tests/test_scanner.py::TestCLIIntegration::test_scan_nonexistent_dir PASSED [ 94%]
tests/test_scanner.py::TestCLIIntegration::test_remove_dry_run PASSED [ 97%]
tests/test_scanner.py::TestCLIIntegration::test_stats_command PASSED [100%]
============================= 39 passed in 0.59s ============================== — 39 passed
Risks/rollback
Follow-ups
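The two hardening settings named in the commit message above (a top-level `permissions` block and `persist-credentials: false` on every checkout step) can be checked mechanically across workflow files. The following is an added example, not code from this pull request or repository; the workflow texts are constructed samples, and `audit_workflow` is a hypothetical helper that uses line-based heuristics rather than a YAML parser.

```python
import re

# Constructed sample workflows, not the repository's real files.
WEAK = """\
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
"""

HARDENED = """\
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/setup-python@v6
"""

def audit_workflow(text):
    """Return findings for one workflow file (hypothetical helper, heuristic)."""
    # Drop comment lines so a commented-out setting does not count.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    findings = []
    # Top-level keys sit in column 0. Without 'permissions:' there, jobs that set
    # none of their own get the repository's default GITHUB_TOKEN scope.
    top = re.search(r"(?m)^permissions[ \t]*:[ \t]*(\S*)", text)
    if top is None:
        findings.append("no top-level permissions block")
    elif top.group(1) == "write-all":
        findings.append("top-level permissions is write-all")
    # One chunk per YAML list item, so each step is read with its own 'with:' block.
    for step in re.split(r"(?m)^(?=[ \t]*-[ \t])", text):
        used = re.search(r"uses:\s*actions/checkout@(\S+)", step)
        if used and not re.search(r"persist-credentials:\s*['\"]?false\b", step):
            findings.append(f"actions/checkout@{used.group(1)} without persist-credentials: false")
    return findings

if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_workflow(wf))
```

By default `actions/checkout` leaves the job token in the checked-out repository's git configuration, where later steps in the same job can read it; `persist-credentials: false` removes that exposure.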