From 5bfc7f124a74965195a12a0584c54947e5f1f170 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Apr 2023 12:02:50 +0000 Subject: [PATCH 01/28] Bump black from 23.1.0 to 23.3.0 Bumps [black](https://github.com/psf/black) from 23.1.0 to 23.3.0. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](https://github.com/psf/black/compare/23.1.0...23.3.0) --- updated-dependencies: - dependency-name: black dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- poetry.lock | 54 +++++++++++++++++++++++++------------------------- pyproject.toml | 2 +- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/poetry.lock b/poetry.lock index 16ffb18..b4f3884 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -48,37 +48,37 @@ pytz = ">=2015.7" [[package]] name = "black" -version = "23.1.0" +version = "23.3.0" description = "The uncompromising code formatter." category = "dev" optional = false python-versions = ">=3.7" files = [ - {file = "black-23.1.0-cp310-cp310-macosx_10_16_arm64.whl", hash = "sha256:b6a92a41ee34b883b359998f0c8e6eb8e99803aa8bf3123bf2b2e6fec505a221"}, - {file = "black-23.1.0-cp310-cp310-macosx_10_16_universal2.whl", hash = "sha256:57c18c5165c1dbe291d5306e53fb3988122890e57bd9b3dcb75f967f13411a26"}, - {file = "black-23.1.0-cp310-cp310-macosx_10_16_x86_64.whl", hash = "sha256:9880d7d419bb7e709b37e28deb5e68a49227713b623c72b2b931028ea65f619b"}, - {file = "black-23.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e6663f91b6feca5d06f2ccd49a10f254f9298cc1f7f49c46e498a0771b507104"}, - {file = "black-23.1.0-cp310-cp310-win_amd64.whl", hash = "sha256:9afd3f493666a0cd8f8df9a0200c6359ac53940cbde049dcb1a7eb6ee2dd7074"}, - {file = "black-23.1.0-cp311-cp311-macosx_10_16_arm64.whl", hash = "sha256:bfffba28dc52a58f04492181392ee380e95262af14ee01d4bc7bb1b1c6ca8d27"}, - {file = "black-23.1.0-cp311-cp311-macosx_10_16_universal2.whl", hash = "sha256:c1c476bc7b7d021321e7d93dc2cbd78ce103b84d5a4cf97ed535fbc0d6660648"}, - {file = "black-23.1.0-cp311-cp311-macosx_10_16_x86_64.whl", hash = "sha256:382998821f58e5c8238d3166c492139573325287820963d2f7de4d518bd76958"}, - {file = "black-23.1.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2bf649fda611c8550ca9d7592b69f0637218c2369b7744694c5e4902873b2f3a"}, - {file = "black-23.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:121ca7f10b4a01fd99951234abdbd97728e1240be89fde18480ffac16503d481"}, - {file = "black-23.1.0-cp37-cp37m-macosx_10_16_x86_64.whl", hash = "sha256:a8471939da5e824b891b25751955be52ee7f8a30a916d570a5ba8e0f2eb2ecad"}, - {file = "black-23.1.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:8178318cb74f98bc571eef19068f6ab5613b3e59d4f47771582f04e175570ed8"}, - {file = "black-23.1.0-cp37-cp37m-win_amd64.whl", hash = "sha256:a436e7881d33acaf2536c46a454bb964a50eff59b21b51c6ccf5a40601fbef24"}, - {file = "black-23.1.0-cp38-cp38-macosx_10_16_arm64.whl", hash = "sha256:a59db0a2094d2259c554676403fa2fac3473ccf1354c1c63eccf7ae65aac8ab6"}, - {file = "black-23.1.0-cp38-cp38-macosx_10_16_universal2.whl", hash = "sha256:0052dba51dec07ed029ed61b18183942043e00008ec65d5028814afaab9a22fd"}, - {file = "black-23.1.0-cp38-cp38-macosx_10_16_x86_64.whl", hash = "sha256:49f7b39e30f326a34b5c9a4213213a6b221d7ae9d58ec70df1c4a307cf2a1580"}, - {file = "black-23.1.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:162e37d49e93bd6eb6f1afc3e17a3d23a823042530c37c3c42eeeaf026f38468"}, - {file = "black-23.1.0-cp38-cp38-win_amd64.whl", hash = "sha256:8b70eb40a78dfac24842458476135f9b99ab952dd3f2dab738c1881a9b38b753"}, - {file = "black-23.1.0-cp39-cp39-macosx_10_16_arm64.whl", hash = "sha256:a29650759a6a0944e7cca036674655c2f0f63806ddecc45ed40b7b8aa314b651"}, - {file = "black-23.1.0-cp39-cp39-macosx_10_16_universal2.whl", hash = "sha256:bb460c8561c8c1bec7824ecbc3ce085eb50005883a6203dcfb0122e95797ee06"}, - {file = "black-23.1.0-cp39-cp39-macosx_10_16_x86_64.whl", hash = "sha256:c91dfc2c2a4e50df0026f88d2215e166616e0c80e86004d0003ece0488db2739"}, - {file = "black-23.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2a951cc83ab535d248c89f300eccbd625e80ab880fbcfb5ac8afb5f01a258ac9"}, - {file = "black-23.1.0-cp39-cp39-win_amd64.whl", hash = "sha256:0680d4380db3719ebcfb2613f34e86c8e6d15ffeabcf8ec59355c5e7b85bb555"}, - {file = "black-23.1.0-py3-none-any.whl", hash = "sha256:7a0f701d314cfa0896b9001df70a530eb2472babb76086344e688829efd97d32"}, - {file = "black-23.1.0.tar.gz", hash = "sha256:b0bd97bea8903f5a2ba7219257a44e3f1f9d00073d6cc1add68f0beec69692ac"}, + {file = "black-23.3.0-cp310-cp310-macosx_10_16_arm64.whl", hash = 
"sha256:0945e13506be58bf7db93ee5853243eb368ace1c08a24c65ce108986eac65915"}, + {file = "black-23.3.0-cp310-cp310-macosx_10_16_universal2.whl", hash = "sha256:67de8d0c209eb5b330cce2469503de11bca4085880d62f1628bd9972cc3366b9"}, + {file = "black-23.3.0-cp310-cp310-macosx_10_16_x86_64.whl", hash = "sha256:7c3eb7cea23904399866c55826b31c1f55bbcd3890ce22ff70466b907b6775c2"}, + {file = "black-23.3.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:32daa9783106c28815d05b724238e30718f34155653d4d6e125dc7daec8e260c"}, + {file = "black-23.3.0-cp310-cp310-win_amd64.whl", hash = "sha256:35d1381d7a22cc5b2be2f72c7dfdae4072a3336060635718cc7e1ede24221d6c"}, + {file = "black-23.3.0-cp311-cp311-macosx_10_16_arm64.whl", hash = "sha256:a8a968125d0a6a404842fa1bf0b349a568634f856aa08ffaff40ae0dfa52e7c6"}, + {file = "black-23.3.0-cp311-cp311-macosx_10_16_universal2.whl", hash = "sha256:c7ab5790333c448903c4b721b59c0d80b11fe5e9803d8703e84dcb8da56fec1b"}, + {file = "black-23.3.0-cp311-cp311-macosx_10_16_x86_64.whl", hash = "sha256:a6f6886c9869d4daae2d1715ce34a19bbc4b95006d20ed785ca00fa03cba312d"}, + {file = "black-23.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6f3c333ea1dd6771b2d3777482429864f8e258899f6ff05826c3a4fcc5ce3f70"}, + {file = "black-23.3.0-cp311-cp311-win_amd64.whl", hash = "sha256:11c410f71b876f961d1de77b9699ad19f939094c3a677323f43d7a29855fe326"}, + {file = "black-23.3.0-cp37-cp37m-macosx_10_16_x86_64.whl", hash = "sha256:1d06691f1eb8de91cd1b322f21e3bfc9efe0c7ca1f0e1eb1db44ea367dff656b"}, + {file = "black-23.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:50cb33cac881766a5cd9913e10ff75b1e8eb71babf4c7104f2e9c52da1fb7de2"}, + {file = "black-23.3.0-cp37-cp37m-win_amd64.whl", hash = "sha256:e114420bf26b90d4b9daa597351337762b63039752bdf72bf361364c1aa05925"}, + {file = "black-23.3.0-cp38-cp38-macosx_10_16_arm64.whl", hash = 
"sha256:48f9d345675bb7fbc3dd85821b12487e1b9a75242028adad0333ce36ed2a6d27"}, + {file = "black-23.3.0-cp38-cp38-macosx_10_16_universal2.whl", hash = "sha256:714290490c18fb0126baa0fca0a54ee795f7502b44177e1ce7624ba1c00f2331"}, + {file = "black-23.3.0-cp38-cp38-macosx_10_16_x86_64.whl", hash = "sha256:064101748afa12ad2291c2b91c960be28b817c0c7eaa35bec09cc63aa56493c5"}, + {file = "black-23.3.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:562bd3a70495facf56814293149e51aa1be9931567474993c7942ff7d3533961"}, + {file = "black-23.3.0-cp38-cp38-win_amd64.whl", hash = "sha256:e198cf27888ad6f4ff331ca1c48ffc038848ea9f031a3b40ba36aced7e22f2c8"}, + {file = "black-23.3.0-cp39-cp39-macosx_10_16_arm64.whl", hash = "sha256:3238f2aacf827d18d26db07524e44741233ae09a584273aa059066d644ca7b30"}, + {file = "black-23.3.0-cp39-cp39-macosx_10_16_universal2.whl", hash = "sha256:f0bd2f4a58d6666500542b26354978218a9babcdc972722f4bf90779524515f3"}, + {file = "black-23.3.0-cp39-cp39-macosx_10_16_x86_64.whl", hash = "sha256:92c543f6854c28a3c7f39f4d9b7694f9a6eb9d3c5e2ece488c327b6e7ea9b266"}, + {file = "black-23.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3a150542a204124ed00683f0db1f5cf1c2aaaa9cc3495b7a3b5976fb136090ab"}, + {file = "black-23.3.0-cp39-cp39-win_amd64.whl", hash = "sha256:6b39abdfb402002b8a7d030ccc85cf5afff64ee90fa4c5aebc531e3ad0175ddb"}, + {file = "black-23.3.0-py3-none-any.whl", hash = "sha256:ec751418022185b0c1bb7d7736e6933d40bbb14c14a0abcf9123d1b159f98dd4"}, + {file = "black-23.3.0.tar.gz", hash = "sha256:1c7b8d606e728a41ea1ccbd7264677e494e87cf630e399262ced92d4a8dac940"}, ] [package.dependencies] @@ -1382,4 +1382,4 @@ gunicorn = ["gunicorn"] [metadata] lock-version = "2.0" python-versions = "^3.8" -content-hash = "6267eb0710adb7ac59ce0edc491733e5a80758a74b041992fd949d5ee6a95fef" +content-hash = "8215c5a741d267aed53f90ea1e0d4a59bdf51b42dca5ae844adc577f3117a13c" 
diff --git a/pyproject.toml b/pyproject.toml index 55c12b4..cb689c7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -57,7 +57,7 @@ gunicorn = {version = "^20.1.0", optional = true} pytest = "^7.2.1" Flask-Testing = "^0.8.1" requests = "^2.28.2" -black = "^23.1.0" +black = "^23.3.0" pre-commit = "^3.1.0" [tool.poetry.extras] From ab76b9e51f906150253eceb188f0915b4d8feab1 Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Wed, 26 Apr 2023 11:11:32 +0200 Subject: [PATCH 02/28] Use trusted provider flow to publish to pypi (start with test) --- .github/workflows/python-publish.yml | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index acc8208..1ba2259 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -4,11 +4,30 @@ on: tags: - "v*.*.*" jobs: - build: + publish: runs-on: ubuntu-latest + permissions: + # IMPORTANT: this permission is mandatory for trusted publishing + id-token: write + steps: - uses: actions/checkout@v2 - - name: Build and publish to pypi - uses: JRubics/poetry-publish@v1.10 + + - uses: actions/setup-python@v4 with: - pypi_token: ${{ secrets.PYPI_TOKEN }} + python-version: '3.8' # use the oldest supported Python version for publishing + + - name: Build Package + run: | + pip install poetry + poetry install + poetry build + + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ + + + + From ce0f66112ac34ebf0c72c5bbaf6606b5305a3441 Mon Sep 17 00:00:00 2001 
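Review bot: The `pip install poetry` line in the new Build Package step installs whichever Poetry release PyPI serves on the day the tag is pushed, so the artifact that trusted publishing uploads is produced by an unpinned tool the lockfile does not cover; pin it, e.g. `pip install poetry==<PINNED_POETRY_VERSION>` (placeholder for the version the project tests with). `poetry install` before `poetry build` pulls the full dependency tree into the publishing job although building an sdist/wheel does not appear to need it, which widens the supply-chain surface of the one job that holds an OIDC token. The `repository-url: https://test.pypi.org/legacy/` line matches the "start with test" in the subject, but the trigger is the production `v*.*.*` tag, so a comment on that line such as `# TODO(release): drop to publish to pypi.org` keeps the switch from being forgotten. `actions/checkout@v2` is a Node 12-era major; the test and CodeQL workflows on this page use v3.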
From: Maic Siemering Date: Wed, 26 Apr 2023 11:13:01 +0200 Subject: [PATCH 03/28] =?UTF-8?q?Bump=20version:=204.5.1=20=E2=86=92=204.5?= =?UTF-8?q?.2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .bumpversion.cfg | 2 +- doc/conf.py | 4 ++-- pyproject.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 32bf360..6b1d1ba 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 4.5.1 +current_version = 4.5.2 [bumpversion:file:pyproject.toml] diff --git a/doc/conf.py b/doc/conf.py index 89528f9..06d52f9 100644 --- a/doc/conf.py +++ b/doc/conf.py @@ -60,9 +60,9 @@ # built documents. # # The short X.Y version. -version = "4.5.1" +version = "4.5.2" # The full version, including alpha/beta/rc tags. -release = "4.5.1" +release = "4.5.2" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/pyproject.toml b/pyproject.toml index cb689c7..7980e69 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "openbrokerapi" -version = "4.5.1" +version = "4.5.2" description = "A python package for the V2 CF Service Broker API and Open Broker API (version 2.13+)" authors = ["Maic Siemering "] license = "MIT" From bf023e4afceeebbf63c540f0d3a6b45509776cd6 Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Wed, 26 Apr 2023 11:16:54 +0200 Subject: [PATCH 04/28] Use release environment --- .github/workflows/python-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 1ba2259..1a76d4d 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -6,6 +6,7 @@ on: jobs: publish: runs-on: ubuntu-latest + environment: release permissions: # IMPORTANT: this permission is mandatory for trusted publishing id-token: write 
From aa8529a763f44c2455272c6b484dd8128a7123cf Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Wed, 26 Apr 2023 11:39:35 +0200 Subject: [PATCH 05/28] Create SECURITY.md --- SECURITY.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..eef65a8 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,13 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| >=4.5.x | :white_check_mark: | +| <4.5 | :x: | + +## Reporting a Vulnerability + +In case of any vulnerability please inform the [project owner maintainer](mailto:openbrokerapi@googlegroups.com) +We will respond with a couple of days. From de5fb05efb0c6c56678c15862cf73db0c7bd3edf Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Wed, 26 Apr 2023 11:59:45 +0200 Subject: [PATCH 06/28] Add OpenSSF Badge --- README.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.rst b/README.rst index 6e342c6..63497df 100644 --- a/README.rst +++ b/README.rst @@ -1,4 +1,4 @@ -|Build Status| |Coverage Status| |Known Vulnerabilities| |PYUP| +|Build Status| |Coverage Status| |Known Vulnerabilities| |PYUP| |OpenSSF Best Practices| Open Broker API =============== @@ -163,8 +163,6 @@ So let us check how you can contribute: - Always add tests for your feature, if you are not familiar with writing tests, ask for help. - Hint: To update your fork with the newest changes, follow `these instructions `_. -[ ~ Dependencies scanned by PyUp.io ~ ] - .. _Github Issues: https://github.com/eruvanos/openbrokerapi/issues .. |Build Status| image:: https://github.com/eruvanos/openbrokerapi/actions/workflows/python-test.yml/badge.svg 
@@ -175,3 +173,5 @@ So let us check how you can contribute: :target: https://github.com/eruvanos/openbrokerapi/actions/workflows/codeql.yml .. |PYUP| image:: https://pyup.io/repos/github/eruvanos/openbrokerapi/shield.svg :target: https://pyup.io/repos/github/eruvanos/openbrokerapi/ +.. |OpenSSF Best Practices| image:: https://bestpractices.coreinfrastructure.org/projects/7220/badge + :target: https://bestpractices.coreinfrastructure.org/projects/7220/badge)](https://bestpractices.coreinfrastructure.org/projects/7220 From 48312476d1e969123ef22ecc940e08c10d7b5deb Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Wed, 26 Apr 2023 11:17:21 +0200 Subject: [PATCH 07/28] =?UTF-8?q?Bump=20version:=204.5.2=20=E2=86=92=204.5?= =?UTF-8?q?.3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .bumpversion.cfg | 2 +- doc/conf.py | 4 ++-- pyproject.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 6b1d1ba..85d9467 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 4.5.2 +current_version = 4.5.3 [bumpversion:file:pyproject.toml] diff --git a/doc/conf.py b/doc/conf.py index 06d52f9..80f462f 100644 --- a/doc/conf.py +++ b/doc/conf.py @@ -60,9 +60,9 @@ # built documents. # # The short X.Y version. -version = "4.5.2" +version = "4.5.3" # The full version, including alpha/beta/rc tags. -release = "4.5.2" +release = "4.5.3" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/pyproject.toml b/pyproject.toml index 7980e69..dda864b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "openbrokerapi" -version = "4.5.2" +version = "4.5.3" description = "A python package for the V2 CF Service Broker API and Open Broker API (version 2.13+)" authors = ["Maic Siemering "] license = "MIT" 
From c796676571925b13f47c568382d7fcc0140945ee Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Wed, 26 Apr 2023 11:19:45 +0200 Subject: [PATCH 08/28] =?UTF-8?q?Bump=20version:=204.5.3=20=E2=86=92=204.5?= =?UTF-8?q?.4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .bumpversion.cfg | 2 +- doc/conf.py | 4 ++-- pyproject.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 85d9467..bc0875a 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 4.5.3 +current_version = 4.5.4 [bumpversion:file:pyproject.toml] diff --git a/doc/conf.py b/doc/conf.py index 80f462f..0e11d33 100644 --- a/doc/conf.py +++ b/doc/conf.py @@ -60,9 +60,9 @@ # built documents. # # The short X.Y version. -version = "4.5.3" +version = "4.5.4" # The full version, including alpha/beta/rc tags. -release = "4.5.3" +release = "4.5.4" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/pyproject.toml b/pyproject.toml index dda864b..3a3eb3b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "openbrokerapi" -version = "4.5.3" +version = "4.5.4" description = "A python package for the V2 CF Service Broker API and Open Broker API (version 2.13+)" authors = ["Maic Siemering "] license = "MIT" From 7f4964862fd0c82c9381a787f654619df7020350 Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Wed, 26 Apr 2023 12:08:07 +0200 Subject: [PATCH 09/28] Restrict github token in workflows --- .github/workflows/codeql.yml | 3 +++ .github/workflows/python-publish.yml | 4 ++++ .github/workflows/python-test.yml | 3 +++ 3 files changed, 10 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3e5a1e4..e2afa86 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -11,6 +11,9 @@ # name: "CodeQL" +permissions: + contents: read + on: push: branches: [ "main" ] diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 1a76d4d..31fd648 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -3,6 +3,10 @@ on: push: tags: - "v*.*.*" + +permissions: + contents: read + jobs: publish: runs-on: ubuntu-latest diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml index a4cdf85..b01e4d0 100644 --- a/.github/workflows/python-test.yml +++ b/.github/workflows/python-test.yml @@ -9,6 +9,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: test: From 4f909b469ee37ad132b3fd9af01f7abc47435dee Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Wed, 26 Apr 2023 10:10:50 +0000 Subject: [PATCH 10/28] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 6 ++++++ .github/workflows/codeql.yml | 8 ++++---- .github/workflows/python-publish.yml | 6 +++--- .github/workflows/python-test.yml | 4 ++-- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 91abb11..87d353c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,9 @@ updates: directory: "/" # Location of package manifests schedule: interval: "weekly" + + + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e2afa86..366f1b2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
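Review bot: The new top-level `permissions: contents: read` in codeql.yml is inherited by the analyze job unless that job declares its own `permissions:` block, and CodeQL's results upload needs `security-events: write` (plus `actions: read` on private repositories); the job definition is outside this hunk, so if it has no block of its own the analysis step will start failing on upload. Either confirm the job-level block exists or add `security-events: write` there, keeping `contents: read` as the workflow-wide default. The python-test.yml hunk has the same shape; whether its job needs more than read access is not visible here.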
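Review bot: In python-publish.yml the job-level `permissions:` block of the publish job (`id-token: write`) replaces the new top-level `contents: read` rather than merging with it, so that job's GITHUB_TOKEN ends up with no `contents` scope at all; the checkout step is outside this hunk, so whether it still succeeds without a content-scoped token is not visible here. Listing `contents: read` in the job block next to `id-token: write` makes the intended scope explicit and independent of that override behaviour.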
@@ -45,11 +45,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml @@ -64,7 +64,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -77,6 +77,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 31fd648..993c0b4 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -16,9 +16,9 @@ jobs: id-token: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - - uses: actions/setup-python@v4 + - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: '3.8' # use the oldest supported Python version for publishing 
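Review bot: The pin for the publish job keeps `actions/checkout` on the v2 line (`ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0`) while the codeql and python-test hunks in this same commit pin the v3 line (`8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2`); v2 runs on the deprecated Node 12 runtime, and the mismatch leaves the one job that can mint a PyPI OIDC token on the oldest checkout. Using the same `- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2` here keeps the three workflows on one reviewed pin. The version comment after each SHA is what dependabot uses when proposing bumps to SHA pins, so it should stay accurate as pins move.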
@@ -29,7 +29,7 @@ jobs: poetry build - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # release/v1 with: repository-url: https://test.pypi.org/legacy/ diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml index b01e4d0..beed197 100644 --- a/.github/workflows/python-test.yml +++ b/.github/workflows/python-test.yml @@ -22,9 +22,9 @@ jobs: python-version: ["3.8", "3.9", "3.10", "3.11"] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v3 + uses: actions/setup-python@48e4ac706204bab735867521ba54b3276c883d00 # v3.1.3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies From 1057ef31830dc0a5dbcfaab2f3687a3097927f96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Apr 2023 10:17:21 +0000 Subject: [PATCH 11/28] Bump flask from 2.2.3 to 2.3.1 Bumps [flask](https://github.com/pallets/flask) from 2.2.3 to 2.3.1. - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/2.3.1/CHANGES.rst) - [Commits](https://github.com/pallets/flask/compare/2.2.3...2.3.1) --- updated-dependencies: - dependency-name: flask dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- poetry.lock | 43 ++++++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 15 deletions(-) diff --git a/poetry.lock b/poetry.lock index b4f3884..edae4de 100644 --- a/poetry.lock +++ b/poetry.lock 
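Review bot: The pin `pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # release/v1` annotates the SHA with a branch name rather than a release tag, so a reader cannot tell which version the SHA corresponds to and dependabot has no version to compare against when proposing bumps; replace the comment with the tag that resolves to that commit, `# <RELEASE_TAG>` (placeholder; look it up in the action's releases). In python-test.yml the same commit pins `actions/setup-python` at v3.1.3 while python-publish.yml pins v4.6.0; aligning the test matrix on the v4 pin avoids carrying two reviewed SHAs for one action.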
@@ -96,6 +96,18 @@ d = ["aiohttp (>=3.7.4)"]
 jupyter = ["ipython (>=7.8.0)", "tokenize-rt (>=3.2.0)"]
 uvloop = ["uvloop (>=0.15.2)"]
 
+[[package]]
+name = "blinker"
+version = "1.6.2"
+description = "Fast, simple object-to-object and broadcast signaling"
+category = "main"
+optional = false
+python-versions = ">=3.7"
+files = [
+ {file = "blinker-1.6.2-py3-none-any.whl", hash = "sha256:c3d739772abb7bc2860abf5f2ec284223d9ad5c76da018234f6f50d6f31ab1f0"},
+ {file = "blinker-1.6.2.tar.gz", hash = "sha256:4afd3de66ef3a9f8067559fb7a1cbe555c17dcbe15971b05d1b625c3e7abe213"},
+]
+
 [[package]]
 name = "bump2version"
 version = "1.0.1"
@@ -405,23 +417,24 @@ docs = ["furo (>=2022.12.7)", "sphinx (>=5.3)", "sphinx-autodoc-typehints (>=1.1
 testing = ["covdefaults (>=2.2.2)", "coverage (>=7.0.1)", "pytest (>=7.2)", "pytest-cov (>=4)", "pytest-timeout (>=2.1)"]
 
 [[package]]
-name = "Flask"
-version = "2.2.3"
+name = "flask"
+version = "2.3.1"
 description = "A simple framework for building complex web applications."
 category = "main"
 optional = false
-python-versions = ">=3.7"
+python-versions = ">=3.8"
 files = [
- {file = "Flask-2.2.3-py3-none-any.whl", hash = "sha256:c0bec9477df1cb867e5a67c9e1ab758de9cb4a3e52dd70681f59fa40a62b3f2d"},
- {file = "Flask-2.2.3.tar.gz", hash = "sha256:7eb373984bf1c770023fce9db164ed0c3353cd0b53f130f4693da0ca756a2e6d"},
+ {file = "Flask-2.3.1-py3-none-any.whl", hash = "sha256:8ba2a854608fdd603b67dccd4514a46450132227fb9df40127a8d0c1de8769ec"},
+ {file = "Flask-2.3.1.tar.gz", hash = "sha256:a6059db4297106e5a64b3215fa16ae641822c1cb97ecb498573549b2478602cb"},
 ]
 
 [package.dependencies]
-click = ">=8.0"
+blinker = ">=1.6.2"
+click = ">=8.1.3"
 importlib-metadata = {version = ">=3.6.0", markers = "python_version < \"3.10\""}
-itsdangerous = ">=2.0"
-Jinja2 = ">=3.0"
-Werkzeug = ">=2.2.2"
+itsdangerous = ">=2.1.2"
+Jinja2 = ">=3.1.2"
+Werkzeug = ">=2.3.0"
 
 [package.extras]
 async = ["asgiref (>=3.2)"]
@@ -1268,22 +1281,22 @@ docs = ["furo (>=2022.12.7)", "proselint (>=0.13)", "sphinx (>=6.1.3)", "sphinx- test = ["covdefaults (>=2.2.2)", "coverage (>=7.1)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23)", "pytest (>=7.2.1)", "pytest-env (>=0.8.1)", "pytest-freezegun (>=0.4.2)", "pytest-mock (>=3.10)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)"] [[package]] -name = "Werkzeug" -version = "2.2.3" +name = "werkzeug" +version = "2.3.0" description = "The comprehensive WSGI web application library." category = "main" optional = false -python-versions = ">=3.7" +python-versions = ">=3.8" files = [ - {file = "Werkzeug-2.2.3-py3-none-any.whl", hash = "sha256:56433961bc1f12533306c624f3be5e744389ac61d722175d543e1751285da612"}, - {file = "Werkzeug-2.2.3.tar.gz", hash = "sha256:2e1ccc9417d4da358b9de6f174e3ac094391ea1d4fbef2d667865d819dfd0afe"}, + {file = "Werkzeug-2.3.0-py3-none-any.whl", hash = "sha256:340335057f72974d9281dbaf52c8090a9f9a59ba304ae814bf0656e6559c0020"}, + {file = "Werkzeug-2.3.0.tar.gz", hash = "sha256:3b6b46926d052b8ebca97c4dc73c12e47bdd07d57ab0600c039c3155450227bc"}, ] [package.dependencies] MarkupSafe = ">=2.1.1" [package.extras] -watchdog = ["watchdog"] +watchdog = ["watchdog (>=2.3)"] [[package]] name = "zipp" From ca9f8c21ae6ff60fbaf2b27dc970bd1053185173 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Apr 2023 10:17:01 +0000 Subject: [PATCH 12/28] Bump sphinx from 6.1.3 to 6.2.1 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 6.1.3 to 6.2.1. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v6.1.3...v6.2.1) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- poetry.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/poetry.lock b/poetry.lock index edae4de..6bd7748 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1053,22 +1053,22 @@ files = [ ] [[package]] -name = "Sphinx" -version = "6.1.3" +name = "sphinx" +version = "6.2.1" description = "Python documentation generator" category = "main" optional = true python-versions = ">=3.8" files = [ - {file = "Sphinx-6.1.3.tar.gz", hash = "sha256:0dac3b698538ffef41716cf97ba26c1c7788dba73ce6f150c1ff5b4720786dd2"}, - {file = "sphinx-6.1.3-py3-none-any.whl", hash = "sha256:807d1cb3d6be87eb78a381c3e70ebd8d346b9a25f3753e9947e866b2786865fc"}, + {file = "Sphinx-6.2.1.tar.gz", hash = "sha256:6d56a34697bb749ffa0152feafc4b19836c755d90a7c59b72bc7dfd371b9cc6b"}, + {file = "sphinx-6.2.1-py3-none-any.whl", hash = "sha256:97787ff1fa3256a3eef9eda523a63dbf299f7b47e053cfcf684a1c2a8380c912"}, ] [package.dependencies] alabaster = ">=0.7,<0.8" babel = ">=2.9" colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""} -docutils = ">=0.18,<0.20" +docutils = ">=0.18.1,<0.20" imagesize = ">=1.3" importlib-metadata = {version = ">=4.8", markers = "python_version < \"3.10\""} Jinja2 = ">=3.0" @@ -1086,7 +1086,7 @@ sphinxcontrib-serializinghtml = ">=1.1.5" [package.extras] docs = ["sphinxcontrib-websupport"] lint = ["docutils-stubs", "flake8 (>=3.5.0)", "flake8-simplify", "isort", "mypy (>=0.990)", "ruff", "sphinx-lint", "types-requests"] -test = ["cython", "html5lib", "pytest (>=4.6)"] +test = ["cython", "filelock", "html5lib", "pytest (>=4.6)"] [[package]] name = "sphinx-rtd-theme" From bf6863fb7cd9a91efa38fe4d5273decd91b347b4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Apr 2023 12:02:54 +0000 Subject: [PATCH 13/28] Bump pytest from 7.2.1 to 7.3.1 Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.2.1 to 7.3.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.2.1...7.3.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- poetry.lock | 30 +++++------------------------- pyproject.toml | 2 +- 2 files changed, 6 insertions(+), 26 deletions(-) diff --git a/poetry.lock b/poetry.lock index 6bd7748..1b862f8 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -12,25 +12,6 @@ files = [
 {file = "alabaster-0.7.13.tar.gz", hash = "sha256:a27a4a084d5e690e16e01e03ad2b2e552c61a65469419b907243193de1a84ae2"},
 ]
 
-[[package]]
-name = "attrs"
-version = "22.2.0"
-description = "Classes Without Boilerplate"
-category = "dev"
-optional = false
-python-versions = ">=3.6"
-files = [
- {file = "attrs-22.2.0-py3-none-any.whl", hash = "sha256:29e95c7f6778868dbd49170f98f8818f78f3dc5e0e37c0b1f474e3561b240836"},
- {file = "attrs-22.2.0.tar.gz", hash = "sha256:c9227bfc2f01993c03f68db37d1d15c9690188323c067c641f1a35ca58185f99"},
-]
-
-[package.extras]
-cov = ["attrs[tests]", "coverage-enable-subprocess", "coverage[toml] (>=5.3)"]
-dev = ["attrs[docs,tests]"]
-docs = ["furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-towncrier", "towncrier", "zope.interface"]
-tests = ["attrs[tests-no-zope]", "zope.interface"]
-tests-no-zope = ["cloudpickle", "cloudpickle", "hypothesis", "hypothesis", "mypy (>=0.971,<0.990)", "mypy (>=0.971,<0.990)", "pympler", "pympler", "pytest (>=4.3.0)", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-mypy-plugins", "pytest-xdist[psutil]", "pytest-xdist[psutil]"]
-
 [[package]]
 name = "Babel"
 version = "2.11.0"
@@ -917,18 +898,17 @@ plugins = ["importlib-metadata"] [[package]] name = "pytest" -version = "7.2.1" +version = "7.3.1" description = "pytest: simple powerful testing with Python" category = "dev" optional = false python-versions = ">=3.7" files = [ - {file = "pytest-7.2.1-py3-none-any.whl", hash = "sha256:c7c6ca206e93355074ae32f7403e8ea12163b1163c976fee7d4d84027c162be5"}, - {file = "pytest-7.2.1.tar.gz", hash = "sha256:d45e0952f3727241918b8fd0f376f5ff6b301cc0777c6f9a556935c92d8a7d42"}, + {file = "pytest-7.3.1-py3-none-any.whl", hash = "sha256:3799fa815351fea3a5e96ac7e503a96fa51cc9942c3753cda7651b93c1cfa362"}, + {file = "pytest-7.3.1.tar.gz", hash = "sha256:434afafd78b1d78ed0addf160ad2b77a30d35d4bdf8af234fe621919d9ed15e3"}, ] [package.dependencies] -attrs = ">=19.2.0" colorama = {version = "*", markers = "sys_platform == \"win32\""} exceptiongroup = {version = ">=1.0.0rc8", markers = "python_version < \"3.11\""} iniconfig = "*" @@ -937,7 +917,7 @@ pluggy = ">=0.12,<2.0" tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} [package.extras] -testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "xmlschema"] +testing = ["argcomplete", "attrs (>=19.2.0)", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "xmlschema"] [[package]] name = "pytz" @@ -1395,4 +1375,4 @@ gunicorn = ["gunicorn"] [metadata] lock-version = "2.0" python-versions = "^3.8" -content-hash = "8215c5a741d267aed53f90ea1e0d4a59bdf51b42dca5ae844adc577f3117a13c" +content-hash = "5295dcb2561ec48f9a01b66a12703f7ec0727fba8214bdd1efa24a2239387131" diff --git a/pyproject.toml b/pyproject.toml index 3a3eb3b..d8423df 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -54,7 +54,7 @@ gunicorn = {version = "^20.1.0", optional = true} [tool.poetry.dev-dependencies] -pytest = "^7.2.1" +pytest = "^7.3.1" Flask-Testing = "^0.8.1" requests = "^2.28.2" black = "^23.3.0" 
From b54623f5696a6fcdc24963bd57d179dbcc2eabbc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Apr 2023 11:29:07 +0000 Subject: [PATCH 14/28] Bump pre-commit from 3.1.0 to 3.2.2 Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 3.1.0 to 3.2.2. - [Release notes](https://github.com/pre-commit/pre-commit/releases) - [Changelog](https://github.com/pre-commit/pre-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/pre-commit/pre-commit/compare/v3.1.0...v3.2.2) --- updated-dependencies: - dependency-name: pre-commit dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- poetry.lock | 8 ++++---- pyproject.toml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/poetry.lock b/poetry.lock index 1b862f8..dec9ba0 100644 --- a/poetry.lock +++ b/poetry.lock @@ -852,14 +852,14 @@ testing = ["pytest", "pytest-benchmark"] [[package]] name = "pre-commit" -version = "3.1.0" +version = "3.2.2" description = "A framework for managing and maintaining multi-language pre-commit hooks." category = "dev" optional = false python-versions = ">=3.8" files = [ - {file = "pre_commit-3.1.0-py2.py3-none-any.whl", hash = "sha256:7001dfcd174540658822b1fd3630ceadf4f41375a5d1844b5c3b3830f227348c"}, - {file = "pre_commit-3.1.0.tar.gz", hash = "sha256:61bd9f1b96d3d1e763f2a9a0f8522aed341646800642ff6803c73fac5781f5b7"}, + {file = "pre_commit-3.2.2-py2.py3-none-any.whl", hash = "sha256:0b4210aea813fe81144e87c5a291f09ea66f199f367fa1df41b55e1d26e1e2b4"}, + {file = "pre_commit-3.2.2.tar.gz", hash = "sha256:5b808fcbda4afbccf6d6633a56663fed35b6c2bc08096fd3d47ce197ac351d9d"}, ] [package.dependencies] 
@@ -1375,4 +1375,4 @@ gunicorn = ["gunicorn"] [metadata] lock-version = "2.0" python-versions = "^3.8" -content-hash = "5295dcb2561ec48f9a01b66a12703f7ec0727fba8214bdd1efa24a2239387131" +content-hash = "96215cb28bc1074b10bc5df106bf57776d70c13c6c7e49f766f82dd3e3335d41" diff --git a/pyproject.toml b/pyproject.toml index d8423df..e925f62 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -58,7 +58,7 @@ pytest = "^7.3.1" Flask-Testing = "^0.8.1" requests = "^2.28.2" black = "^23.3.0" -pre-commit = "^3.1.0" +pre-commit = "^3.2.2" [tool.poetry.extras] docs = ["sphinx", "sphinx_rtd_theme"] From 60c4829a0b326f74952b30820aeff1e218ced83f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 May 2023 00:35:04 +0000 Subject: [PATCH 15/28] Bump flask from 2.3.1 to 2.3.2 Bumps [flask](https://github.com/pallets/flask) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/flask/compare/2.3.1...2.3.2) --- updated-dependencies: - dependency-name: flask dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- poetry.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/poetry.lock b/poetry.lock index dec9ba0..234ad08 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -399,14 +399,14 @@ testing = ["covdefaults (>=2.2.2)", "coverage (>=7.0.1)", "pytest (>=7.2)", "pyt [[package]] name = "flask" -version = "2.3.1" +version = "2.3.2" description = "A simple framework for building complex web applications." category = "main" optional = false python-versions = ">=3.8" files = [ - {file = "Flask-2.3.1-py3-none-any.whl", hash = "sha256:8ba2a854608fdd603b67dccd4514a46450132227fb9df40127a8d0c1de8769ec"}, - {file = "Flask-2.3.1.tar.gz", hash = "sha256:a6059db4297106e5a64b3215fa16ae641822c1cb97ecb498573549b2478602cb"}, + {file = "Flask-2.3.2-py3-none-any.whl", hash = "sha256:77fd4e1249d8c9923de34907236b747ced06e5467ecac1a7bb7115ae0e9670b0"}, + {file = "Flask-2.3.2.tar.gz", hash = "sha256:8c2f9abd47a9e8df7f0c3f091ce9497d011dc3b31effcf4c85a6e2b50f4114ef"}, ] [package.dependencies] @@ -415,7 +415,7 @@ click = ">=8.1.3" importlib-metadata = {version = ">=3.6.0", markers = "python_version < \"3.10\""} itsdangerous = ">=2.1.2" Jinja2 = ">=3.1.2" -Werkzeug = ">=2.3.0" +Werkzeug = ">=2.3.3" [package.extras] async = ["asgiref (>=3.2)"] @@ -1262,14 +1262,14 @@ test = ["covdefaults (>=2.2.2)", "coverage (>=7.1)", "coverage-enable-subprocess [[package]] name = "werkzeug" -version = "2.3.0" +version = "2.3.3" description = "The comprehensive WSGI web application library." category = "main" optional = false python-versions = ">=3.8" files = [ - {file = "Werkzeug-2.3.0-py3-none-any.whl", hash = "sha256:340335057f72974d9281dbaf52c8090a9f9a59ba304ae814bf0656e6559c0020"}, - {file = "Werkzeug-2.3.0.tar.gz", hash = "sha256:3b6b46926d052b8ebca97c4dc73c12e47bdd07d57ab0600c039c3155450227bc"}, + {file = "Werkzeug-2.3.3-py3-none-any.whl", hash = "sha256:4866679a0722de00796a74086238bb3b98d90f423f05de039abb09315487254a"}, + {file = "Werkzeug-2.3.3.tar.gz", hash = "sha256:a987caf1092edc7523edb139edb20c70571c4a8d5eed02e0b547b4739174d091"}, ] [package.dependencies] From 0eabde212626b70c7511cfe3445579a0ce572b3b Mon Sep 17 00:00:00 2001 
From: Maic Siemering Date: Tue, 2 May 2023 08:53:52 +0200 Subject: [PATCH 16/28] Update Changelog --- CHANGELOG.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 3681c10..761be9a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,13 @@ Changelog ============= +**4.5.5** + - Update Flask to 2.3.2: [CVE-2023-30861](https://github.com/advisories/GHSA-m2qf-hxjv-5gpq) + - Update pytest from 7.2.1 to 7.3.1 + - Use trusted provider flow to publish to pypi + +> Releases 4.5.1-4 were used to test the new github workflow and are only pushed to Test-PYPI + **4.5** - Drop Python 3.7 support - Update dependencies From e2868fb3f447f62be6bb292a52701bbc53d4558a Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Tue, 2 May 2023 08:56:31 +0200 Subject: [PATCH 17/28] Push release to pypi --- .github/workflows/python-publish.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 993c0b4..c1f4a8a 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -28,11 +28,13 @@ jobs: poetry install poetry build - - name: Publish package distributions to PyPI + - name: Publish package distributions to Test-PyPI uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # release/v1 with: repository-url: https://test.pypi.org/legacy/ + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # release/v1 From b6824e674c56b5618be7f3e7651d0446b36a68ea Mon Sep 17 00:00:00 2001 
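Review bot: The new PyPI publish step is appended to the same job that runs `poetry install` and `poetry build` (the context lines at the top of this hunk), and that job appears to be the one carrying `id-token: write` in the permissions block visible in a later commit of this series, so every dependency installed and every build hook executed before publishing runs with the ability to mint a PyPI trusted-publisher token. Moving the build into its own job that uploads `dist/` as an artifact, and giving `id-token: write` only to a separate publish job — ideally bound to a GitHub `environment` that the trusted publisher is restricted to — keeps the OIDC grant away from the install/build steps. Separately, the Test-PyPI step has no `skip-existing: true`, so a re-run after a partial failure will fail on the file already present on Test-PyPI and block the real PyPI upload that follows it. The enclosing job's name, `runs-on` and earlier steps lie outside this hunk, so the sketch below omits them.
```yaml
jobs:
  build:
    # … unchanged: runs-on, checkout, setup-python, poetry install, poetry build …
    steps:
      # … unchanged: existing build steps …
      - uses: actions/upload-artifact@v3  # pin to a commit SHA like the other actions
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi  # restrict the PyPI trusted publisher to this environment
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v3  # pin to a commit SHA like the other actions
        with:
          name: dist
          path: dist/
      - name: Publish package distributions to Test-PyPI
        uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # release/v1
```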
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 28 Apr 2023 12:06:13 +0000 Subject: [PATCH 18/28] Bump github/codeql-action from 2.3.0 to 2.3.2 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.0 to 2.3.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b2c19fb9a2a485599ccf4ed5d65527d94bc57226...f3feb00acb00f31a6f60280e6ace9ca31d91c76a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 366f1b2..e0da2a6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,7 +49,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + uses: github/codeql-action/init@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml @@ -64,7 +64,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + uses: github/codeql-action/autobuild@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 
@@ -77,6 +77,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + uses: github/codeql-action/analyze@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 with: category: "/language:${{matrix.language}}" From 8f1802ffe276b44b4ad5f3844492934d3e50cf98 Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Tue, 2 May 2023 09:22:43 +0200 Subject: [PATCH 19/28] Fix typo --- CHANGELOG.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 761be9a..442c48c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -6,7 +6,7 @@ Changelog - Update pytest from 7.2.1 to 7.3.1 - Use trusted provider flow to publish to pypi -> Releases 4.5.1-4 were used to test the new github workflow and are only pushed to Test-PYPI +> Releases 4.5.1-4 were used to test the new GitHub workflow and are only pushed to Test-PYPI **4.5** - Drop Python 3.7 support From a0abb652afbcf3eac2556b0cd86cebd9fec95972 Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Tue, 2 May 2023 09:23:20 +0200 Subject: [PATCH 20/28] =?UTF-8?q?Bump=20version:=204.5.4=20=E2=86=92=204.5?= =?UTF-8?q?.5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .bumpversion.cfg | 2 +- doc/conf.py | 4 ++-- pyproject.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index bc0875a..7c7489f 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 4.5.4 +current_version = 4.5.5 [bumpversion:file:pyproject.toml] diff --git a/doc/conf.py b/doc/conf.py index 0e11d33..7228eb8 100644 --- a/doc/conf.py +++ b/doc/conf.py 
@@ -60,9 +60,9 @@ # built documents. # # The short X.Y version. -version = "4.5.4" +version = "4.5.5" # The full version, including alpha/beta/rc tags. -release = "4.5.4" +release = "4.5.5" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/pyproject.toml b/pyproject.toml index e925f62..ffacb90 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "openbrokerapi" -version = "4.5.4" +version = "4.5.5" description = "A python package for the V2 CF Service Broker API and Open Broker API (version 2.13+)" authors = ["Maic Siemering "] license = "MIT" From c86201e3eecf77b6552ff983e66423bfd01aa68d Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Tue, 2 May 2023 14:58:19 +0200 Subject: [PATCH 21/28] Update readthedocs config --- .readthedocs.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.readthedocs.yml b/.readthedocs.yml index e058894..b9c1459 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -1,5 +1,14 @@ +# Required +version: 2 + +build: + os: "ubuntu-20.04" + tools: + python: "3.8" + python: - version: 3 - pip_install: true - extra_requirements: + install: + - method: pip + path: . + extra_requirements: - docs \ No newline at end of file From 0847093589050b21dc06058533ec637a9258c3af Mon Sep 17 00:00:00 2001 
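Review bot: The rewritten `.readthedocs.yml` still ends without a trailing newline (the `\ No newline at end of file` marker on the last hunk line); adding it keeps future diffs of this file clean. The `pip` install of `.` with the `docs` extra resolves `sphinx` and `sphinx_rtd_theme` unpinned at build time — `poetry.lock` is not consulted by this install method — so documentation builds pick up whatever the index serves on the day. If reproducible doc builds matter, pin or bound those two in the extras declaration or add a `requirements` entry generated from the lock; whether the `docs` extra has bounds depends on `pyproject.toml` lines outside this hunk, though the `docs = ["sphinx", "sphinx_rtd_theme"]` line visible in an earlier commit of this series shows none.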
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 May 2023 12:04:57 +0000 Subject: [PATCH 22/28] Bump pypa/gh-action-pypi-publish from 1.8.5 to 1.8.6 Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.8.5 to 1.8.6. - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/0bf742be3ebe032c25dd15117957dc15d0cfc38d...a56da0b891b3dc519c7ee3284aff1fad93cc8598) --- updated-dependencies: - dependency-name: pypa/gh-action-pypi-publish dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/python-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index c1f4a8a..1f19439 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -29,12 +29,12 @@ jobs: poetry build - name: Publish package distributions to Test-PyPI - uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # release/v1 + uses: pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598 # release/v1 with: repository-url: https://test.pypi.org/legacy/ - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # release/v1 + uses: pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598 # release/v1 From 8ed4de6878066df6dc631d237720ea4b369db13c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 May 2023 12:05:28 +0000 Subject: [PATCH 23/28] Bump actions/setup-python from 3.1.3 to 4.6.0 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.1.3 to 4.6.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v3.1.3...57ded4d7d5e986d7296eab16560982c6dd7c923b) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/python-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml index beed197..f66222b 100644 --- a/.github/workflows/python-test.yml +++ b/.github/workflows/python-test.yml @@ -24,7 +24,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@48e4ac706204bab735867521ba54b3276c883d00 # v3.1.3 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: ${{ matrix.python-version }} - name: Install dependencies From cf61054e92eaedf51c1bc70f98cf946aa64f4fe0 Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Tue, 2 May 2023 20:10:21 +0200 Subject: [PATCH 24/28] Add project infos to pypi --- pyproject.toml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pyproject.toml b/pyproject.toml index ffacb90..fe16f0b 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -44,6 +44,12 @@ classifiers = [ 'Programming Language :: Python :: 3.11', ] +[project.urls] +homepage = "https://github.com/eruvanos/openbrokerapi" +documentation = "https://openbrokerapi.readthedocs.io/" +repository = "https://github.com/eruvanos/openbrokerapi" +changelog = "https://github.com/eruvanos/openbrokerapi/blob/main/CHANGELOG.rst" + [tool.poetry.dependencies] python = "^3.8" Flask = "^2.2.3" From bd99bff0e5413821740080f21de54a187360562b Mon Sep 17 00:00:00 2001 From: Maic Siemering Date: Tue, 2 May 2023 20:33:18 +0200 Subject: [PATCH 25/28] Use poetry notation --- pyproject.toml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index fe16f0b..a1e83ec 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -44,11 +44,11 @@ classifiers = [ 'Programming Language :: Python :: 3.11', ] -[project.urls] -homepage = "https://github.com/eruvanos/openbrokerapi" -documentation = "https://openbrokerapi.readthedocs.io/" -repository = "https://github.com/eruvanos/openbrokerapi" -changelog = "https://github.com/eruvanos/openbrokerapi/blob/main/CHANGELOG.rst" + + +[tool.poetry.urls] +"Issue Tracker" = "https://github.com/eruvanos/openbrokerapi/issues" +"Changelog" = "https://github.com/eruvanos/openbrokerapi/blob/main/CHANGELOG.rst" [tool.poetry.dependencies] python = "^3.8" From cd5d31380d0b53fc6241f843dca23cb3d7dcfa1b Mon Sep 17 00:00:00 2001 
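Review bot: `Flask = "^2.2.3"`, the context line closing this hunk, is the constraint that consumers of this library actually resolve against, and it still admits the Flask releases affected by CVE-2023-30861 (including 2.3.1, the version this repository was on before the lockfile bump earlier in this series); the `poetry.lock` change and the changelog entry advertising the fix only pin this repository's own environment. If the fix is meant to reach downstream installs, raise the declared dependency as well, e.g. `Flask = "^2.3.2"`, and re-run `poetry lock` so the `content-hash` matches. Whether a patched 2.2.x release exists is not visible here; if 2.2 support matters, use an explicit range that excludes the affected versions instead of the caret.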
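Review bot: The replacement leaves two added blank lines where `[project.urls]` stood (the `+`/`+` pair before `[tool.poetry.urls]`), which together with the surrounding blank context line gives three consecutive blank lines between `classifiers` and the new table; one blank line is the convention elsewhere in this file. The `homepage`, `documentation` and `repository` links are dropped rather than moved — Poetry takes those as the `homepage`, `documentation` and `repository` keys of `[tool.poetry]`, and whether that table already carries them is not visible in this hunk (the `[tool.poetry]` header shown in an earlier commit of this series lists only `name`, `version`, `description`, `authors`, `license`), so they may no longer reach PyPI. If they are missing, add `homepage = "https://github.com/eruvanos/openbrokerapi"`, `repository = "https://github.com/eruvanos/openbrokerapi"` and `documentation = "https://openbrokerapi.readthedocs.io/"` under `[tool.poetry]`.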
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 May 2023 12:05:41 +0000 Subject: [PATCH 26/28] Bump github/codeql-action from 2.3.2 to 2.3.3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.2 to 2.3.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f3feb00acb00f31a6f60280e6ace9ca31d91c76a...29b1f65c5e92e24fe6b6647da1eaabe529cec70f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e0da2a6..8d3f071 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,7 +49,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml @@ -64,7 +64,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 
@@ -77,6 +77,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 with: category: "/language:${{matrix.language}}" From cbb8c74d92b24bf9a8b79b4a22c423a24df21a90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 May 2023 13:36:08 +0000 Subject: [PATCH 27/28] Bump actions/checkout from 2.7.0 to 3.5.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 2.7.0 to 3.5.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2.7.0...8e5e7e5ab8b370d6c329ec480221332ada57f0ab) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/python-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 1f19439..b9b4e32 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -16,7 +16,7 @@ jobs: id-token: write steps: - - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: From ae07f4942224832fae2da6dec587b5c62a06954b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 May 2023 12:05:15 +0000 Subject: [PATCH 28/28] Bump requests from 2.28.2 to 2.29.0 Bumps [requests](https://github.com/psf/requests) from 2.28.2 to 2.29.0. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.28.2...v2.29.0) --- updated-dependencies: - dependency-name: requests dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- poetry.lock | 10 +++++----- pyproject.toml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/poetry.lock b/poetry.lock index 234ad08..ed641f7 100644 --- a/poetry.lock +++ b/poetry.lock @@ -983,14 +983,14 @@ files = [ [[package]] name = "requests" -version = "2.28.2" +version = "2.29.0" description = "Python HTTP for Humans." category = "main" optional = false -python-versions = ">=3.7, <4" +python-versions = ">=3.7" files = [ - {file = "requests-2.28.2-py3-none-any.whl", hash = "sha256:64299f4909223da747622c030b781c0d7811e359c37124b4bd368fb8c6518baa"}, - {file = "requests-2.28.2.tar.gz", hash = "sha256:98b1b2782e3c6c4904938b84c0eb932721069dfdb9134313beff7c83c2df24bf"}, + {file = "requests-2.29.0-py3-none-any.whl", hash = "sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b"}, + {file = "requests-2.29.0.tar.gz", hash = "sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059"}, ] [package.dependencies] @@ -1375,4 +1375,4 @@ gunicorn = ["gunicorn"] [metadata] lock-version = "2.0" python-versions = "^3.8" -content-hash = "96215cb28bc1074b10bc5df106bf57776d70c13c6c7e49f766f82dd3e3335d41" +content-hash = "bedde8f1c8fdc0bb06d8feb83dd3f2e04f2641544c436cb6a0160f3d9b9a5773" diff --git a/pyproject.toml b/pyproject.toml index a1e83ec..af9d5c3 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -62,7 +62,7 @@ gunicorn = {version = "^20.1.0", optional = true} [tool.poetry.dev-dependencies] pytest = "^7.3.1" Flask-Testing = "^0.8.1" -requests = "^2.28.2" +requests = "^2.29.0" black = "^23.3.0" pre-commit = "^3.2.2"