
chore(deps): bump actions/setup-python from 5.0.0 to 5.2.0 #9801

Closed


dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Oct 18, 2024

Bumps actions/setup-python from 5.0.0 to 5.2.0.

Release notes

Sourced from actions/setup-python's releases.

v5.2.0

What's Changed

Bug fixes:

  • Add .zip extension to Windows package downloads for Expand-Archive Compatibility by @priyagupta108 in actions/setup-python#916. This addresses compatibility issues on Windows self-hosted runners by ensuring that the filenames for Python and PyPy package downloads explicitly include the .zip extension, allowing the Expand-Archive command to function correctly.
  • Add arch to cache key by @Zxilly in actions/setup-python#896. This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts. Note: This change may break previous cache keys as they will no longer be compatible with the new format.

Documentation changes:

Dependency updates:

New Contributors

Full Changelog: actions/setup-python@v5...v5.2.0

v5.1.1

What's Changed

Bug fixes:

  • fix(ci): update all failing workflows by @mayeut in actions/setup-python#863. This update ensures compatibility and optimal performance of workflows on the latest macOS version.

Documentation changes:

Dependency updates:

New Contributors

Full Changelog: actions/setup-python@v5...v5.1.1

v5.1.0

What's Changed

New Contributors

... (truncated)

Commits
  • f677139 Bump pyinstaller from 3.6 to 5.13.1 in /tests/data (#923)
  • 2bd53f9 Documentation update for caching poetry dependencies (#908)
  • 80b49d3 fix: add arch to cache key (#896)
  • 036a523 Fix: Add .zip extension to Windows package downloads for Expand-Archive C...
  • 04c1311 Fix display of emojis in contributors doc (#899)
  • cb68456 Updated @iarna/toml version to 3.0.0 (#912)
  • 39cd149 Documentation update for cache (#873)
  • a0d74c0 fix(ci): update all failing workflows (#863)
  • 4eb7dbc Bump braces from 3.0.2 to 3.0.3 (#893)
  • 82c7e63 Documentation changes for avoiding rate limit issues on GHES (#835)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.0.0 to 5.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@0a5c615...f677139)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from moabu as a code owner October 18, 2024 10:26
@dependabot dependabot bot added github_actions Pull requests that update Github_actions code kind-dependencies Pull requests that update a dependency file labels Oct 18, 2024

DryRun Security Summary

Summary:

The provided code changes are part of several GitHub Actions workflows for the Janssen Project. The updates cover a range of tasks, including building and publishing Docker images, managing the project's documentation, building and testing packages, linting Python code, and synchronizing changes between repositories.

From an application security perspective, the changes generally do not introduce any obvious security vulnerabilities. The updates are primarily focused on routine maintenance, dependency management, and workflow improvements. However, there are a few security-related aspects that should be considered:

  1. Dependency Management: The workflows install and use a variety of dependencies, including Python libraries and system packages. It's important to ensure that these dependencies are regularly reviewed and updated to address any known security vulnerabilities.

  2. Secrets Management: The workflows use several GitHub secrets, such as API tokens and GPG keys. Proper management and secure storage of these secrets is crucial to prevent unauthorized access or misuse.

  3. Cryptographic Signing: Some workflows use cryptographic signing, such as signing Docker images and Git commits. This is a good security practice that helps ensure the integrity and authenticity of the artifacts.

  4. Runner Hardening: The use of the step-security/harden-runner action to harden the GitHub Actions runner environment is a positive security measure that helps mitigate potential risks associated with the runner.

Overall, the changes in this pull request appear to be focused on improving the reliability, maintainability, and security of the Janssen Project's build and deployment processes. While there are no immediate security concerns, it's important to continue monitoring the dependencies, secrets management, and overall security posture of the project to ensure its ongoing security and integrity.

Files Changed:

  1. .github/workflows/docker_build_image.yml: This workflow is responsible for building and publishing Docker images for the Janssen Project. The changes include a Python version update, build date updates, and the use of the Cosign tool for image signing, which is a positive security practice.

  2. .github/workflows/docs.yml: The changes in this workflow update the version of the actions/setup-python action and include steps for hardening the runner environment and managing secrets.

  3. .github/workflows/build-packages.yml: This workflow is responsible for building and publishing binary and Python packages. The changes include updates to dependencies, cryptographic signing, and the use of caching to improve build times.

  4. .github/workflows/build-docs.yml: The changes in this workflow update the Python version and include steps for managing dependencies, versioning, and artifact management.

  5. .github/workflows/test_docker_linux_installer.yml, .github/workflows/flake8-lint.yml, .github/workflows/label_pr_issues.yml, .github/workflows/testcases.yml, and .github/workflows/sync.yml: These workflow files have been updated to use the latest version of the actions/setup-python action, which is a routine maintenance task.

Code Analysis

We ran 9 analyzers against 9 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

Contributor Author

dependabot bot commented on behalf of github Oct 25, 2024

Superseded by #9924.

@dependabot dependabot bot closed this Oct 25, 2024
@dependabot dependabot bot deleted the dependabot/github_actions/actions/setup-python-5.2.0 branch October 25, 2024 10:41