Mercurial > p > roundup > code
view .github/workflows/ossf-scorecard.yml @ 7211:506c86823abb
Add config argument to more password.Password invocations.
The work done to allow password_pbkdf2_default_rounds to be overridden
for testing requires that calls to password.Password include a config
argument.
This was needed because using the real value more than quadrupled
testing runtime.
However there are still a few places where config was not being set
when Password was called. I think this fixes all of the ones that are
called from a function that have access to a db.config object.
The remaining ones all call Password(encrypted=x). This results in
Password.unpack() being called. If x is not a propertly formatted
password string ("{scheme}...", it calls encodePassword. It then
should end up raising the ConfigNotSet exception. This is
probably what we want as it means the shape of "x" is not correct.
I don't understand why Password.unpack() attempts to encrypt the value
of encrypted if it doesn't match the right form. According to codecov,
this encryption branch is being used, so somewhere x is of the wrong
form. Hmmm....
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 04 Mar 2023 00:17:26 -0500 |
| parents | 8dc5b3739367 |
| children | a81f3750a14a |
line wrap: on
line source
# This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '25 21 * * 5' push: branches: [ "master" ] # Declare default permissions as read only. permissions: read-all jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, 'no-github-ci')" permissions: # Needed to upload the results to code-scanning dashboard. security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write # Uncomment the permissions below if installing in a private repository. # contents: read # actions: read steps: - name: "Checkout code" uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 with: results_file: results.sarif results_format: sarif # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecard on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers # - Allows the repository to include the Scorecard badge. # - See https://github.com/ossf/scorecard-action#publishing-results. # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: SARIF file path: results.sarif retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.1.27 with: sarif_file: results.sarif