deps(deps): update cachetools requirement from ^5.0 to ^6.2 #3103
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: SAST Lint | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| PYTHON_VERSION: "3.11" | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| jobs: | |
| bandit: | |
| name: Bandit scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v5 | |
| - name: Set up Python | |
| uses: actions/setup-python@v6 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: pip | |
| - name: Install Bandit | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install "bandit>=1.7.0" PyYAML | |
| - name: Run Bandit | |
| run: | | |
| bandit -r src -ll -f json -o bandit.json -c bandit.yaml --exit-zero | |
| - name: Convert Bandit JSON to SARIF | |
| run: python tools/bandit_to_sarif.py bandit.json bandit.sarif | |
| - name: Upload Bandit SARIF to GitHub | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: bandit.sarif | |
| category: bandit | |
| - name: Upload Bandit SARIF artifact | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: bandit-sarif | |
| path: bandit.sarif | |
| if-no-files-found: error | |
| semgrep: | |
| name: Semgrep scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v5 | |
| - name: Set up Python | |
| uses: actions/setup-python@v6 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: pip | |
| - name: Install Semgrep | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install "semgrep>=1.38.0" PyYAML | |
| - name: Resolve Semgrep configuration | |
| id: semgrep-config | |
| run: | | |
| python - <<'PY' | |
| import os | |
| import pathlib | |
| import yaml | |
| config_path = pathlib.Path(".semgrep.yaml") | |
| args: list[str] = [] | |
| if config_path.exists(): | |
| data = yaml.safe_load(config_path.read_text()) or {} | |
| rules = data.get("exclude", {}).get("rules", []) | |
| for entry in rules: | |
| if isinstance(entry, dict): | |
| rule_id = entry.get("id") | |
| if rule_id: | |
| args.append(f"--exclude-rule={rule_id}") | |
| message = "Resolved Semgrep excludes: " + ("none" if not args else " ".join(args)) | |
| print(message) | |
| with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as fh: | |
| fh.write("exclude_args=" + " ".join(args) + "\n") | |
| PY | |
| - name: Run Semgrep | |
| run: | | |
| semgrep --version | |
| semgrep --config auto src --sarif --output semgrep.sarif --no-error ${{ steps.semgrep-config.outputs.exclude_args }} | |
| - name: Upload Semgrep SARIF to GitHub | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: semgrep.sarif | |
| category: semgrep | |
| - name: Upload Semgrep SARIF artifact | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: semgrep-sarif | |
| path: semgrep.sarif | |
| if-no-files-found: error |