GitHub enterprise support, PEP 8 refactor, better logging and file handling #19
Hello @Sammy-Tbeile-okcupid @tinder-rojan,
I would like to propose quite a lot of changes that I believe are justified. Don't hesitate to continue this thread if you want to discuss some points.
Summary
I took a look at your tool a week ago. I needed to audit a lot of repositories from GitHub enterprise organizations. Because of this, I added the ability to change the API URL requested by the tool and provide the GitHub token directly via the command line using the --endpoint and --token parameters, respectively. Also resolves #20.
I used this opportunity to refactor as best as I could to comply with PEP 8 and PEP 257, which are widely used in Python projects. This effectively resolves #16 and eases the installation process. It also allows third-party tools like Sphinx to parse the comments.
In connection with this, I used the recommended importlib.resources and tempfile libraries to avoid referencing files in the current directory. This allows the tool to run from anywhere on the system and delegates file handling for better cross-system support. This resolves #17, resolves #13, and resolves #11.
Finally, I needed to debug the application in a few places where the logger object was not available. I standardized the passing of the logger in the first arguments of the class constructors and created a class for some functions you made to enable easy logging.
Details
GitHub enterprise support
The GitHub enterprise API URL will vary depending on the installation. Moreover, the GraphQL and base URL of the API have different endpoints than the regular https://api.github.com/ URL. /api/v3 and /api/graphql are used.
Refactor
The refactor allows installing the tool as a package with pip and pipx from the GitHub repository like this: pipx install 'git+https://github.com/TinderSec/gh-workflow-auditor.git'.
File handling
Instead of using an action.txt file that is created, handled and deleted by the custom code of the tool, I used the tempfile library. This makes sure the temporary file is correctly handled by the system and makes it easily cross-platform. For the scan configuration I used importlib.resources.
Logging
For logging, I used Loguru, which is a popular solution that allows for easy and advanced logging options like verbose stack traces, colorful and multi-output logs. It also supports rotation on log files. The logger object is passed as the first argument of every class constructor to standardize the parameters. A decorator could also be considered, but I stuck to your implementation.
Misc
- except statements should be logged with the error level, for example.
- scan.log in the .gitignore.
- WorkflowAuditor to group both content_analyzer and risky_trigger_analysis methods to enable easy logging in these functions.
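A worked version of the endpoint handling described under "GitHub enterprise support", added here as an illustration rather than code from this PR or from gh-workflow-auditor; the function names, the bare-hostname handling and the GITHUB_TOKEN fallback are assumptions:

```python
"""Resolve GitHub REST and GraphQL endpoints from a --endpoint value and take the
token from --token. Added example, not code from gh-workflow-auditor; the function
names and the $GITHUB_TOKEN fallback are assumptions."""
import argparse
import os
from urllib.parse import urlparse

# github.com publishes its API on a dedicated host; a GitHub Enterprise server
# serves REST under /api/v3 and GraphQL under /api/graphql on the instance host.
PUBLIC_HOSTS = {"github.com", "api.github.com"}


def github_endpoints(endpoint: str) -> dict:
    """Map a host or URL to its REST base and GraphQL URL."""
    raw = endpoint.strip()
    if "://" not in raw:
        raw = "https://" + raw          # bare hostnames are accepted
    parsed = urlparse(raw)
    if parsed.scheme != "https":
        # the token travels in the Authorization header; never send it in clear
        raise ValueError(f"endpoint must use https: {endpoint!r}")
    host = parsed.netloc.lower()
    if not host:
        raise ValueError(f"no host in endpoint: {endpoint!r}")
    if host in PUBLIC_HOSTS:
        return {"rest": "https://api.github.com", "graphql": "https://api.github.com/graphql"}
    # any path the user typed (e.g. a trailing /api/v3) is discarded and rebuilt
    return {"rest": f"https://{host}/api/v3", "graphql": f"https://{host}/api/graphql"}


def auth_headers(token: str) -> dict:
    """Headers for both APIs; the token appears here only, not in URLs or log lines."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}


def parse_cli(argv=None) -> argparse.Namespace:
    """Parse --endpoint/--token and attach the resolved URLs as args.urls."""
    parser = argparse.ArgumentParser(description="audit GitHub Actions workflows")
    parser.add_argument("--endpoint", default="github.com",
                        help="github.com or the hostname/URL of a GitHub Enterprise server")
    parser.add_argument("--token", default=os.environ.get("GITHUB_TOKEN"),
                        help="personal access token (falls back to $GITHUB_TOKEN)")
    args = parser.parse_args(argv)
    if not args.token:
        parser.error("a token is required: pass --token or set GITHUB_TOKEN")
    args.urls = github_endpoints(args.endpoint)
    return args


if __name__ == "__main__":
    cli = parse_cli()
    print(cli.urls)   # the token itself is deliberately not printed
```

Rejecting non-HTTPS endpoints matters because the same token that authorizes the audit would otherwise be sent in clear to whatever host was typed.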