From d8e0cbc4d3079eb581b3eef3628ee436a3e33585 Mon Sep 17 00:00:00 2001 From: jpl-jengelke Date: Thu, 25 May 2023 12:39:26 -0700 Subject: [PATCH 1/5] Issue NASA-AMMOS/slim#55: Integrate Governance documentation with Python starterkit. Modify CONTRIBUTING.MD with latest updates. ... --- .github/PULL_REQUEST_TEMPLATE.md | 2 +- CONTRIBUTING.md | 50 ++++++------ GOVERNANCE.md | 131 +++++++++++++++++++++++++++++++ README.md | 6 +- 4 files changed, 159 insertions(+), 30 deletions(-) create mode 100644 GOVERNANCE.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 8ef73bb..161ffc8 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -10,4 +10,4 @@ ## Testing - Provide some proof you've tested your changes - Example: test results available at ... -- Example: tested on operating system ... +- Example: tested on operating system ... \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d7d5265..f4e2413 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,4 +1,4 @@ -# Contributing Guide +# Contributing to [INSERT YOUR PROJECT NAME] Thanks for taking the time to consider contributing! We very much appreciate your time and effort. This document outlines the many ways you can contribute to our project, and provides detailed guidance on best practices. We look forward to your help! 
@@ -22,11 +22,15 @@ Reviewers reviewing your patch will look for the sign-off before deciding to acc ### License -Our project has our licensing terms, including rules governing redistribution, documented in our `LICENSE` file. Please take a look at that file and ensure you understand the terms. This will impact how we, or others, use your contributions. +Our project has our licensing terms, including rules governing redistribution, documented in our [LICENSE](LICENSE) file. Please take a look at that file and ensure you understand the terms. This will impact how we, or others, use your contributions. ### Code of Conduct -Our Code of Conduct helps facilitate a positive interaction environment for everyone involved with the team, and provides guidance on what to do if you experience problematic behavior. Read more in our `CODE_OF_CONDUCT.md`, and make sure you agree to its terms. +Our Code of Conduct helps facilitate a positive interaction environment for everyone involved with the team, and provides guidance on what to do if you experience problematic behavior. Read more in our [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md), and make sure you agree to its terms. + +### Governance Model + +Our Governance model helps outline our project's decision making and roles-based expectations. Read more in our [GOVERNANCE.md](GOVERNANCE.md). ### Developer Environment 
@@ -35,7 +39,16 @@ For patch contributions, see our [Developer Documentation]([INSERT YOUR DEVELOPM At a minimum however to submit patches (if using Git), you'll want to ensure you have: 1. An account on the Version Control System our project uses (i.e. GitHub). 2. The Version Control System client (i.e. Git) installed on your local machine. -3. The ability to edit, build, and test our project on your local machine. Again, see our `README.md` or detailed developer guide for more details +3. The ability to edit, build, and test our project on your local machine. Again, see our [README.md](README.md) or detailed developer guide for more details + +### Communication Channels + +Before contributing changes to our project, it's a great idea to be familiar with our communication channels and to socialize your potential contributions to get feedback early. This will help give you context for your contributions, no matter their form. + +Our communication channels are: +- [Issue tracking system]([INSERT LINK TO ISSUE TRACKING SYSTEM]) - a regularly monitored area to report issues with our software or propose changes +- [Discussion board]([INSERT LINK TO DISCUSSION BOARD OR MAILING LIST]) - an permanently archived place to hold conversations related to our project, and to propose as well as show+tell topics to the contributor team. This resource can be searched for old discussions. +- [INSERT ADDITIONAL COMMUNICATION CHANNELS FOR YOUR PROJECT, EX: SLACK, TWITTER, YOUTUBE, ETC.] ### Communication Channels 
@@ -72,12 +85,12 @@ Make sure people are aware you're working on a patch! Check out our [issue track #### Choose the Right Branch to Fork Our project typically has the following branches available, make sure to fork either the default branch or a branch someone else already tagged with a particular issue ticket you're working with. -- (default) `main`[INSERT DEFAULT VCS BRANCH NAME HERE] -- [INSERT ADDITIONAL TYPICAL VCS BRANCH NAMES HERE] +- `main`[INSERT DEFAULT VCS BRANCH NAME HERE] - default branch +- [INSERT ADDITIONAL TYPICAL VCS BRANCH NAMES HERE] - ### Make your Modifications -Within your local development environment, this is the stage at which you'll propose your changes, and commit those changes back to version control. See the `README.md` or development guide for more specifics on what you'll need as prerequisites to setup your local development environment. +Within your local development environment, this is the stage at which you'll propose your changes, and commit those changes back to version control. See the [README.md](README.md) or development guide for more specifics on what you'll need as prerequisites to setup your local development environment. #### Commit Messages 
@@ -97,22 +110,7 @@ Additionally, remember to "Sign-Off" on your commits to align with our [Develope Pull requests are the core way our project will receive your patch contributions. Navigate to your branch on your own fork within the version control system, and submit a pull request or submit the patch text to our project. -Please make sure to provide a meaningful text description to your pull requests, whenever submitted. Use the following template: -``` -## Purpose -- Clear, easy-to-understand sentences outlining the purpose of the PR -## Proposed Changes -- [ADD] ... -- [CHANGE] ... -- [FIX] ... -## Issues -- Links to relevant issues -- Example: issue-XYZ -## Testing -- Provide some proof you've tested your changes -- Example: test results available at ... -- Example: tested on operating system ... -``` +Please make sure to provide a meaningful text description to your pull requests, whenever submitted. Our pull-request template will be auto-generated for you when you create your pull-request. See the template [here]([.github/PULL_REQUEST_TEMPLATE.md]). **Working on your first Pull Request?** See guide: [How to Contribute to an Open Source Project on GitHub](https://kcd.im/pull-request) @@ -167,7 +165,7 @@ I've noticed several other issues that are of the same category as this issue. S #### Submitting Bug Issues Resolving bugs is a priority for our project. We welcome bug reports. However, please make sure to do the following prior to submitting a bug report: -- **Check for duplicates** - there may be a bug report already describing your issue, so check the [issue tracking system]([INSERT LINK TO YOUR ISSUE TRACKING SYSTEM]) first +- **Check for duplicates** - there may be a bug report already describing your issue, so check the [issue tracking system]([INSERT LINK TO YOUR ISSUE TRACKING SYSTEM]) first. Here's some guidance on submitting a bug issue: 1. Navigate to our [issue tracking system]([INSERT LINK TO YOUR ISSUE TRACKING SYSTEM]) and file a new issue 
@@ -181,7 +179,7 @@ Here's some guidance on submitting a bug issue: #### Submitting New Feature Issues -We welcome new feature requests to help grow our project. However, please make sure to do the following prior to submitting a bug report: +We welcome new feature requests to help grow our project. However, please make sure to do the following prior to submitting a new feature request: - **Check for duplicates** - there may be a new feature issue already describing your issue, so check the [issue tracking system]([INSERT LINK TO YOUR ISSUE TRACKING SYSTEM]) first - **Consider alternatives** - is your feature really needed? Or is there a feature within our project or with a third-party that may help you achieve what you want? @@ -200,7 +198,7 @@ Here's some guidance on submitting a new feature issue: Security vulnerabilities should **not** be filed to the regular issue tracking system. -Report your security vulnerabilities to (see contact links): [INSERT CONTACT METHOD] +Report your security vulnerabilities to (see contact links): [INSERT SECURITY CONTACT LINK HERE] Please be sure to: * Indicate the severity of the vulnerability diff --git a/GOVERNANCE.md b/GOVERNANCE.md new file mode 100644 index 0000000..d09f59d --- /dev/null +++ b/GOVERNANCE.md 
@@ -0,0 +1,131 @@ +# [INSERT PROJECT NAME] Project Governance + +This governance model aims to create an open source community that encourages transparency, contributions, and collaboration, but maintains sound technical and quality standards. Our goal is to build a community comprised of members across the [INSERT PROJECT DOMAIN] community and beyond, including from private organizations, universities, government organizations, and international organizations. + +The project follows a fairly liberal contribution model where people and/or organizations who do the most work will have the most influence on project direction. Roles determine decision making influence, and governing committees (e.g. technical steering, project steering) are set up to ensure the project's direction is in-line with requirements / goals while supporting flexibility for future growth and membership. Technical decision making will primarily be made through a "[consensus-seeking](https://en.wikipedia.org/wiki/Consensus-seeking_decision-making)" approach within the respective governing committees. + +## Roles + +| Role | Restricted To | Description | Read/Clone | Propose Pull Request | Comment in Tickets / Discussions | Triage | Review | Commit | Technical Decisions | Project Decisions | +| ----------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | ------------------------------------ | ------------------------------------ | ------------------------------------ | ------------------------------------ | ------------------------------------ | ------------------------------------ | ------------------------------------ | +| User | None | Anyone downloading, deploying, or operating the software to meet a specific objective. 
| ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | +| Contributor | None | Anyone providing input to the project, including: code, issues, documentation, graphics, etc. | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | +| Triager | Contributor | Subset of contributors demonstrating a strong familiarity with the project. | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | +| Collaborator | Contributor | Subset of contributors granted write access to one or more of the project repositories upon selection by TSC | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | +| Technical Steering Committee Member | Collaborator | A subset of collaborators having technical decision making authority and admin privileges | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | +| Project Steering Committee Member | Stakeholders | Sponsor organization representatives (i.e. those providing funding to the project) and key stakeholders with authority to guide project based on requirements, budget, schedule, etc. | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | +| Product Manager | Stakeholders | Overall manager of project with final authority over all key decisions when consensus cannot be reached | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | + +### User + +Anyone who has downloaded, deployed, or operated [INSERT PROJECT NAME] to meet a specific objective. This project was primarily designed for [INSERT DESCRIPTION OF PROJECT PURPOSE], but let us know if you've found other uses for it. + +### Contributor + +Contributors include anyone that provides input to the project. This includes code, issues, documentation, graphics, designs, or anything else that tangibly improves the project. We encourage you to start contributing right away by joining our [Discussions]([INSERT LINK TO DISCUSSION BOARD OR MAILING LIST(S)]) or submitting an [Issue]([INSERT LINK TO ISSUE TRACKING SYSTEM]). + +### Triager + +Subset of contributors who have demonstrated a strong familiarity with the project and are regularly contributing to the project via issue creation, commenting, discussions, etc. 
Triagers are given specific permissions do the following: + + - Label issues and pull requests + - Comment, close, and reopen issues and pull requests + +[List of current Triagers]([INSERT LINK TO GITHUB, GITLAB, ETC. TEAM ASSOCIATED WITH TRIAGERS]) + +### Collaborator + +Subset of contributors who have been given write access to one or more project repositories. Both contributors and collaborators can propose changes to the project via pull requests, but only collaborators can formally review and approve (merge) these requests. Any contributor who has made a non-trivial contribution should be on-boarded as a collaborator in a timely manner. + +If you are planning on making a substantial contribution to the project or feel as though you should be given write access to a repository, please send a request to [INSERT LINK TO EMAIL/GITHUB USER HANDLE] + +[List of current collaborators]([INSERT LINK TO GITHUB, GITLAB, ETC. TEAM ASSOCIATED WITH COLLABORATORS]) + +### Technical Steering Committee Member + +A subset of the collaborators forms the Technical Steering Committee (TSC). The TSC has authority over the following aspects of this project: + +- Technical direction and guidance +- Committee governance and process +- Contribution policy +- Conduct guidelines +- Maintaining the list of collaborators + +#### TSC Committee Members +- [INSERT MEMBER NAME] ([username1]([INSERT LINK TO USERNAME]), [INSERT ORG ASSOCIATION] +- [INSERT MEMBER NAME] ([username1]([INSERT LINK TO USERNAME]), [INSERT ORG ASSOCIATION] + + +
+ +Emeriti + +#### TSC Emeriti +- [INSERT MEMBER NAME] ([username1]([INSERT LINK TO USERNAME]), [INSERT ORG ASSOCIATION] + +
+ +#### Scope + +The TSC is primarily responsible for the following project repositories: + +- [INSERT LINK TO PROJECT REPOSITORIES] + +However, the TSC also has the responsibility to interface with and monitor third-party dependencies of the project for key changes impacting [INSERT PROJECT NAME]. These third-party dependencies include: + +- [INSERT LINK TO DEPENDENT PROJECT REPOSITORIES] + + +#### Decision Making Process + +Any community member can create an issue or comment asking the TSC to review something. Prior to implementing a substantial contribution, the design of that contribution should be reviewed by at least one member of the TSC. If consensus-seeking fails during the review of a pull request or in design discussions, the issue will be addressed by the TSC to make a determination on direction. TSC members will meet regularly and will keep track of decisions made when consensus was not met. + +The TSC can nominate new members at any time. Candidates for membership tend to be collaborators who have shown great dedication to the project and/or experts in a particular domain or project component. TSC members are expected to be active contributors or members who have made significant contributions within the past 12 months. + +### Project Management Committee (PMC) Member + +The Project Management Committee (PMC) is made up of sponsor organization representatives (i.e. those providing funding to the project) and key stakeholders who rely or plan to rely on the project to meet a critical need. 
The PMC has the following responsibilities: + +- Maintaining the overall project roadmap +- Determining project requirements and commitments to sponsors and stakeholders +- Assessing available resources and allocating them across the project +- Monitoring and reporting on progress against the roadmap +- On-boarding new sponsors and stakeholders +- Overall project governance (including this policy) +- Addressing any legal considerations + +#### PMC Committee Members +- [INSERT MEMBER NAME] ([username1]([INSERT LINK TO USERNAME]), [INSERT ORG ASSOCIATION] +- [INSERT MEMBER NAME] ([username1]([INSERT LINK TO USERNAME]), [INSERT ORG ASSOCIATION] + +
+ +Emeriti + +#### PMC Emeriti +- [INSERT MEMBER NAME] ([username1]([INSERT LINK TO USERNAME]), [INSERT ORG ASSOCIATION] + +
+ +#### Scope + +The PMC has management authority over the same project repositories over which the TSC has technical authority over. + +#### Decision Making Process + +The PMC will consist of a product manager and additional representative from sponsors and key stakeholders. The PMC or sponsoring organizations can nominate new members at any time. Care should be taken not to include too many members from a single stakeholder project or organization. + +Regular stakeholder meetings are held to discuss current project status and propose changes to the project roadmap. If stakeholder representatives and sponsors concur with these proposals during the meeting, they will be immediately adopted. A member of the PMC will ensure the changes have been captured and recorded. Regular stakeholder meetings will be open to the entire community, but only members of the PMC have decision making authority. + +Additional meetings may be held if consensus is not met or to discuss significant changes to the roadmap due to changes in stakeholder priorities or available resources. Any decision made outside of stakeholder meetings must still be approved by all sponsors and stakeholders. If full consensus cannot be made, the product manager has the final authority to determine project direction. Any non-concurrences from stakeholders or sponsors will be noted. + +### Product Manager + +Overall manager of the project with final authority over all key decisions when consensus cannot be reached within the TSC or PSC. The product manager is often chosen at the onset of project initiation and can be reassigned by the PMC (with institutional approval, if applicable). 
+ +# Acknowledgements + +Much of this governance model was adapted from the other notable open source projects including [node.js](https://github.com/nodejs/node/blob/main/GOVERNANCE.md), [OpenSSL](https://www.openssl.org/policies/omc-bylaws.html), [PostgresQL](https://www.postgresql.org/developer/), and [OpenMCT](https://github.com/nasa/openmct/blob/master/CONTRIBUTING.md). We would like to thank those projects for setting the foundation upon which this model was built. + + + diff --git a/README.md b/README.md index 4ab2fa1..c7a7670 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,7 @@ twine check dist/* && twine upload --verbose dist/*.whl dist/*.zip ### Test Instructions (if applicable) + 1. [INSERT STEP-BY-STEP TEST INSTRUCTIONS HERE, WITH OPTIONAL SCREENSHOTS] @@ -207,13 +208,12 @@ Interested in contributing to our project? Please see our: [CONTRIBUTING.md](CON **Working on your first pull request?** See guide: [How to Contribute to an Open Source Project on GitHub](https://kcd.im/pull-request) --> -[INSERT LINK TO YOUR CODE_OF_CONDUCT.md OR SHARE TEXT HERE] - +For guidance on our governance approach, including decision-making process and our various roles, please see our governance model at: [GOVERNANCE.md](GOVERNANCE.md) + ## License See our: [LICENSE](LICENSE) From 0b6ee1c876b65a3655579d48f33b9b8044ba66d6 Mon Sep 17 00:00:00 2001 From: IngyHere Date: Thu, 14 Mar 2024 19:20:00 -0700 Subject: [PATCH 2/5] NASA-AMMOS/slim#110: Functional Pylint static code analysis. ... --- .github/workflows/pylint.yml | 71 ++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/pylint.yml diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml new file mode 100644 index 0000000..b45b10d --- /dev/null +++ b/.github/workflows/pylint.yml 
@@ -0,0 +1,71 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to disable certain Pylint checks in the +# "Analyze" configuration block below. +# +# For more information see: +# https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/application-starter-kits/python-starter-kit/ +# +# ******** NOTE ******** +# Pylint is a Python-based linter that works to evaluate Python code. +# +name: "Pylint" + +on: + push: + branches: [main, develop] + pull_request: + # The branches below must be a subset of the branches above + branches: [develop] + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: write + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.10' + - name: Upgrade tooling + run: | + python3 -m pip install --upgrade pip + pip3 install --upgrade build importlib_metadata setuptools setuptools_scm wheel + pip3 install pylint + - name: Install dependencies + run: | + pip3 install -r requirements.txt + pip3 install -e . + - name: Prepare PYTHONPATH + run: | + src_paths=`find ${PWD} -type f -maxdepth 3 -mindepth 2 -name "*.py" -exec dirname {} + | uniq` + pythonpathplus="" + for p in $src_paths + do + pythonpathplus="${pythonpathplus:+:${pythonpathplus}}:$p" + done + echo "PYTHONPATH=${PYTHONPATH:+:${PYTHONPATH}}${pythonpathplus}:." >> $GITHUB_ENV + - name: Analyze + run: | + # disable docstring checks + # See https://pylint.readthedocs.io/en/latest/user_guide/messages/messages_overview.html + # pylint --disable=C0114,C0115,C0116 --recursive=y --output=pylint_report.txt --exit-zero . + pylint --recursive=y --output=pylint_report.txt --exit-zero . 
+ continue-on-error: true + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: pylint_report + path: pylint_report.txt + if-no-files-found: error + overwrite: true + retention-days: 15 \ No newline at end of file From ff171053af8d66b6073ab3dc0ac16b6a478ade5f Mon Sep 17 00:00:00 2001 From: IngyHere Date: Thu, 14 Mar 2024 19:21:12 -0700 Subject: [PATCH 3/5] NASA-AMMOS/slim#89: Functional GitHub Actions-based secrets detection. ... --- .github/workflows/secrets-detection.yml | 97 +++++++++++++++++++++++++ .gitignore | 1 + .secrets.baseline | 15 ++++ 3 files changed, 113 insertions(+) create mode 100644 .github/workflows/secrets-detection.yml create mode 100644 .secrets.baseline diff --git a/.github/workflows/secrets-detection.yml b/.github/workflows/secrets-detection.yml new file mode 100644 index 0000000..e49eb40 --- /dev/null +++ b/.github/workflows/secrets-detection.yml 
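Review bot: The `permissions` block in the `analyze` job grants `actions: write` and `security-events: write`, but nothing in the visible steps (checkout, pip installs, `pylint`, `upload-artifact`) needs more than `contents: read`; I'd trim it to `permissions:` / `contents: read` so the job token follows least privilege. The `Prepare PYTHONPATH` loop also double-inserts the separator: `${pythonpathplus:+:${pythonpathplus}}` already prepends a colon and the literal `:$p` adds another, producing empty entries such as `::/path`; `pythonpathplus="${pythonpathplus:+${pythonpathplus}:}$p"` joins cleanly. In the same step, GNU `find` expects `-mindepth`/`-maxdepth` before tests like `-type f`, so the current order prints a warning on every run; reorder to `find ${PWD} -mindepth 2 -maxdepth 3 -type f -name "*.py" ...`. `fetch-depth: 0` also pulls full history that a lint run does not use; the default shallow checkout is enough.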
@@ -0,0 +1,97 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to exclude files from analyses. (See "Scan" +# configuration block below.) +# +# For more information, see: +# https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection +# +# ******** NOTE ******** +# Detect Secrets will compare known values from the ".secrets.baseline" file +# located in the root of the repository. Should any false detections occur, +# this file should be committed locally with an exception added to .gitignore +# to prevent inadvertent modification or overwrite. +# +name: "Secret Detection" +on: + push: + branches: [main, develop] + pull_request: + # The branches below must be a subset of the branches above + branches: [develop] + +jobs: + secret-detection: + name: Secret-Detection + runs-on: ubuntu-latest + permissions: + actions: write + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Upgrade tooling + run: | + python3 -m pip install --upgrade pip + pip install --upgrade git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp + pip install --upgrade jq + - name: Create baseline config + run: | + if [ ! -f .secrets.baseline ] ; + then + # This generated baseline file will only be temporarily available on the GitHub side and will not appear in the user's local files. + # Scanning an empty folder to generate an initial .secrets.baseline without secrets in the results. + echo "⚠️ No existing .secrets.baseline file detected. Creating a new blank baseline file." + mkdir empty-dir + detect-secrets scan empty-dir > .secrets.baseline + echo "✅ Blank .secrets.baseline file created successfully." 
+ rm -r empty-dir + else + echo "✅ Existing .secrets.baseline file detected. No new baseline file will be created." + fi + - name: Scan + run: | + # scripts scan repository for new secrets + # backup list of known secrets + cp -pr .secrets.baseline .secrets.new + # find secrets in the repository + detect-secrets scan --disable-plugin AbsolutePathDetectorExperimental --baseline .secrets.new \ + --exclude-files '\.secrets..*' \ + --exclude-files '\.git.*' \ + --exclude-files '\.mypy_cache' \ + --exclude-files '\.pytest_cache' \ + --exclude-files '\.tox' \ + --exclude-files '\.venv' \ + --exclude-files 'venv' \ + --exclude-files 'dist' \ + --exclude-files 'build' \ + --exclude-files '.*\.egg-info' + # break build when new secrets discovered + # function compares baseline/new secrets w/o listing results -- success(0) when new secret found + compare_secrets() { diff <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${1}" | sort) <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${2}" | sort) | grep -q '>' ; } + # test baseline versus new secret files + if compare_secrets .secrets.baseline .secrets.new; + then + echo "⚠️ Attention Required! ⚠️" >&2 + echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2 + echo "" >&2 + echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2 + echo "" >&2 + echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2 + echo "" >&2 + echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." 
>&2 + echo "" >&2 + echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2 + exit 1 + else + echo "🟢 Secrets tests PASSED! 🟢" >&1 + echo "No new secrets were detected in comparison to any baseline configurations." >&1 + exit 0 + fi diff --git a/.gitignore b/.gitignore index 72edd65..80dca73 100644 --- a/.gitignore +++ b/.gitignore @@ -51,6 +51,7 @@ coverage.xml *.py,cover .hypothesis/ .pytest_cache/ +.secrets* # Translations *.mo diff --git a/.secrets.baseline b/.secrets.baseline new file mode 100644 index 0000000..af285a6 --- /dev/null +++ b/.secrets.baseline @@ -0,0 +1,15 @@ +{ + "version": "1.4.0", + "results": { + "setup.cfg": [ + { + "type": "Email Address", + "filename": "setup.cfg", + "hashed_secret": "3d5f1cb1412e27257b118b0fbf9dcccf390be6cb", + "is_verified": false, + "line_number": 31 + } + ] + }, + "generated_at": "2024-03-14T20:03:34Z" +} From 9130ba62cc5737f1d53beba1c0bf488a8325b4d8 Mon Sep 17 00:00:00 2001 From: IngyHere Date: Thu, 14 Mar 2024 19:37:51 -0700 Subject: [PATCH 4/5] NASA-AMMOS/slim#25: Functional GitHub Actions-based SCRUB (CodeQL) analysis. ... --- .github/workflows/codeql.yml | 100 +++++++++++++++++++++ .github/workflows/codeql/codeql-config.yml | 5 ++ 2 files changed, 105 insertions(+) create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/codeql/codeql-config.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..3ac97ba --- /dev/null +++ b/.github/workflows/codeql.yml 
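Review bot: The `Upgrade tooling` step installs the scanner from a moving branch, `git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp`, so every run pulls whatever that branch currently contains and the tool that decides whether secrets were found is itself an unpinned supply-chain input; pin it to an immutable ref, e.g. `pip install --upgrade "git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@<PINNED_COMMIT_SHA>"` (placeholder), and bump it deliberately. The following `pip install --upgrade jq` brings in the PyPI `jq` Python bindings, not the `jq` command that the `Scan` step invokes as `jq -r`; it works today presumably because the runner image already ships the CLI, so the line is misleading and should be dropped or replaced by an explicit check that the CLI is present. As in the other new workflows, `actions: write` and `security-events: write` are granted but unused by these steps; `contents: read` is enough. Note also that `detect-secrets scan` inspects the working tree only, so the `fetch-depth: 0` checkout does not extend coverage to secrets that were committed and later removed; the header comment could say so to set expectations.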
@@ -0,0 +1,100 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# For more information see: +# https://nasa.github.io/scrub/ +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [main, develop] + pull_request: + # The branches below must be a subset of the branches above + branches: [develop] + schedule: + # default branch on sundays at 5a + - cron: '0 5 * * 0' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: write + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + # CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby'] + # Learn more about CodeQL language support at https://git.io/codeql-language-support + language: ['python'] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + #config-file: ./.github/workflows/codeql/codeql-config.yml + languages: ${{ matrix.language }} + queries: security-and-quality, security-extended + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # ℹ️ Command-line programs to run using the OS shell. 
+ # 📚 https://git.io/JvXDl + + # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + + - name: Post-Process Output + run: | + python3 -m pip install nasa-scrub + + results_dir=`realpath ${{ github.workspace }}/../results` + sarif_files=`find $results_dir -name '*.sarif'` + + for sarif_file in $sarif_files + do + output_file="$results_dir/$(basename $sarif_file .sarif).scrub" + + python3 -m scrub.tools.parsers.translate_results $sarif_file $output_file ${{ github.workspace }} scrub + done + + python3 -m scrub.tools.parsers.csv_parser $results_dir + + echo "RESULTS_DIR=$results_dir" >> $GITHUB_ENV + + + - name: Upload CodeQL Artifacts + uses: actions/upload-artifact@v4 + with: + name: codeql-artifacts + path: ${{ env.RESULTS_DIR }} + if-no-files-found: error + overwrite: true + retention-days: 15 diff --git a/.github/workflows/codeql/codeql-config.yml b/.github/workflows/codeql/codeql-config.yml new file mode 100644 index 0000000..17e620e --- /dev/null +++ b/.github/workflows/codeql/codeql-config.yml @@ -0,0 +1,5 @@ +name: "CodeQL config" +queries: + - name: Run custom queries + - uses: security-extended + - uses: security-and-quality From 5442d889597cb8c639c382363766b54826c8520f Mon Sep 17 00:00:00 2001 
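Review bot: The `permissions` block grants `actions: write`, but the CodeQL steps need `security-events: write` to upload results and `contents: read` to check out (plus `actions: read` on private repositories); `actions: write` should be reduced to `actions: read`. The `queries:` input lists both `security-and-quality` and `security-extended`; as far as I know the former already includes the latter suite, so the second entry only duplicates work and can be removed. In `Post-Process Output` the loop variables are unquoted (`$sarif_file`, `$results_dir`), which breaks if a path ever contains whitespace; `"$sarif_file"` and `"$results_dir"` are the safe form. `nasa-scrub` is installed without a version pin, so the post-processing tool can change under the workflow; a `==<PINNED_VERSION>` (placeholder) specifier keeps runs reproducible.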
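Review bot: In `.github/workflows/codeql/codeql-config.yml` the first `queries` entry, `- name: Run custom queries`, is a list item with no `uses:` key; each entry in that list identifies a query pack or suite via `uses`, so if the commented-out `config-file:` line in `codeql.yml` is ever enabled I would expect this entry to be rejected. Either drop it or merge the name into a real entry: `queries:` / `  - name: Run custom queries` / `    uses: security-extended`. The file is also dormant as committed because `codeql.yml` comments out `config-file:`; a one-line comment at the top, `# Not referenced until config-file: is enabled in codeql.yml`, would stop readers from assuming it is in effect.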
From: IngyHere Date: Fri, 15 Mar 2024 02:01:53 -0700 Subject: [PATCH 5/5] =?UTF-8?q?NASA-AMMOS/slim#69=20NASA-AMMOS/slim#110:?= =?UTF-8?q?=20Update=20publish=20action=20to=20align=20with=20structure=20?= =?UTF-8?q?of=20other=20similar=20configs;=20Minor=20code=20changes=20in?= =?UTF-8?q?=20response=20to=20static=20analysis=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/python-publish.yml | 29 ++++++++++++++++------- slim_sample_project/__init__.py | 2 +- slim_sample_project/api/__init__.py | 2 +- slim_sample_project/api/text_processor.py | 13 ++++++++-- slim_sample_project/hello_world.py | 4 ++-- slim_sample_project/version_tooling.py | 5 ++-- 6 files changed, 37 insertions(+), 18 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 193ff78..be37d8e 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml 
@@ -1,26 +1,37 @@ -# This workflows will upload a Python Package using Twine when a release is created +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# # For more information see: -# https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries - -name: Upload Python Package +# https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/application-starter-kits/python-starter-kit/ +# +# ******** NOTE ******** +# This file publishes to TestPyPi. To enable public PyPi the repository flag +# must be removed from the Twine upload call in the "Publish package" block. +# +name: "Upload Python Package" on: release: - types: [published] branches: [main] + types: [published] jobs: deploy: + name: Deploy runs-on: ubuntu-latest + permissions: + actions: write + contents: read + security-events: write steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: - python-version: '3.9' + python-version: '3.10' - name: Upgrade tooling run: | python3 -m pip install --upgrade pip diff --git a/slim_sample_project/__init__.py b/slim_sample_project/__init__.py index 1fb901f..087f8a2 100644 --- a/slim_sample_project/__init__.py +++ b/slim_sample_project/__init__.py @@ -14,4 +14,4 @@ from .version import __version__ -ignore = True +IGNORE = True diff --git a/slim_sample_project/api/__init__.py b/slim_sample_project/api/__init__.py index b1cdfe9..7ba5fd5 100644 --- a/slim_sample_project/api/__init__.py +++ b/slim_sample_project/api/__init__.py @@ -1,2 +1,2 @@ # Sample code: REPLACE with project code. -ignore = False +IGNORE = False diff --git a/slim_sample_project/api/text_processor.py b/slim_sample_project/api/text_processor.py index 32247cb..44874b8 100644 
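Review bot: The new `permissions:` block grants `actions: write` and `security-events: write` to a release-triggered job whose visible steps are checkout, setup-python and a pip upgrade, and whose stated purpose is a Twine upload; neither scope is needed to publish a package, and on a job that already holds a publishing credential they widen what a compromised action or dependency can do with the GITHUB_TOKEN. Unless the remainder of the job (outside this hunk) uploads SARIF or manipulates workflow runs, reduce it to `permissions:` / `contents: read`, adding `id-token: write` only if the upload is moved to PyPI trusted publishing. Separately, the retained `branches: [main]` under `release:` is not a filter GitHub applies to the release event (branch filters are honoured for push, pull_request and workflow_run), so it does not limit which releases start this deploy job.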
--- a/slim_sample_project/api/text_processor.py +++ b/slim_sample_project/api/text_processor.py @@ -1,7 +1,8 @@ # Sample code: REPLACE with project code. -from colorama import Fore, Back, Style from random import randint +from colorama import Fore, Back, Style + class TextWriter: """ @@ -29,8 +30,16 @@ def out(self, text): """ Output writer to apply color settings to terminal text. :param text: The value to write to a string. - :type text: Any type that supports an internal str reporesentation. + :type text: Any type that supports an internal str representation. """ if not text: text = "Hello World" print(self.color, self.bg, self.style, str(text), Style.RESET_ALL) + + def __str__(self): + """ + Override default str method to return a string representation of the text properties. + @return: str representing class instance text properties + """ + desc = f"color: {self.color}, background: {self.bg}, style: {self.style}" + return desc diff --git a/slim_sample_project/hello_world.py b/slim_sample_project/hello_world.py index b3ea638..4b908e7 100644 --- a/slim_sample_project/hello_world.py +++ b/slim_sample_project/hello_world.py @@ -3,7 +3,7 @@ import sys from api.text_processor import TextWriter -from version_tooling import version +from version_tooling import VERSION def main(): @@ -12,7 +12,7 @@ def main(): """ w = TextWriter() w.out("Hello World!") - w.out(version) + w.out(VERSION) print("EXITING!") sys.exit(os.EX_OK) diff --git a/slim_sample_project/version_tooling.py b/slim_sample_project/version_tooling.py index bdc52b9..999fd92 100644 --- a/slim_sample_project/version_tooling.py +++ b/slim_sample_project/version_tooling.py 
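Review bot: The new `__str__` interpolates `self.color`, `self.bg` and `self.style` as-is, and judging by the `print(..., Style.RESET_ALL)` in `out` above these presumably hold colorama `Fore`/`Back`/`Style` constants, i.e. raw ANSI escape sequences, so `str(writer)` produces a string that recolours the terminal instead of describing the settings (the `__init__` that assigns them is outside this hunk); use `!r` to show the escapes literally: `desc = f"color: {self.color!r}, background: {self.bg!r}, style: {self.style!r}"`. The added docstring also uses the epytext tag `@return:` while `out` documents its parameter with reST `:param`/`:type`; switch to `:return: str describing the instance's colour, background and style` for consistency. Both `out` and the enclosing `TextWriter` class begin outside this hunk.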
@@ -2,8 +2,7 @@ import version as v try: - version = metadata.version(__name__) + VERSION = metadata.version(__name__) except metadata.PackageNotFoundError: # package is not installed, try reading from slim_sample_project script - version = v.__version__ if v.__version__ else "unset" - pass + VERSION = v.__version__ if v.__version__ else "unset"
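Review bot: `metadata.version(__name__)` on the renamed assignment looks up a distribution named after this module (`version_tooling`, or `__main__` when run directly) rather than the project's distribution, so unless a distribution by that name happens to be installed it always raises `PackageNotFoundError` and `VERSION` silently takes the `v.__version__` fallback, defeating the installed-metadata path this try/except exists for. Pass the distribution name explicitly, e.g. `VERSION = metadata.version("slim_sample_project")`, adjusting if the project's distribution name differs from the package directory shown in the diffstat. The hunk begins at `import version as v`; the module's first line is outside it.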