Github Actions Rebuild (#1132)

* update ruff

* add dependabot

* add dependency review

* harden security scorecard

* run scorecard on major-release PRs

* use defusedxml

* add usedforsecurity flag to hashlib.md5

* correct comment for sqlalchemy

* modularize python check action

* update actions/upload-artifact

Author: Wil T

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: pip
+    directory: /docs
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/dependency-review.yml

@@ -0,0 +1,28 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: Dependency review
+
+on: [pull_request]
+
+permissions:
+    contents: read
+
+jobs:
+    dependency-review:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+              with:
+                  egress-policy: audit
+
+            - name: 'Checkout Repository'
+              uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+            - name: 'Dependency Review'
+              uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/pip-install.yml

@@ -0,0 +1,168 @@
+name: Python checks
+
+on:
+    push:
+        branches: [ "main", "major-release" ]
+    pull_request:
+        branches: [ "main", "major-release" ]
+    workflow_dispatch:
+
+permissions:
+    contents: read
+
+jobs:
+    test:
+        strategy:
+            fail-fast: false
+            matrix:
+                python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+                os: ["ubuntu-latest", "windows-latest", "macos-latest"]
+                limited-dependencies: ["", "TRUE"]
+
+        runs-on: ${{ matrix.os }}
+
+        steps:
+            - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+            - name: Set up Python ${{ matrix.python-version }}
+              uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+              with:
+                  python-version: ${{ matrix.python-version }}
+
+            - name: Install uv
+              uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1  # 0.4.12
+
+            - name: Install dependencies
+              env:
+                  PARSONS_LIMITED_DEPENDENCIES: ${{ matrix.limited-dependencies }}
+              run: |
+                uv pip install --system -e .[all]
+                uv pip install --system -r requirements-dev.txt
+
+            - name: Test with pytest
+              run: |
+                pytest
+
+    ruff-format:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+            - name: Set up Python 3.12
+              uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+              with:
+                  python-version: "3.12"
+
+            - name: Install uv
+              uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1  # 0.4.12
+
+            - name: Install dependencies
+              run: |
+                uv pip install --system -r requirements-dev.txt
+
+            - name: Run ruff format
+              run: |
+                ruff format --diff --target-version=py38 .
+
+    ruff:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+            - name: Set up Python 3.12
+              uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+              with:
+                  python-version: "3.12"
+
+            - name: Install uv
+              uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1  # 0.4.12
+
+            - name: Install dependencies
+              run: |
+                uv pip install --system -r requirements-dev.txt
+
+            - name: Run ruff
+              run: |
+                ruff check --output-format=github .
+
+    bandit:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+            - name: Set up Python 3.12
+              uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+              with:
+                  python-version: "3.12"
+
+            - name: Install uv
+              uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1  # 0.4.12
+
+            - name: Install bandit
+              run: |
+                uv pip install --system -r requirements-dev.txt
+
+            - name: Run bandit scan
+              run: |
+                bandit -c pyproject.toml -r . -ll -ii
+
+    coverage:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+            - name: Set up Python 3.12
+              uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+              with:
+                  python-version: "3.12"
+
+            - name: Install uv
+              uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1  # 0.4.12
+
+            - name: Install dependencies
+              run: |
+                uv pip install --system -e .[all]
+                uv pip install --system -r requirements-dev.txt
+
+            - name: Test with pytest
+              run: |
+                coverage run -m pytest
+
+            - name: Check coverage
+              run: |
+                coverage report -m --skip-covered --fail-under=75
+
+    pip-install:
+        strategy:
+            fail-fast: false
+            matrix:
+                python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+                os: ["ubuntu-latest", "windows-latest", "macos-latest"]
+                limited-dependencies: ["", "TRUE"]
+
+        runs-on: ${{ matrix.os }}
+
+        steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+              with:
+                  egress-policy: audit
+
+            - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+            - name: Set up Python ${{ matrix.python-version }}
+              uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+              with:
+                  python-version: ${{ matrix.python-version }}
+                  cache: pip
+
+            - name: Install dependencies
+              env:
+                  PARSONS_LIMITED_DEPENDENCIES: ${{ matrix.limited-dependencies }}
+              run: |
+                  pip install -r requirements-dev.txt
+                  pip install -e .[all]

.github/workflows/python-checks.yml

@@ -3,14 +3,15 @@
 # policy, and support documentation.
 
 name: Scorecard supply-chain security
+
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   pull_request:
-    branches: [ "main" ]
+    branches: [ "main", "major-release" ]
   schedule:
     - cron: '45 16 * * 2'
 
@@ -31,6 +32,11 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -59,7 +65,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
@@ -68,6 +74,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif