diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 9ddde9f6e8..b71e2f81ff 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -31,8 +31,12 @@ jobs: steps: # DO NOT run actions/checkout here, for security reasons # For details, refer to https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - - name: Post comment - uses: py-cov-action/python-coverage-comment-action@0544a9c648672334d94ec5dd1add7410b4470ddc # v3.37 + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 + with: + disable-sudo: false + egress-policy: audit + + - uses: py-cov-action/python-coverage-comment-action@0544a9c648672334d94ec5dd1add7410b4470ddc # v3.35 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }} \ No newline at end of file + GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 4f391cd76a..93dabee6dc 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
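Review bot: The added harden-runner step is pinned to `0634a2670c59f64b4a01f0f96f84700a4088b9f0` with no version comment, while every other workflow in this commit uses `ec9f2d5744a09debf3a187a3f4f675c53b671911` (labelled `# v2.13.0` on the lines being removed), so this job runs a different, unlabelled build of the action. On the next step the SHA is unchanged but its comment moves from `# v3.37` to `# v3.35`; the removed line in python-checks.yml labels the same SHA `# v3.37`, so the new comment looks wrong. Suggest `- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0` and keeping `# v3.37`. This job passes `secrets.GITHUB_TOKEN` to the comment action, so consider `disable-sudo: true` and an `egress-policy: block` allow-list here, as the other single-purpose jobs get. The dependency-review, python-checks and security_scorecard hunks drop the `# vX.Y.Z` comments from their pinned SHAs as well; keeping them lets a reader check a pin against a release.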
@@ -1,28 +1,27 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action name: Dependency review on: [pull_request] -permissions: - contents: read +permissions: read-all jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: audit + dependency-review: + name: Dependency review - - name: 'Checkout Repository' - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: 'Dependency Review' - uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3 \ No newline at end of file + runs-on: ubuntu-latest + + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + api.securityscorecards.dev:443 + github.com:443 + + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + + - uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b + with: + allow-ghsas: GHSA-pq67-6m6q-mj2v # urllib3 diff --git a/.github/workflows/python-checks.yml b/.github/workflows/python-checks.yml index 3f59c9e713..3357d6161d 100644 --- a/.github/workflows/python-checks.yml +++ b/.github/workflows/python-checks.yml 
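Review bot: `permissions: read-all` widens the token from the previous `contents: read` to read access on every scope, for a workflow that runs on `pull_request` and whose visible steps only check out the repository and run the dependency review. Keeping the explicit block (`permissions:` with `contents: read` under it) preserves least privilege, with further scopes added only when a step needs them; python-checks.yml makes the same change at workflow level. The new `allow-ghsas: GHSA-pq67-6m6q-mj2v # urllib3` entry exempts that advisory with no end date, so the comment should say why it is accepted and when it can be removed, for example `# urllib3: <reason>; remove once <condition>`.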
@@ -1,233 +1,330 @@ name: Python checks on: - push: - branches: ["main", "major-release"] - pull_request: - workflow_dispatch: + push: + branches: + - main + - major-release + pull_request: + schedule: + - cron: 0 0 * * 1 + workflow_dispatch: -permissions: - contents: read +permissions: read-all jobs: - test: - strategy: - fail-fast: false - matrix: - python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14-dev"] # uv ignores upper python version so we can test 3.14 here - os: ["ubuntu-latest", "windows-latest", "macos-latest"] - limited-dependencies: ["", "TRUE"] - - runs-on: ${{ matrix.os }} - - permissions: - contents: write - - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: ${{ matrix.python-version }} - - - name: Install uv - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce # 0.4.12 - - - name: Install dependencies - continue-on-error: ${{ contains(matrix.python-version, '3.14') }} - env: - PARSONS_LIMITED_DEPENDENCIES: ${{ matrix.limited-dependencies }} - run: | - uv pip install --system -e .[all] - uv pip install --system -r requirements-dev.txt - - - name: Test with pytest - continue-on-error: ${{ contains(matrix.python-version, '3.14') }} - run: | - pytest - env: - COVERAGE_FILE: ".coverage.${{ matrix.os }}.${{ matrix.python-version }}${{ matrix.limited-dependencies }}" - - - name: Store coverage file - if: ${{ !contains(matrix.python-version, '3.14') }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: coverage-${{ matrix.os }}${{ matrix.python-version }}${{ matrix.limited-dependencies }} - path: .coverage.${{ matrix.os }}.${{ matrix.python-version }}${{ matrix.limited-dependencies }} - include-hidden-files: true - - ruff-format: - runs-on: ubuntu-latest - - steps: - - uses: 
actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up Python 3.13 - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: "3.13" - - - name: Install uv - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce # 0.4.12 - - - name: Install dependencies - run: | - uv pip install --system -r requirements-dev.txt - - - name: Run ruff format - run: | - ruff format --diff . - - ruff-check: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up Python 3.13 - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: "3.13" - - - name: Install uv - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce # 0.4.12 - - - name: Install dependencies - run: | - uv pip install --system -r requirements-dev.txt - - - name: Run ruff - run: | - ruff check --output-format=github . - - bandit: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up Python 3.13 - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: "3.13" - - - name: Install uv - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce # 0.4.12 - - - name: Install bandit - run: | - uv pip install --system -r requirements-dev.txt - - - name: Run bandit scan - run: | - bandit --confidence-level=high --severity-level=high -c pyproject.toml -r . 
- - pre-commit: - runs-on: ubuntu-latest - needs: - - ruff-format - - ruff-check - - bandit - - permissions: - contents: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: audit - - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up Python 3.13 - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: 3.13 - cache: pip - - - name: Install uv - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce # 0.4.12 - - - name: Install module and dependencies - run: | - uv pip install --system -r requirements.txt - uv pip install --system -r requirements-dev.txt - uv pip install --system -e . - - - id: cache-pre-commit - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 - with: - path: .pre-commit-cache - key: ubuntu-latest-pre-commit-3.13 - - - name: Run pre-commit - run: | - pre-commit install - pre-commit run --all-files - env: - PRE_COMMIT_HOME: .pre-commit-cache - - coverage: - runs-on: ubuntu-latest - needs: test - - permissions: - pull-requests: write - contents: write - - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 - id: download - with: - pattern: coverage-* - merge-multiple: true - - - name: Coverage comment - id: coverage_comment - uses: py-cov-action/python-coverage-comment-action@0544a9c648672334d94ec5dd1add7410b4470ddc # v3.37 - with: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - MERGE_COVERAGE_FILES: true - - - name: Store Pull Request comment to be posted - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true' - with: - name: python-coverage-comment-action - path: python-coverage-comment-action.txt - - pip-install: - strategy: - 
fail-fast: false - matrix: - python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14-dev"] - os: ["ubuntu-latest", "windows-latest", "macos-latest"] - limited-dependencies: ["", "TRUE"] - - runs-on: ${{ matrix.os }} - - steps: - - name: Harden Runner - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: audit - - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: ${{ matrix.python-version }} - cache: pip - - - name: Install dependencies - continue-on-error: ${{ contains(matrix.python-version, '3.14') }} - env: - PARSONS_LIMITED_DEPENDENCIES: ${{ matrix.limited-dependencies }} - run: | - pip install -r requirements-dev.txt - pip install -e .[all] + pytest: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + python-version: + - '3.9' + - '3.10' + - '3.11' + - '3.12' + - '3.13' + - '3.13-dev' + os: + - ubuntu-latest + - windows-latest + - macos-latest + resolution: + - highest + - limited-dependencies + + permissions: + contents: write + + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 + with: + disable-sudo: true + egress-policy: audit + + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c + with: + python-version: ${{ matrix.python-version }} + cache: pip + + - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce + + - if: matrix.resolution != 'limited-dependencies' + continue-on-error: ${{ contains(matrix.python-version, '3.14') }} + run: | + uv pip install --system --resolution ${{ matrix.resolution }} -e .[all] + uv pip install --system --resolution ${{ matrix.resolution }} -r requirements-dev.txt + + - if: matrix.resolution == 'limited-dependencies' + continue-on-error: 
${{ contains(matrix.python-version, '3.14') }} + env: + PARSONS_LIMITED_DEPENDENCIES: 'TRUE' + run: | + uv pip install --system -e .[all] + uv pip install --system -r requirements-dev.txt + + - id: cache-pytest + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 + with: + path: .pytest_cache + key: pytest-${{ matrix.python-version }}-${{ matrix.os }}-${{ matrix.resolution }}-${{ hashFiles('pyproject.toml') }} + + - run: pytest + continue-on-error: ${{ contains(matrix.python-version, '3.14') }} + env: + COVERAGE_FILE: ".coverage.${{ matrix.os }}.${{ matrix.python-version }}.${{ matrix.resolution }}" + + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 + if: ${{ !contains(matrix.python-version, '3.14') }} + with: + name: coverage-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }} + path: .coverage.${{ matrix.os }}.${{ matrix.python-version }}.${{ matrix.resolution }} + include-hidden-files: true + + ruff-format: + runs-on: ubuntu-latest + + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 + + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c + with: + python-version: 3.13 + cache: pip + + - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce + + - run: uv pip install --system -r requirements-dev.txt + + - id: cache-ruff + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 + with: + path: .ruff_cache + key: ruff-${{ hashFiles('pyproject.toml') }} + + - id: run-ruff + run: ruff format --diff . 
+ + ruff-check: + runs-on: ubuntu-latest + + permissions: + security-events: write + + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 + + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c + with: + python-version: 3.13 + cache: pip + + - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce + + - run: uv pip install --system -r requirements-dev.txt + + - id: cache-ruff + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 + with: + path: .ruff_cache + key: ruff-${{ hashFiles('pyproject.toml') }} + + - id: run-ruff-sarif + run: | + ruff check --output-format=sarif -o results.sarif . + + - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f + if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-ruff-sarif.outcome) + with: + sarif_file: results.sarif + + - id: run-ruff + if: failure() && contains('["failure"]', steps.run-ruff-sarif.outcome) + run: | + ruff check --output-format=github . 
+ + bandit: + runs-on: ubuntu-latest + + permissions: + security-events: write + + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 + + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c + with: + python-version: 3.13 + cache: pip + + - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce + + - run: uv pip install --system -r requirements-dev.txt + + - id: run-bandit-sarif + run: | + bandit --confidence-level 'medium' --severity-level 'medium' --recursive 'parsons' --format 'sarif' --output 'results.sarif' + + - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f + if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-bandit-sarif.outcome) + with: + sarif_file: results.sarif + + - id: run-bandit + if: failure() && contains('["failure"]', steps.run-bandit-sarif.outcome) + run: | + bandit --confidence-level 'medium' --severity-level 'medium' --recursive 'parsons' + + coverage: + runs-on: ubuntu-latest + needs: pytest + + permissions: + pull-requests: write + contents: write + + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + img.shields.io:443 + + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 + with: + pattern: coverage-* + merge-multiple: true + + - id: coverage_comment + uses: py-cov-action/python-coverage-comment-action@0544a9c648672334d94ec5dd1add7410b4470ddc + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + MERGE_COVERAGE_FILES: true + + - uses: 
actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 + if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true' + with: + name: python-coverage-comment-action + path: python-coverage-comment-action.txt + + pre-commit: + runs-on: ubuntu-latest + needs: + - ruff-format + - ruff-check + - bandit + + permissions: + contents: write + + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + proxy.golang.org:443 + pypi.org:443 + + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c + with: + python-version: 3.13 + cache: pip + + - uses: install-pinned/uv@e29cd923c49146a4fcc66eb0c8bea117e33ed9ce + + - run: uv pip install --system -r requirements-dev.txt + + - id: cache-pre-commit + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 + with: + path: .pre-commit-cache + key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}-${{ hashFiles('pyproject.toml') }} + + - run: | + pre-commit install + pre-commit run --all-files + env: + PRE_COMMIT_HOME: .pre-commit-cache + + pip-install: + strategy: + fail-fast: false + matrix: + python-version: + - '3.9' + - '3.10' + - '3.11' + - '3.12' + - '3.13' + - '3.14-dev' + os: + - ubuntu-latest + - windows-latest + - macos-latest + limited-dependencies: + - 'TRUE' + - '' + + runs-on: ${{ matrix.os }} + + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 + with: + disable-sudo: true + egress-policy: audit + + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c + with: + python-version: ${{ matrix.python-version }} + cache: pip + + - continue-on-error: ${{ contains(matrix.python-version, '3.14') }} + env: + PARSONS_LIMITED_DEPENDENCIES: ${{ 
matrix.limited-dependencies }} + run: | + pip install -r requirements-dev.txt + pip install -e .[all] + diff --git a/.github/workflows/security_scorecard.yml b/.github/workflows/security_scorecard.yml index f23c9f6ce7..575978bc2f 100644 --- a/.github/workflows/security_scorecard.yml +++ b/.github/workflows/security_scorecard.yml @@ -21,7 +21,9 @@ permissions: read-all jobs: analysis: name: Scorecard analysis + runs-on: ubuntu-latest + permissions: # Needed to upload the results to code-scanning dashboard. security-events: write 
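Review bot: The `pytest` job keeps `permissions: contents: write` and its harden-runner step stays on `egress-policy: audit`, so the job that installs and executes the full dependency set gets a write-capable token and no egress enforcement. None of its visible steps (checkout, setup-python, install, cache, pytest, upload-artifact) appears to write to the repository, so `contents: read` looks sufficient; the same holds for the visible steps of `pre-commit`. Separately, the pytest matrix now lists `'3.13-dev'` where the old matrix had `"3.14-dev"`, yet `continue-on-error` and the upload `if:` still test `contains(matrix.python-version, '3.14')`, so those guards never match in this job while `pip-install` still lists `'3.14-dev'`. The now-unquoted `python-version: 3.13` values parse as floats; quoting them (`'3.13'`) avoids the `3.10` to `3.1` trap on a later bump.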
@@ -32,48 +34,34 @@ jobs: # actions: read steps: - - name: Harden Runner - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + api.securityscorecards.dev:443 + auth.docker.io:443 + fulcio.sigstore.dev:443 + github.com:443 + index.docker.io:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - - name: "Checkout code" - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 with: persist-credentials: false - - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 with: results_file: results.sarif results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). 
Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard (optional). - # Commenting out will disable upload of results to your repo's Code Scanning dashboard - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5 + - uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 with: sarif_file: results.sarif \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9912ae00b5..75114c5df2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,12 +1,12 @@ repos: - repo: https://github.com/astral-sh/ruff-pre-commit - rev: 'v0.11.7' + rev: v0.13.0 hooks: - id: ruff - id: ruff-format - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit - args: ['--confidence-level=high', '--severity-level=high', '-c', 'pyproject.toml'] - additional_dependencies: ['bandit[toml]'] + args: ['--confidence-level', 'medium', '--severity-level', 'medium'] + files: '^parsons' diff --git a/pyproject.toml b/pyproject.toml index ca33cef29f..2b5f75609f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -94,7 +94,7 @@ docstring-code-format = false docstring-code-line-length = "dynamic" [tool.pytest.ini_options] -addopts = "-rf --cov=parsons -n auto" +addopts = "-rf --cov=parsons --no-cov-on-fail -n auto" testpaths = [ "test", ] @@ -107,12 +107,6 @@ filterwarnings = [ "ignore:Argument login_or_token is deprecated:DeprecationWarning", ] -[tool.bandit] -exclude_dirs = [ - ".venv/", - "test" -] - [tool.isort] profile = "hug" src_paths = [ diff --git a/requirements-dev.txt b/requirements-dev.txt index 2f0801cc10..09298535b8 100644 
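Review bot: The `ossf/scorecard-action` pin changes from `05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2` to `f49aabe0b5af0936a0987cfb85d86b75731b0186` with the version comment dropped, so the release this job now runs cannot be read from the diff, and the job holds `security-events: write` and publishes results. Please restore a label, e.g. `uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # <release tag>`, after checking the commit against the upstream release. `github/codeql-action/upload-sarif` stays at `f1f6e5f6af878fb37288ce1c627459e94dbf7d01` here while python-checks.yml introduces it at `ff0a06e83cb2de871e5a09832bc6a81e7276941f`; using one commit for both keeps the pin set auditable. This harden-runner step also omits the `disable-sudo: true` that the other block-mode jobs set, which may be deliberate but is worth a comment.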
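Review bot: `files: '^parsons'` is an unanchored prefix, so it also matches any top-level path that merely starts with `parsons`, and together with dropping `-c pyproject.toml` it narrows the bandit hook from the whole repository (minus `.venv/` and `test`, per the `[tool.bandit]` table removed from pyproject.toml) to that one tree. If only the package directory is intended, `files: '^parsons/'` states it exactly. Python files outside that directory, if any exist, are no longer scanned by this hook or by the `bandit` job in python-checks.yml, which uses `--recursive 'parsons'`; that trade-off deserves a line in the commit message.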
--- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,15 +1,16 @@ # Testing Requirements -bandit[toml]==1.8.3 +bandit[sarif]==1.8.6 coverage==7.10.6 -pre-commit==4.2.0 -pytest-cov==6.1.1 +pre-commit==4.3.0 +pytest-cov==6.2.1 pytest-datadir==1.8.0 pytest-mock==3.14.1 pytest-xdist==3.8.0 pytest==8.4.1 requests-mock==1.12.1 -ruff==0.11.7 -testfixtures==8.3.0 +ruff==0.13.0 +testfixtures==8.3.0;python_version<'3.11' +testfixtures==9.1.0;python_version>='3.11' # Build and publish requirements twine==6.1.0 @@ -19,8 +20,8 @@ build # Docs Requirements myst-parser==3.0.1;python_version<'3.10' myst-parser==4.0.1;python_version>='3.10' -sphinx-multiversion +sphinxcontrib-googleanalytics==0.5 +sphinx-multiversion==0.2.4 sphinx-rtd-theme==3.0.2 -sphinxcontrib-googleanalytics -Sphinx==7.4.7;python_version<'3.10' -Sphinx==8.1.3;python_version>='3.10' +Sphinx==7.4.7;python_version<'3.11' +Sphinx==8.2.3;python_version>='3.11' diff --git a/requirements.txt b/requirements.txt index 494bf1ab85..e8f81d5a05 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,3 @@ -pyairtable==3.2.0 azure-storage-blob==12.25.1 boto3>=1.17.98 boxsdk==3.14.0 @@ -8,7 +7,7 @@ censusgeocode==0.5.2 civis==1.16.1;python_version<"3.10" # later Civis versions do not support Python 3.9 civis==2.4.3;python_version>="3.10" curlify==3.0.0 -dbt_core>=1.5.0 +dbt-core>=1.5.0 defusedxml>=0.7.1, <=0.8.0 facebook-business==22.0.2 google-api-core==2.25.1 @@ -29,15 +28,17 @@ paramiko==4.0.0 petl==1.7.17 psycopg2-binary==2.9.9;python_version<"3.13" psycopg2-binary==2.9.10;python_version>="3.13" +pyairtable==3.2.0 PyGitHub==2.7.0 python-dateutil==2.9.0.post0 requests==2.32.4 -requests_oauthlib==2.0.0 +requests-oauthlib==2.0.0 setuptools==80.9.0 simple-salesforce==1.12.6 simplejson==3.20.1 slackclient==1.3.1 sqlalchemy >= 1.4.22, != 1.4.33, < 3.0.0 # Prefect does not work with 1.4.33 and >=2.0.0 has breaking changes +sshtunnel==0.4.0 suds-py3==1.4.5.0 surveygizmo==1.2.3 twilio==9.6.0 
@@ -50,5 +51,4 @@ xmltodict==0.15.0 jinja2>=3.0.2 selenium==3.141.0 us==3.2.0 -sshtunnel==0.4.0 diff --git a/test/test_van/test_people.py b/test/test_van/test_people.py index 21642ba3c5..c072ddcb05 100644 --- a/test/test_van/test_people.py +++ b/test/test_van/test_people.py @@ -186,7 +186,7 @@ def test_apply_canvass_result(self, m): self.van.apply_canvass_result(2335282, 18, id_type="DWID") # test canvassing via phone or sms without providing phone number - self.assertRaises(Exception, self.van.apply_canvass_result, 2335282, 18, contact_type_id=37) + self.assertRaises(HTTPError, self.van.apply_canvass_result, 2335282, 18, contact_type_id=37) # test canvassing via phone or sms with providing phone number m.post(self.van.connection.uri + "people/2335282/canvassResponses", status_code=204)