From b5c0c3848355dee64751bd1fa1fe254402aa0f07 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Jul 2025 12:22:21 +0000 Subject: [PATCH 1/3] build(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.12.2 to 2.13.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/6c439dc8bdf85cadbbce9ed30d1c7b959517bc49...ec9f2d5744a09debf3a187a3f4f675c53b671911) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.13.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/actionlint.yml | 2 +- .github/workflows/docs.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/pypi.yml | 6 +++--- .github/workflows/test.yml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index ee183a6..6fa239a 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden Runner" - uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index e81f262..84dfb6f 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden Runner" - uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: "Checkout" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index fa8fb48..198a905 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -59,7 +59,7 @@ jobs: tox -e mypy steps: - name: "Harden Runner" - uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml index 8694de5..6882dd3 100644 --- a/.github/workflows/pypi.yml +++ b/.github/workflows/pypi.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden Runner" - uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -65,7 +65,7 @@ jobs: steps: - name: "Harden Runner" - uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -97,7 +97,7 @@ jobs: steps: - name: "Harden Runner" - uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 01f0f87..1e6f435 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -48,7 +48,7 @@ jobs: - "ubuntu-latest" steps: - name: "Harden Runner" - uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs From 895b12139332a6347207b5db6d543fa23ce9e47a Mon Sep 17 00:00:00 2001 From: BJ Hargrave Date: Wed, 16 Jul 2025 08:50:14 -0400 Subject: [PATCH 2/3] mypy: Ignore invalid error Signed-off-by: BJ Hargrave --- src/instructlab/schema/taxonomy.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/instructlab/schema/taxonomy.py b/src/instructlab/schema/taxonomy.py index fe927ac..e24fa44 100644 --- a/src/instructlab/schema/taxonomy.py +++ b/src/instructlab/schema/taxonomy.py @@ -321,7 +321,7 @@ def _schema_validate(self, text: str, taxonomy: Taxonomy) -> None: validator_cls = validator_for(schema) # mypy doesn't understand attrs classes fields, see: https://github.com/python/mypy/issues/5406 registry: SchemaRegistry = Registry(retrieve=retrieve) # type: ignore[call-arg] - validator: Validator = validator_cls(schema, registry=registry) + validator: Validator = validator_cls(schema, registry=registry) # type: ignore[arg-type] for validation_error in validator.iter_errors(taxonomy.contents): yaml_path = validation_error.json_path[1:] From c9c9c3abd5334c6cb9a6eb9df931a3f262e109b2 Mon Sep 17 00:00:00 2001 From: BJ Hargrave Date: Wed, 16 Jul 2025 09:15:28 -0400 Subject: [PATCH 3/3] Change egress-policy to block 
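Review bot: The new `# type: ignore[arg-type]` on the `validator_cls(schema, registry=registry)` line has no explanation; the comment above it only covers the `call-arg` ignore on the `Registry(...)` line. The commit title calls the error invalid, so the reason should sit next to the ignore, for example `# mypy false positive on registry=, see <tracking-issue-link>` (placeholder link). If the project enables mypy's `warn_unused_ignores`, the suppression will be reported once it is no longer needed, rather than lingering and hiding a real type error in the schema-validation path. `_schema_validate` starts and ends outside the hunk.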
Signed-off-by: BJ Hargrave --- .github/workflows/actionlint.yml | 10 ++- .github/workflows/docs.yml | 5 +- .github/workflows/lint.yml | 8 +- .github/workflows/pypi.yml | 147 ++++++++++++++++++------------- .github/workflows/test.yml | 7 +- 5 files changed, 111 insertions(+), 66 deletions(-) diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 6fa239a..a35f9d6 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -32,7 +32,15 @@ jobs: - name: "Harden Runner" uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + egress-policy: block + allowed-endpoints: > + auth.docker.io:443 + cdn.fwupd.org:443 + github.com:443 + objects.githubusercontent.com:443 + production.cloudflare.docker.com:443 + raw.githubusercontent.com:443 + registry-1.docker.io:443 - name: "Checkout" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 84dfb6f..b2b638d 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -35,7 +35,10 @@ jobs: - name: "Harden Runner" uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + disable-sudo-and-containers: true + egress-policy: block + allowed-endpoints: > + github.com:443 - name: "Checkout" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 198a905..e1cdd76 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
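Review bot: The allowlist in the actionlint.yml hunk includes `cdn.fwupd.org:443`, which looks like background traffic from the runner image's firmware-update service rather than anything the actionlint job needs; if an audit run confirms that, drop it so the block policy permits only job traffic. This is also the only job in the commit without `disable-sudo-and-containers: true`, presumably because it pulls a container image (the Docker registry hosts are allowed). A comment such as `# actionlint runs from a container image, so sudo/containers stay enabled` would record that this is intentional. None of the new `allowed-endpoints` lists (here and in docs.yml, lint.yml, pypi.yml, test.yml) say which step needs which host, so a short `#` comment above each list would make later pruning safe. The job continues outside the hunk.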
@@ -61,7 +61,13 @@ jobs: - name: "Harden Runner" uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + disable-sudo-and-containers: true + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + json-schema.org:443 + pypi.org:443 - name: "Checkout" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml index 6882dd3..ed35af4 100644 --- a/.github/workflows/pypi.yml +++ b/.github/workflows/pypi.yml @@ -34,20 +34,27 @@ jobs: name: Build and check packages runs-on: ubuntu-latest steps: - - name: "Harden Runner" - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - - name: "Checkout" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - # for setuptools-scm - fetch-depth: 0 - - - name: "Build and Inspect" - uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0 + - name: "Harden Runner" + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + with: + disable-sudo-and-containers: true + egress-policy: block + allowed-endpoints: > + astral.sh:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 + release-assets.githubusercontent.com:443 + + - name: "Checkout" + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + # for setuptools-scm + fetch-depth: 0 + + - name: "Build and Inspect" + uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0 # push to Test PyPI on # - a new GitHub release is published 
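Review bot: The first pypi.yml hunk removes and re-adds the `Checkout` and `Build and Inspect` steps with identical content, which appears to be a re-indentation of the `steps:` list folded into the egress-policy change; the two publish-job hunks do the same. In a release workflow this buries the real additions (`disable-sudo-and-containers: true`, `egress-policy: block`, the endpoint list) under dozens of unchanged lines, and a reviewer has to verify by hand that no `uses:` pin or `with:` value moved. Putting the whitespace change in its own commit would reduce the security-relevant diff to a few lines per job. The job header is outside the hunk.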
@@ -64,21 +71,29 @@ jobs: needs: build-package steps: - - name: "Harden Runner" - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: "Download build artifacts" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 - with: - name: Packages - path: dist - - - name: "Upload to Test PyPI" - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 - with: - repository-url: https://test.pypi.org/legacy/ + - name: "Harden Runner" + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + with: + disable-sudo-and-containers: true + egress-policy: block + allowed-endpoints: > + fulcio.sigstore.dev:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + rekor.sigstore.dev:443 + test.pypi.org:443 + tuf-repo-cdn.sigstore.dev:443 + + - name: "Download build artifacts" + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: Packages + path: dist + + - name: "Upload to Test PyPI" + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + with: + repository-url: https://test.pypi.org/legacy/ # push to Production PyPI on # - a new GitHub release is published 
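Review bot: In the Test PyPI job, `disable-sudo-and-containers: true` sits next to `ghcr.io:443` and `pkg-containers.githubusercontent.com:443` in the allowlist. Those are container-registry hosts, and as far as I know `pypa/gh-action-pypi-publish` at v1.12.4 runs from an image pulled from GHCR. If the option removes container access for the job, the `Upload to Test PyPI` step would fail, and because these jobs run only on release events the failure would first appear during a release. Either confirm with a trial run against Test PyPI that the publish step still works, or drop the option here and add a comment such as `# publish action runs in a container; containers must stay enabled`. The same combination appears in the production PyPI job's hunk, and the job header is outside this hunk.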
@@ -96,36 +111,44 @@ jobs: needs: build-package steps: - - name: "Harden Runner" - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: "Download build artifacts" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 - with: - name: Packages - path: dist - - - name: "Sigstore sign package" - uses: sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1 - with: - inputs: | - ./dist/*.tar.gz - ./dist/*.whl - release-signing-artifacts: false - - - name: "Upload artifacts and signatures to GitHub release" - run: | - gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # PyPI does not accept .sigstore artifacts and - # gh-action-pypi-publish has no option to ignore them. - - name: "Remove sigstore signatures before uploading to PyPI" - run: | - rm ./dist/*.sigstore.json - - - name: "Upload to PyPI" - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + - name: "Harden Runner" + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + with: + disable-sudo-and-containers: true + egress-policy: block + allowed-endpoints: > + fulcio.sigstore.dev:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + rekor.sigstore.dev:443 + pypi.org:443 + tuf-repo-cdn.sigstore.dev:443 + + - name: "Download build artifacts" + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: Packages + path: dist + + - name: "Sigstore sign package" + uses: sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1 + with: + inputs: | + ./dist/*.tar.gz + ./dist/*.whl + release-signing-artifacts: false + + - name: "Upload artifacts and signatures to GitHub release" + run: | + gh release upload 
'${{ github.ref_name }}' dist/* --repo '${{ github.repository }}' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # PyPI does not accept .sigstore artifacts and + # gh-action-pypi-publish has no option to ignore them. + - name: "Remove sigstore signatures before uploading to PyPI" + run: | + rm ./dist/*.sigstore.json + + - name: "Upload to PyPI" + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1e6f435..4b25081 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -50,7 +50,12 @@ jobs: - name: "Harden Runner" uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + disable-sudo-and-containers: true + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 - name: "Checkout" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
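Review bot: The production job's allowlist contains `pypi.org:443` but not `upload.pypi.org:443`. The `Upload to PyPI` step sets no `repository-url`, so it uses the action's default upload endpoint, `https://upload.pypi.org/legacy/`, and under `egress-policy: block` that upload would likely be refused. The `gh release upload` step also talks to GitHub's API and asset-upload hosts, and neither `api.github.com:443` nor `uploads.github.com:443` is listed; harden-runner may not allow them implicitly, so that is worth checking. Since this job runs only on a published release, the list has probably not been exercised by routine audit runs, and a failure here would leave a release half-published (signed and possibly attached to the GitHub release, but absent from PyPI). Suggested additions to the list: `upload.pypi.org:443`, `api.github.com:443`, `uploads.github.com:443`. The job header is outside the hunk.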