CodeQL scanning can run always on all code #45541
Merged: potiuk merged 1 commit into apache:main from potiuk:simplify-codeql-scanning-job-conditions, Jan 10, 2025
+0 −57
The CodeQL scanning is fast and having custom configuration to select which scanning should be run makes it unnecessarily complex. We can just run all CodeQL scans always. This has been suggested by actions codeql scan itself.
potiuk force-pushed the simplify-codeql-scanning-job-conditions branch from 46060b8 to 2b70c82, January 10, 2025 10:14
gopidesupavan approved these changes, Jan 10, 2025
potiuk added a commit that referenced this pull request, Jan 10, 2025

This is a bulk change that synchronizes dev/ci scripts for v2-10-test branch with main #45266 - including follow-ups.

Rather than cherry-picking relevant PRs, this one gets the latest version of the scripts from main and updates the branch with some changes to adapt them to v2-10-test (such as bringing back python 3.8 support, removing some providers checks after the bulk move of providers and making sure all tests are passing).

This is far easier than cherry-picking the changes, because for the v2-10-test we stopped cherry-picking CI changes which was deemed unnecessary (we used to do it for all previous branches) but this made it far more difficult (if not impossible) to cherry-pick individual changes.

Fortunately, the CI scripts are maintained in the way that their latest version **should** in principle work for a v2-* branch and hopefully after just a few adjustments we should be able to synchronize the changes from main by updating all relevant CI/DEV scripts, dockerfile images, workflows, pre-commits etc.

Add actions in codeql workflows to scan github workflow actions (#45534)

* add actions in codeql workflows to scan github workflow actions
* add actions in codeql workflows to scan github workflow actions

CodeQL scanning can run always on all code (#45541)

The CodeQL scanning is fast and having custom configuration to select which scanning should be run makes it unnecessarily complex. We can just run all CodeQL scans always. This has been suggested by actions codeql scan itself.

Add explicit permissions for all workflow-run workflows (#45548)

Those workflows inherit permissions from the calling workflows but it's good to add explicit permissions to indicate what is needed and in case we will also use the workflows for other purposes in the future - default permissions for older repos might be write so it's best to be explicit about the permissions.

Found by CodeQL scanning
potiuk added a commit that referenced this pull request, Jan 11, 2025

This is a bulk change that synchronizes dev/ci scripts for v2-10-test branch with main #45266 - including follow-ups.

Rather than cherry-picking relevant PRs, this one gets the latest version of the scripts from main and updates the branch with some changes to adapt them to v2-10-test (such as bringing back python 3.8 support, removing some providers checks after the bulk move of providers and making sure all tests are passing).

This is far easier than cherry-picking the changes, because for the v2-10-test we stopped cherry-picking CI changes which was deemed unnecessary (we used to do it for all previous branches) but this made it far more difficult (if not impossible) to cherry-pick individual changes.

Fortunately, the CI scripts are maintained in the way that their latest version **should** in principle work for a v2-* branch and hopefully after just a few adjustments we should be able to synchronize the changes from main by updating all relevant CI/DEV scripts, dockerfile images, workflows, pre-commits etc.

Add actions in codeql workflows to scan github workflow actions (#45534)

* add actions in codeql workflows to scan github workflow actions
* add actions in codeql workflows to scan github workflow actions

CodeQL scanning can run always on all code (#45541)

The CodeQL scanning is fast and having custom configuration to select which scanning should be run makes it unnecessarily complex. We can just run all CodeQL scans always. This has been suggested by actions codeql scan itself.

Add explicit permissions for all workflow-run workflows (#45548)

Those workflows inherit permissions from the calling workflows but it's good to add explicit permissions to indicate what is needed and in case we will also use the workflows for other purposes in the future - default permissions for older repos might be write so it's best to be explicit about the permissions.

Found by CodeQL scanning

Remove contents: write permission from generate-constraints (#45558)

The write permission cannot be set for PRs from forks in the call workflow - so we have to come back to implicit permissions and make explicit permissions passing a bit differently.

(cherry picked from commit ae32ebc)

Bump trove-classifiers from 2025.1.7.14 to 2025.1.10.15 (#45561)

Bumps [trove-classifiers](https://github.com/pypa/trove-classifiers) from 2025.1.7.14 to 2025.1.10.15.

- [Release notes](https://github.com/pypa/trove-classifiers/releases)
- [Commits](pypa/trove-classifiers@2025.1.7.14...2025.1.10.15)

---
updated-dependencies:
- dependency-name: trove-classifiers
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

(cherry picked from commit f3fd262)

Add optional --image-file-dir to store loaded files elsewhere (#45564)

While backporting the "pull_request_target" removal to v2-10-test branches it turned out that there is not enough disk space on Public runner to load all 5 images and keep the file dump at the same time in the same filesystem.

This PR allows to choose where the load/save files will be stored and in the github runner environment we store the files in "/mnt" which is a separate folder with 40GB free.

(cherry picked from commit 6628049)

Fix --from-pr feature for image load and stabilize help

This is a follow-up after #45564 - it fixes the `--from-pr` and `--from-run` to work (it was failing with file does not exist).

Also found out that gettempdir might return different directory depending on which is your designated tmp directory (for example in MacOS this is a longer path in /var/.....) - so we have to force the default during help generation to always return "/tmp" so that the --help images do not change depending on which system you are on and what your tmp directory is.
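A CodeQL workflow shaped the way the #45541 description and the #45548 commit message describe, given here as an added example and not taken from the Airflow repository: every language is analysed on every run with no job conditions, and the token permissions are declared explicitly instead of being inherited. The triggers, cron schedule, language list and action versions are assumptions.

```yaml
# Constructed example; not the Apache Airflow workflow file.
name: "CodeQL"

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: "0 2 * * *"   # assumed schedule

# Workflow-wide default: a read-only token, so no job silently inherits a
# permissive repository default (older repositories may default to write).
permissions:
  contents: read

concurrency:
  group: codeql-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # No `if:` condition and no upstream job that decides which scans to run:
    # every language in the matrix is analysed on every trigger.
    # Job-level permissions replace the workflow-level block for this job,
    # so everything the job needs is listed here.
    permissions:
      actions: read
      contents: read
      security-events: write   # upload results to code scanning
    strategy:
      fail-fast: false
      matrix:
        # `actions` scans the GitHub workflow files themselves.
        language: [python, javascript, actions]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```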
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
This is a bulk change that synchronizes dev/ci scripts for v2-10-test branch with main #45266 - including follow-ups. Rather than cherry-picking relevant PRs, this one gets the latest version of the scripts from main and updates the branch with some changes to adapt them to v2-10-test (such as bringing back python 3.8 support, removing some providers checks after the bulk move of providers and making sure all tests are passing. This is far easier than cherry-picking the changes, because for the v2-10-test we stopped cherry-picking CI changes which was deemed unnecessary (we used to do it for all previous branches) but this made it far more difficult (if not impossible) to cherry-pick individual changes. Fortunately, the CI scripts are maintained in the way that their latest version **should** in principle work for a v2-* branch and hopefully after just a few adjustments we should be able to synchronize the changes from main by updating all relevant CI/DEV scripts, dockerfile images, workflows, pre-commits etc. Add actions in codeql workflows to scan github workflow actions (#45534) * add actions in codeql workflows to scan github workflow actions * add actions in codeql workflows to scan github workflow actions CodeQL scanning can run always on all code (#45541) The CodeQL scannig is fast and having custom configuration to select which scanning to run should be run makes it unnecessarily complex We can just run all CodeQL scans always. This has been suggested by actions codeql scan itself. Add explicit permissions for all workflow-run workflows (#45548) Those workflows inherit permissions from the calling workflows but it's good to add explicit permissions to indicate what is needed and in case we will also use the workflows for other purposes in the future - default permissions for older repos might be write so it's best to be explicit about the permissions. 
Found by CodeQL scanning Remove contents: write permission from generate-constraints (#45558) The write permission cannot be set for PRs from forks in the call workflow - so we have to come back to implicit permissions and make explicit permissions passing a bit differently. (cherry picked from commit ae32ebc) Bump trove-classifiers from 2025.1.7.14 to 2025.1.10.15 (#45561) Bumps [trove-classifiers](https://github.com/pypa/trove-classifiers) from 2025.1.7.14 to 2025.1.10.15. - [Release notes](https://github.com/pypa/trove-classifiers/releases) - [Commits](pypa/trove-classifiers@2025.1.7.14...2025.1.10.15) --- updated-dependencies: - dependency-name: trove-classifiers dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit f3fd262) Add optional --image-file-dir to store loaded files elsewhere (#45564) While backorting the "pull_request_target" removal to v2-10-test branches it turned out that there is not enough disk space on Public runner to load all 5 images and keep the file dump at the same time in the same filesystem. This PR allows to choose where the load/save files will be stored and in the github runner environment we store the files in "/mnt" wnich is a separate folder with 40GB free. (cherry picked from commit 6628049) Fix --from-pr feature for image load and stabilize help This is a follow-up after #45564 - it fixes the `--from-pr` and `--from-run` to work (it was failing with file does not exist). Also found out that gettempdir might return different directory depending on which is your designated tmp directory (for example in MacOS this is is a longer path in /var/.....) - so we have to force the default during help generation to always return "/tmp" so that the --help images do not change depending on which system you are and what your tmp directory is.
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
This is a bulk change that synchronizes dev/ci scripts for v2-10-test branch with main #45266 - including follow-ups. Rather than cherry-picking relevant PRs, this one gets the latest version of the scripts from main and updates the branch with some changes to adapt them to v2-10-test (such as bringing back python 3.8 support, removing some providers checks after the bulk move of providers and making sure all tests are passing. This is far easier than cherry-picking the changes, because for the v2-10-test we stopped cherry-picking CI changes which was deemed unnecessary (we used to do it for all previous branches) but this made it far more difficult (if not impossible) to cherry-pick individual changes. Fortunately, the CI scripts are maintained in the way that their latest version **should** in principle work for a v2-* branch and hopefully after just a few adjustments we should be able to synchronize the changes from main by updating all relevant CI/DEV scripts, dockerfile images, workflows, pre-commits etc. Add actions in codeql workflows to scan github workflow actions (#45534) * add actions in codeql workflows to scan github workflow actions * add actions in codeql workflows to scan github workflow actions CodeQL scanning can run always on all code (#45541) The CodeQL scannig is fast and having custom configuration to select which scanning to run should be run makes it unnecessarily complex We can just run all CodeQL scans always. This has been suggested by actions codeql scan itself. Add explicit permissions for all workflow-run workflows (#45548) Those workflows inherit permissions from the calling workflows but it's good to add explicit permissions to indicate what is needed and in case we will also use the workflows for other purposes in the future - default permissions for older repos might be write so it's best to be explicit about the permissions. 
Found by CodeQL scanning Remove contents: write permission from generate-constraints (#45558) The write permission cannot be set for PRs from forks in the call workflow - so we have to come back to implicit permissions and make explicit permissions passing a bit differently. (cherry picked from commit ae32ebc) Bump trove-classifiers from 2025.1.7.14 to 2025.1.10.15 (#45561) Bumps [trove-classifiers](https://github.com/pypa/trove-classifiers) from 2025.1.7.14 to 2025.1.10.15. - [Release notes](https://github.com/pypa/trove-classifiers/releases) - [Commits](pypa/trove-classifiers@2025.1.7.14...2025.1.10.15) --- updated-dependencies: - dependency-name: trove-classifiers dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit f3fd262) Add optional --image-file-dir to store loaded files elsewhere (#45564) While backorting the "pull_request_target" removal to v2-10-test branches it turned out that there is not enough disk space on Public runner to load all 5 images and keep the file dump at the same time in the same filesystem. This PR allows to choose where the load/save files will be stored and in the github runner environment we store the files in "/mnt" wnich is a separate folder with 40GB free. (cherry picked from commit 6628049) Fix --from-pr feature for image load and stabilize help This is a follow-up after #45564 - it fixes the `--from-pr` and `--from-run` to work (it was failing with file does not exist). Also found out that gettempdir might return different directory depending on which is your designated tmp directory (for example in MacOS this is is a longer path in /var/.....) - so we have to force the default during help generation to always return "/tmp" so that the --help images do not change depending on which system you are and what your tmp directory is.
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
This is a bulk change that synchronizes dev/ci scripts for v2-10-test branch with main #45266 - including follow-ups. Rather than cherry-picking relevant PRs, this one gets the latest version of the scripts from main and updates the branch with some changes to adapt them to v2-10-test (such as bringing back python 3.8 support, removing some providers checks after the bulk move of providers and making sure all tests are passing. This is far easier than cherry-picking the changes, because for the v2-10-test we stopped cherry-picking CI changes which was deemed unnecessary (we used to do it for all previous branches) but this made it far more difficult (if not impossible) to cherry-pick individual changes. Fortunately, the CI scripts are maintained in the way that their latest version **should** in principle work for a v2-* branch and hopefully after just a few adjustments we should be able to synchronize the changes from main by updating all relevant CI/DEV scripts, dockerfile images, workflows, pre-commits etc. Add actions in codeql workflows to scan github workflow actions (#45534) * add actions in codeql workflows to scan github workflow actions * add actions in codeql workflows to scan github workflow actions CodeQL scanning can run always on all code (#45541) The CodeQL scannig is fast and having custom configuration to select which scanning to run should be run makes it unnecessarily complex We can just run all CodeQL scans always. This has been suggested by actions codeql scan itself. Add explicit permissions for all workflow-run workflows (#45548) Those workflows inherit permissions from the calling workflows but it's good to add explicit permissions to indicate what is needed and in case we will also use the workflows for other purposes in the future - default permissions for older repos might be write so it's best to be explicit about the permissions. 
Found by CodeQL scanning Remove contents: write permission from generate-constraints (#45558) The write permission cannot be set for PRs from forks in the call workflow - so we have to come back to implicit permissions and make explicit permissions passing a bit differently. (cherry picked from commit ae32ebc) Bump trove-classifiers from 2025.1.7.14 to 2025.1.10.15 (#45561) Bumps [trove-classifiers](https://github.com/pypa/trove-classifiers) from 2025.1.7.14 to 2025.1.10.15. - [Release notes](https://github.com/pypa/trove-classifiers/releases) - [Commits](pypa/trove-classifiers@2025.1.7.14...2025.1.10.15) --- updated-dependencies: - dependency-name: trove-classifiers dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit f3fd262) Add optional --image-file-dir to store loaded files elsewhere (#45564) While backorting the "pull_request_target" removal to v2-10-test branches it turned out that there is not enough disk space on Public runner to load all 5 images and keep the file dump at the same time in the same filesystem. This PR allows to choose where the load/save files will be stored and in the github runner environment we store the files in "/mnt" wnich is a separate folder with 40GB free. (cherry picked from commit 6628049) Fix --from-pr feature for image load and stabilize help This is a follow-up after #45564 - it fixes the `--from-pr` and `--from-run` to work (it was failing with file does not exist). Also found out that gettempdir might return different directory depending on which is your designated tmp directory (for example in MacOS this is is a longer path in /var/.....) - so we have to force the default during help generation to always return "/tmp" so that the --help images do not change depending on which system you are and what your tmp directory is.
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
This is a bulk change that synchronizes dev/ci scripts for v2-10-test branch with main #45266 - including follow-ups. Rather than cherry-picking relevant PRs, this one gets the latest version of the scripts from main and updates the branch with some changes to adapt them to v2-10-test (such as bringing back python 3.8 support, removing some providers checks after the bulk move of providers and making sure all tests are passing. This is far easier than cherry-picking the changes, because for the v2-10-test we stopped cherry-picking CI changes which was deemed unnecessary (we used to do it for all previous branches) but this made it far more difficult (if not impossible) to cherry-pick individual changes. Fortunately, the CI scripts are maintained in the way that their latest version **should** in principle work for a v2-* branch and hopefully after just a few adjustments we should be able to synchronize the changes from main by updating all relevant CI/DEV scripts, dockerfile images, workflows, pre-commits etc. Add actions in codeql workflows to scan github workflow actions (#45534) * add actions in codeql workflows to scan github workflow actions * add actions in codeql workflows to scan github workflow actions CodeQL scanning can run always on all code (#45541) The CodeQL scannig is fast and having custom configuration to select which scanning to run should be run makes it unnecessarily complex We can just run all CodeQL scans always. This has been suggested by actions codeql scan itself. Add explicit permissions for all workflow-run workflows (#45548) Those workflows inherit permissions from the calling workflows but it's good to add explicit permissions to indicate what is needed and in case we will also use the workflows for other purposes in the future - default permissions for older repos might be write so it's best to be explicit about the permissions. 
Found by CodeQL scanning Remove contents: write permission from generate-constraints (#45558) The write permission cannot be set for PRs from forks in the call workflow - so we have to come back to implicit permissions and make explicit permissions passing a bit differently. (cherry picked from commit ae32ebc) Bump trove-classifiers from 2025.1.7.14 to 2025.1.10.15 (#45561) Bumps [trove-classifiers](https://github.com/pypa/trove-classifiers) from 2025.1.7.14 to 2025.1.10.15. - [Release notes](https://github.com/pypa/trove-classifiers/releases) - [Commits](pypa/trove-classifiers@2025.1.7.14...2025.1.10.15) --- updated-dependencies: - dependency-name: trove-classifiers dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit f3fd262) Add optional --image-file-dir to store loaded files elsewhere (#45564) While backorting the "pull_request_target" removal to v2-10-test branches it turned out that there is not enough disk space on Public runner to load all 5 images and keep the file dump at the same time in the same filesystem. This PR allows to choose where the load/save files will be stored and in the github runner environment we store the files in "/mnt" wnich is a separate folder with 40GB free. (cherry picked from commit 6628049) Fix --from-pr feature for image load and stabilize help This is a follow-up after #45564 - it fixes the `--from-pr` and `--from-run` to work (it was failing with file does not exist). Also found out that gettempdir might return different directory depending on which is your designated tmp directory (for example in MacOS this is is a longer path in /var/.....) - so we have to force the default during help generation to always return "/tmp" so that the --help images do not change depending on which system you are and what your tmp directory is.
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk
added a commit
that referenced
this pull request
Jan 11, 2025
potiuk added a commit that referenced this pull request Jan 11, 2025
potiuk added a commit that referenced this pull request Jan 12, 2025
potiuk added a commit that referenced this pull request Jan 12, 2025
potiuk added a commit that referenced this pull request Jan 12, 2025
agupta01 pushed a commit to agupta01/airflow that referenced this pull request Jan 13, 2025
karenbraganz pushed a commit to karenbraganz/airflow that referenced this pull request Jan 13, 2025
HariGS-DB pushed a commit to HariGS-DB/airflow that referenced this pull request Jan 16, 2025
dauinh pushed a commit to dauinh/airflow that referenced this pull request Jan 24, 2025