6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -7,11 +7,11 @@ jobs:
strategy:
matrix:
os: [ubuntu-latest]
python-version: [3.7, 3.8]
python-version: ['3.12']
platform: [x64]
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v2
- uses: actions/checkout@v4
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability

By default, actions/checkout persists a GitHub token in the checked-out repository's .git/config file so subsequent git operations can authenticate. This token typically has write access to repository contents. The credential remains on the runner filesystem for all subsequent steps, meaning a compromised or malicious step could exfiltrate it. Additionally, if an actions/upload-artifact step packages the workspace -- including the .git directory -- into an artifact, the credential becomes downloadable by anyone with access. While the default GITHUB_TOKEN expires after the workflow run completes, this pattern is especially dangerous when a repository configures long-lived credentials such as personal access tokens (PATs) or deploy keys, which would remain valid well beyond the run.

Recommendation: For actions/checkout findings, add persist-credentials: false in a with block directly under the uses line to prevent the token from being written to .git/config. For actions/upload-artifact findings, the suggested auto-fix (persist-credentials: false) is not a valid parameter for that action; instead, ensure the preceding actions/checkout step sets persist-credentials: false, and scope the artifact path to specific build output folders so .git is never included. If later steps need authenticated git operations, pass the token as a step-level environment variable (e.g., env: with GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}) rather than persisting it in the repository config where every subsequent step can access it.

Severity: Medium ⚠️
Status: Open 🔴

References:

  1. https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/

More details:

🌻 View in Arnica


Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

To acknowledge the finding as a valid code risk: [arnica] ack <acknowledge additional details>

To dismiss the risk with a reason: [arnica] dismiss <fp|accept|capacity> <dismissal reason>

Examples

  • [arnica] ack This is a valid risk and I'm looking into it

  • [arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive)

  • [arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system

  • [arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
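The hardening the Arnica comment describes, written out as one job. This is an added example, not part of this PR, the kubeluigi project, or Arnica's output; the job name, the "Build" and "Fetch tags" steps, and the `dist/` artifact path are assumptions. It shows the checkout step with `persist-credentials: false`, an artifact upload scoped to build output so `.git` is never packaged, the token scoped to the single step that needs it via `env:`, and a job-level `permissions:` block (added here as a further least-privilege measure beyond the comment's three recommendations) that drops the default write scope of `GITHUB_TOKEN`:

```yaml
# Added example (not the project's own workflow). Step names and the dist/ path are assumed.
jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: the default GITHUB_TOKEN has write access to contents;
    # read-only is enough for checkout, build and artifact upload.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not write the token into .git/config on the runner, so later
          # steps (and any packaged workspace) cannot read it from there.
          persist-credentials: false

      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Build  # assumed step
        run: |
          python -m pip install build
          python -m build --outdir dist/

      # Scope the artifact to build output only; never upload the whole
      # workspace, which would include .git (and any persisted credential).
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

      # If one step genuinely needs an authenticated git operation, hand it the
      # token through a step-level env var instead of the repository config.
      # The header below is the same form actions/checkout would have persisted.
      - name: Fetch tags  # assumed step
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          AUTH="$(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)"
          git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${AUTH}" \
            fetch --tags origin
```

The token is in scope only for the "Fetch tags" step's process environment; it never lands on disk, so a later step or an uploaded artifact cannot pick it up.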

- uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Preparing environment
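Review bot: the upgraded `- uses: actions/checkout@v4` step still lets the action persist the workflow token in `.git/config`, which is exactly the finding raised in the inline comment above; add a `with:` block directly under that line with `persist-credentials: false`, matching the pattern already used for `actions/setup-python@v5` a few lines further down. Separately, the matrix now tests only `'3.12'` after dropping `3.7` and `3.8` with nothing in between; if the package is meant to keep working on 3.9 through 3.11, list those too. Keeping the versions quoted as strings is correct and worth preserving (an unquoted `3.10` would be parsed by YAML as the number 3.1).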
2 changes: 1 addition & 1 deletion noxfile.py
Expand Up @@ -2,7 +2,7 @@

TEST_DEPENDENCIES = ["pytest", "mock"]

@nox.session(python=['3.7', '3.8'])
@nox.session(python=['3.12'])
def tests(session):
session.install(".")
session.install(*TEST_DEPENDENCIES)
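Review bot: `TEST_DEPENDENCIES` still installs the third-party `mock` package even though the session now runs only on `'3.12'`, where `unittest.mock` in the standard library provides the same API; unless the backport is needed for some other reason, drop it from the list and import `from unittest import mock` in the tests. Note also that the supported interpreter is now hardcoded in three places (this `@nox.session` list, the CI matrix in `.github/workflows/ci.yml`, and the classifiers in `setup.py`), so a future version bump has to touch all three to stay consistent.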
7 changes: 3 additions & 4 deletions setup.py
Expand Up @@ -15,7 +15,7 @@ def run_tests(self):
sys.exit(pytest.main(self.test_args))


version = "1.0.5"
version = "1.0.9"

setup(
name="kubeluigi",
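Review bot: the bump from `version = "1.0.5"` to `version = "1.0.9"` is a patch-level change, but this PR also drops support for Python 3.7 and 3.8 (see the classifier change in the next hunk), which users on those interpreters will experience as a breaking change; a minor or major bump, with a changelog entry that names the new minimum Python version, signals that more honestly. If 1.0.6 through 1.0.8 were never published, the skipped numbers are also worth explaining in the PR description so release history stays readable.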
Expand All @@ -26,8 +26,7 @@ def run_tests(self):
long_description_content_type="text/markdown",
classifiers=[
"Development Status :: 4 - Beta",
"Programming Language :: Python :: 3.7",
"Programming Language :: Python :: 3.8",
"Programming Language :: Python :: 3.12",
"Programming Language :: Python",
"Intended Audience :: Developers",
"License :: OSI Approved :: Apache Software License",
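Review bot: swapping the `Programming Language :: Python :: 3.7` and `3.8` classifiers for `3.12` only changes informational metadata; pip does not consult classifiers when deciding whether a release is installable. To actually enforce the new floor, add `python_requires=">=3.12"` to the `setup()` call (if it is not already set in the lines not shown here), so that pip on an older interpreter resolves to an earlier release instead of installing this one and failing at runtime.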
Expand All @@ -40,6 +39,6 @@ def run_tests(self):
license="Apache License 2.0",
packages=find_packages(exclude=["tests"]),
cmdclass={"test": PyTest},
install_requires=["kubernetes>=17.17.0", "luigi", "PyYaml==5.4.1"],
install_requires=["kubernetes>=17.17.0", "luigi", "PyYaml>=6.0.1"],
entry_points={},
)
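Review bot: relaxing `"PyYaml==5.4.1"` to `"PyYaml>=6.0.1"` is the right direction for a library's `install_requires` (an exact pin forces version conflicts on downstream users), but PyYAML 6.0 made the `Loader` argument of `yaml.load()` mandatory, so any `yaml.load(data)` call in the package that passes no `Loader=` will now raise `TypeError`; check the package for such calls and switch them to `yaml.safe_load` wherever the input comes from outside the process (Kubernetes manifests, user-supplied task configuration), which also avoids constructing arbitrary Python objects from untrusted YAML. The unchanged `"kubernetes>=17.17.0"` floor is fine, but consider whether the test suite was actually run against a current `kubernetes` client on 3.12 before merging.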