From 62a279da5184dcc6b166b976c8cd6f7069140348 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 27 Apr 2023 13:43:38 +0900 Subject: [PATCH 1/3] Added CodeQL code --- .github/workflows/ci.yml | 154 ----------------------------------- .github/workflows/codeql.yml | 31 +++++++ 2 files changed, 31 insertions(+), 154 deletions(-) delete mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index a340ec11c..000000000 --- a/.github/workflows/ci.yml +++ /dev/null @@ -1,154 +0,0 @@ -name: CI - -on: - workflow_dispatch: {} - push: - branches: - - master - - beta - - sdk-release/** - - feature/** - tags: - - v[0-9]+.[0-9]+.[0-9]+* - pull_request: - branches: - - master - - beta - - sdk-release/** - - feature/** - -jobs: - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Python 3 - uses: actions/setup-python@v4 - with: - python-version: "3.10" - - name: lint - run: make lint - - name: fmtcheck - run: make fmtcheck - - build: - name: Build - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Set up Python 3 - uses: actions/setup-python@v4 - with: - python-version: "3.10" - - - name: Install tools - run: make venv - - - name: Build and check package - run: | - set -x - source venv/bin/activate - python setup.py clean --all sdist bdist_wheel --universal - python -m twine check dist/* - - - name: 'Upload Artifact' - uses: actions/upload-artifact@v3 - with: - name: dist - path: dist/ - - test: - name: Test - # Specific ubuntu version to support python 3.6 testing - # see https://github.com/actions/setup-python/issues/544#issuecomment-1332535877 for details - # move to ubuntu-latest when we drop 3.6 - runs-on: ubuntu-20.04 - strategy: - matrix: - python-version: - [ - "2.7", - "3.6", - "3.7", - "3.8", - "3.9", - "3.10", - "pypy-2.7", - "pypy-3.7", - "pypy-3.8", - ] - - steps: - - uses: actions/checkout@v3 - - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 - with: - python-version: ${{ matrix.python-version }} - cache: "pip" - cache-dependency-path: "setup.py" - - - name: Upgrade pip and virtualenv to latest - run: pip install --upgrade pip virtualenv - - - uses: stripe/openapi/actions/stripe-mock@master - - - name: Test with pytest - run: make ci-test - - - name: Calculate and publish coverage - run: make coveralls - if: env.COVERALLS_REPO_TOKEN && matrix.python-version == '3.10' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }} - - publish: - name: Publish - if: >- - ((github.event_name == 'workflow_dispatch') || (github.event_name == 'push')) && - startsWith(github.ref, 'refs/tags/v') && - endsWith(github.actor, '-stripe') - needs: [build, test, lint] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Download all workflow run artifacts - uses: actions/download-artifact@v3 - with: - name: dist - path: dist - - name: Set up Python 3 - uses: actions/setup-python@v4 - with: - python-version: "3.10" - - - name: Configure GPG Key - run: | - set -ex - echo $GPG_SIGNING_PRIVKEY | base64 --decode | gpg --import --batch --yes --pinentry-mode loopback --passphrase "$GPG_SIGNING_PASSPHRASE" - env: - GPG_SIGNING_PRIVKEY: ${{ secrets.GPG_SIGNING_PRIVKEY }} - GPG_SIGNING_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }} - - name: Install tools - run: make venv - - name: Publish packages to PyPy - run: | - set -ex - source venv/bin/activate - export VERSION=$(cat VERSION) - gpg --detach-sign --local-user $GPG_SIGNING_KEYID --pinentry-mode loopback --passphrase $GPG_SIGNING_PASSPHRASE -a dist/stripe-$VERSION.tar.gz - gpg --detach-sign --local-user $GPG_SIGNING_KEYID --pinentry-mode loopback --passphrase $GPG_SIGNING_PASSPHRASE -a dist/stripe-$VERSION-py2.py3-none-any.whl - - python -m twine upload --verbose dist/stripe-$VERSION.tar.gz dist/stripe-$VERSION-py2.py3-none-any.whl dist/stripe-$VERSION.tar.gz.asc dist/stripe-$VERSION-py2.py3-none-any.whl.asc - env: - GPG_SIGNING_KEYID: ${{ secrets.GPG_SIGNING_KEYID }} - TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }} - TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} - GPG_SIGNING_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }} - - uses: stripe/openapi/actions/notify-release@master - if: always() - with: - bot_token: ${{ secrets.SLACK_BOT_TOKEN }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..d947d3df6 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,31 @@ +jobs: + analyze: + name: Analyze + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + queries: security-and-quality + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + strategy: + fail-fast: false + matrix: + language: + - python + timeout-minutes: 12000 +name: CodeQL +'on': + push: + branches: + - master From 8a09534b77d1c155b21bf8cd96b95c9b23d874e8 Mon Sep 17 00:00:00 2001 From: Arpit Jain <40381412+arpitjain799@users.noreply.github.com> Date: Fri, 28 Apr 2023 06:08:28 +0900 Subject: [PATCH 2/3] Delete .github/workflows/codeql.yml --- .github/workflows/codeql.yml | 31 ------------------------------- 1 file changed, 31 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index d947d3df6..000000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,31 +0,0 @@ -jobs: - analyze: - name: Analyze - permissions: - actions: read - contents: read - security-events: write - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - queries: security-and-quality - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - strategy: - fail-fast: false - matrix: - language: - - python - timeout-minutes: 12000 -name: CodeQL -'on': - push: - branches: - - master From 7b9d16e535388f18f71d022b20043b4a6b67171d Mon Sep 17 00:00:00 2001 From: Arpit Jain <40381412+arpitjain799@users.noreply.github.com> Date: Fri, 28 Apr 2023 06:08:30 +0900 Subject: [PATCH 3/3] Add new file --- .github/workflows/codeql.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..94d110b33 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,37 @@ +name: "CodeQL" +on: + workflow_dispatch: + #push: + # branches: [master] + #pull_request: + # branches: [master] + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["python"] + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + queries: security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 \ No newline at end of file