19 changes: 16 additions & 3 deletions .github/workflows/lint.yml
@@ -2,16 +2,29 @@ name: lint
on:
pull_request:

permissions:
contents: read

jobs:
flake8:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v2
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: 3.9
python-version: "3.10"

- uses: TrueBrain/actions-flake8@v2
with:
flake8_version: 6.0.0
plugins: flake8-isort==6.0.0

ruff-format:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: astral-sh/ruff-action@v3
with:
version: "~=0.13.3"
args: format --check --diff --output-format=github
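Review bot: the two jobs check out the repository with different action majors, `actions/checkout@v6` in flake8 and `actions/checkout@v4` in ruff-format; align them on one version. Since `TrueBrain/actions-flake8@v2` and `astral-sh/ruff-action@v3` are third-party actions referenced by a mutable tag, consider pinning each `uses:` to a full commit SHA (keeping the tag in a trailing comment) so a moved or retagged release cannot silently change what runs on every pull request. The root-level `permissions:` / `contents: read` added here is the right scope for lint-only jobs.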
Comment on lines +23 to +30

Code scanning / CodeQL: check warning, "Workflow does not contain permissions" (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 10 days ago)

In general, the fix is to explicitly declare the minimal required GITHUB_TOKEN permissions in the workflow, either at the workflow root (applied to all jobs) or per job. Since both jobs only require read access to repository contents, we can set permissions: contents: read at the top level so both flake8 and ruff-format jobs inherit it.

The best fix without changing functionality is to add a root-level permissions block right after the on: section in .github/workflows/lint.yml. This will constrain the GITHUB_TOKEN for all jobs to read-only repository contents, matching the CodeQL suggestion. No imports or additional methods are needed; this is purely a YAML configuration change.

Concretely, in .github/workflows/lint.yml, after line 3 (pull_request:) and before line 5 (jobs:), insert:

permissions:
  contents: read

This documents and enforces least-privilege permissions for the workflow.

Suggested changeset 1: .github/workflows/lint.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   flake8:
     runs-on: ubuntu-latest
EOF
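Review bot: this suggested hunk inserts a root-level `permissions:` / `contents: read` block between `pull_request:` and `jobs:`, but the PR's own lint.yml diff already adds exactly that block at exactly that position, so applying the patch to the current revision would produce a duplicate top-level `permissions` key and the CodeQL finding no longer applies; dismiss it as outdated rather than applying it.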
Unable to commit as this autofix suggestion is now outdated
Contributor
Doesn't it though? >.<

permissions:
  contents: read

33 changes: 18 additions & 15 deletions .github/workflows/test.yml
@@ -6,26 +6,29 @@ on:
branches:
- main

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v1
with:
python-version: 3.9
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: "3.10"

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Install dependencies
run: |
python -m pip install uv
uv sync

- run: pip install pytest-github-actions-annotate-failures
- run: uv pip install pytest-github-actions-annotate-failures

- run: py.test --cov=rain_api_core --cov-report=term-missing --cov-report=xml --cov-branch --doctest-modules rain_api_core tests
- run: uv run pytest --cov=src/rain_api_core --cov-report=term-missing --cov-report=xml --cov-branch --doctest-modules src/rain_api_core tests

- name: Report coverage
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
- name: Report coverage
uses: codecov/codecov-action@v6
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
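Review bot: `uv sync` resolves from `uv.lock`, but this PR also adds `uv.lock` to .gitignore, so the lockfile is never committed and every CI run resolves fresh against the `~=` ranges in pyproject.toml; that makes test results non-reproducible and lets a newly published dependency release land in CI unreviewed. Either commit `uv.lock` and run `uv sync --locked`, or accept floating resolution deliberately. The separate `uv pip install pytest-github-actions-annotate-failures` step also installs an unpinned package outside the project definition; moving it into the `dev` dependency group keeps it under the same lock.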
4 changes: 4 additions & 0 deletions .gitignore
@@ -1,6 +1,7 @@
# Python
*.pyc
.venv
uv.lock

# IDE
.idea
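Review bot: ignoring `uv.lock` here conflicts with the `uv sync` step added to test.yml, which expects a committed lockfile for reproducible installs; leaving the lock untracked is acceptable for a library, but then CI is testing whatever resolves on the day. Drop this line if the lockfile is meant to be committed.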
@@ -11,3 +12,6 @@
# Tests
.hypothesis
.coverage

# Other
build
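Review bot: the `build` pattern without a trailing slash also ignores any file named `build` anywhere in the tree, not just the build output directory; `build/` is the narrower, intended match.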
10 changes: 2 additions & 8 deletions extra/policy_gen_sandbox.py
@@ -46,10 +46,7 @@ def handle_text():
tk.Label(frm_content, text="Bucket map YAML").grid(row=0, column=0)

txt_bucketmap = tk.Text(frm_content)
txt_bucketmap.bind(
"<Key>",
lambda _: window.after(1, handle_text)
)
txt_bucketmap.bind("<Key>", lambda _: window.after(1, handle_text))
txt_bucketmap.grid(row=1, column=0, sticky="nsew")

# Policy panel
@@ -65,10 +62,7 @@ def handle_text():
tk.Label(frm_groups, text="User Groups: ").grid(row=0, column=0)
var_group = tk.StringVar(value="null")
entry_groups = tk.Entry(frm_groups, textvariable=var_group)
entry_groups.bind(
"<Key>",
lambda _: window.after(1, handle_text)
)
entry_groups.bind("<Key>", lambda _: window.after(1, handle_text))
entry_groups.grid(row=0, column=1)

# Minified size indicator
30 changes: 30 additions & 0 deletions pyproject.toml
@@ -0,0 +1,30 @@
[build-system]
requires = ["uv_build>=0.10.2,<0.11.0"]
build-backend = "uv_build"

[project]
name = "rain-api-core"
version = "0.1.0"
description = "RAIN API Core"
readme = "README.md"
authors = [
{ name = "Rohan Weeden", email = "reweeden@alaska.edu" }
]
requires-python = "~=3.10"
dependencies = [
"cachetools~=5.0",
"jinja2~=3.0",
"netaddr~=1.0",
"pyjwt[crypto]~=2.0",
"pyyaml~=6.0",
]

[dependency-groups]
dev = [
"boto3~=1.35",
"hypothesis~=6.112",
"moto~=5.0",
"pytest~=8.3",
"pytest-cov~=5.0",
"pytest-mock~=3.14",
]
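Review bot: `pytest-github-actions-annotate-failures`, which test.yml installs ad hoc with `uv pip install`, is missing from the `dev` group; add it here so it is resolved and locked together with the other dev dependencies. `requires-python = "~=3.10"` means `>=3.10,<4` while test.yml exercises only `python-version: "3.10"`, so the upper end of that declared range is untested; either tighten the specifier or test a newer interpreter as well.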