diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1d781a..30fb029 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,12 +22,14 @@ jobs: python-version: ["3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Install Poetry run: pipx install poetry==1.7.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ matrix.python-version }} cache: poetry diff --git a/.github/workflows/deploy_mkdocs.yml b/.github/workflows/deploy_mkdocs.yml index 576ff96..08d8301 100644 --- a/.github/workflows/deploy_mkdocs.yml +++ b/.github/workflows/deploy_mkdocs.yml @@ -5,22 +5,23 @@ on: push: branches: - main + - KEH-2326_zizmor_update permissions: contents: write jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Configure Git Credentials run: | git config user.name github-actions[bot] git config user.email 41898282+github-actions[bot]@users.noreply.github.com - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: 3.x - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: key: mkdocs-material-${{ env.cache_id }} path: .cache diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml index 982a9ea..8a272f4 100644 --- a/.github/workflows/megalinter.yml +++ b/.github/workflows/megalinter.yml 
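Review bot: The trailing `# v4` / `# v5` comments on the pinned `uses:` lines name a moving major tag, so nothing on the line records which release the 40-character SHA was resolved from, and a reviewer cannot check the pin without looking it up. Writing the exact release in the comment, e.g. `- uses: actions/checkout@<sha> # v4.x.y` (placeholder: use the tag the SHA was taken from), keeps the pin auditable and lets update tooling bump SHA and comment together. The same applies to the pins in deploy_mkdocs.yml and megalinter.yml. Separately, the unchanged `pipx install poetry==1.7.1` step now sits beside a poetry.lock generated by Poetry 2.3.2, so it is worth confirming that CI's Poetry reads that lock file as intended.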
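Review bot: The added `- KEH-2326_zizmor_update` entry under `on.push.branches` makes every push to that feature branch run this deploy job with `contents: write`. It looks like a test trigger left in and should be dropped before merge so that only `main` can publish. The checkout in this job is also the only one in the commit left without `persist-credentials: false`. If the deploy step (outside this hunk) pushes with the persisted token, that is intentional, and a comment such as `# credentials are persisted on purpose: the deploy step pushes with them` would stop the next audit from flagging it. The unchanged redirect could also be quoted as `>> "$GITHUB_ENV"`.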
@@ -66,9 +66,10 @@ jobs: steps: # Git Checkout - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} + persist-credentials: false # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to # improve performance @@ -85,8 +86,8 @@ jobs: # You can override MegaLinter flavor used to have faster performances # More info at https://megalinter.io/latest/flavors/ - # The below commit hash is v8.8.0 - uses: oxsecurity/megalinter@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 + # The below commit hash is v9.5.0 + uses: oxsecurity/megalinter@0e3ce9b9c8c10effb9b269509cc47ca17cae31c7 id: ml @@ -114,7 +115,7 @@ jobs: # Upload MegaLinter artifacts - name: Archive production artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: success() || failure() with: name: MegaLinter reports @@ -158,9 +159,12 @@ jobs: github.event.pull_request.head.repo.full_name == github.repository ) && !contains(github.event.head_commit.message, 'skip fix') + env: + PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }} + PR_URL: ${{ steps.cpr.outputs.pull-request-url }} run: | - echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" - echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}" + echo "PR Number - $PR_NUMBER" + echo "PR URL - $PR_URL" # Push new commit if applicable # (for now works only on PR from same repository, not from forks) diff --git a/.mega-linter.yml b/.mega-linter.yml index 90c5269..b0c1c37 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -9,6 +9,9 @@ APPLY_FIXES: all FORMATTERS_DISABLE_ERRORS: false +ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: + - GITHUB_TOKEN + # If you use ENABLE variable, all other languages/formats/tooling-formats will # be disabled by default # ENABLE: diff --git a/README.md b/README.md index f6f85f8..1b80622 100644 --- a/README.md +++ b/README.md 
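Review bot: Adding `persist-credentials: false` to the checkout that is given `token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}` means the token is no longer left in the local git config, so any later step that pushes with plain git will have no credentials. The workflow still has a "Push new commit if applicable" step further down (visible only as trailing context in the last hunk of this file; its body is outside the diff), and `.mega-linter.yml` sets `APPLY_FIXES: all`. If that step relies on the checkout's credentials, the auto-fix push will start failing. Either pass the token to that step explicitly, or confirm a fix run on a same-repository pull request before merging.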
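Review bot: The new `ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES` entry in `.mega-linter.yml` has no comment explaining why `GITHUB_TOKEN` is handed to the zizmor linter, and the setting loosens MegaLinter's default of hiding credentials from linter processes. A comment above it such as `# zizmor needs GITHUB_TOKEN for its online audits; exposed to this linter only` would record the intent. It is also worth confirming which secret the workflow exports as `GITHUB_TOKEN` (the job's env block is outside this diff), so that a broader-scoped PAT is not what ends up being passed through.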
@@ -97,37 +97,37 @@ To run the Lambda function outside of a container, we need to execute the `handl 2. Sign in with AWS SSO, and export the correct profile for this service: - ```bash - aws sso login + ```bash + aws sso login - export AWS_PROFILE=github-copilot-usage-lambda - ``` + export AWS_PROFILE=github-copilot-usage-lambda + ``` - This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile. + This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile. - **Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine. + **Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine. 3. Export the required environment variables: - ```bash - export AWS_DEFAULT_REGION=eu-west-2 - export AWS_SECRET_NAME= - export AWS_ACCOUNT_NAME= - export GITHUB_ORG=ONSDigital - export GITHUB_APP_CLIENT_ID= - ``` + ```bash + export AWS_DEFAULT_REGION=eu-west-2 + export AWS_SECRET_NAME= + export AWS_ACCOUNT_NAME= + export GITHUB_ORG=ONSDigital + export GITHUB_APP_CLIENT_ID= + ``` 4. Run the script. - ```bash - python3 src/main.py - ``` + ```bash + python3 src/main.py + ``` 5. To exit the profile: - ```bash - unset AWS_PROFILE - ``` + ```bash + unset AWS_PROFILE + ``` ### Running in a container diff --git a/concourse/scripts/terraform_infra.sh b/concourse/scripts/terraform_infra.sh index 16c1a17..b3f65ff 100644 --- a/concourse/scripts/terraform_infra.sh +++ b/concourse/scripts/terraform_infra.sh 
@@ -22,6 +22,7 @@ github_org=$(echo "$secrets" | jq -r .github_org) export AWS_ACCESS_KEY_ID="$aws_access_key_id" export AWS_SECRET_ACCESS_KEY="$aws_secret_access_key" +# kingfisher:ignore git config --global url."https://x-access-token:$github_access_token@github.com/".insteadOf "https://github.com/" if [ "${env}" != "prod" ]; then diff --git a/mkdocs.yml b/mkdocs.yml index aa283ec..7393734 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -7,7 +7,9 @@ repo_name: GitHub Copilot Usage Lambda nav: - Home: "index.md" - Documentation: "documentation.md" - - Team Usage: "team_usage.md" + - Technical Documentation: + - Overview: "technical_documentation/overview.md" + - Configuration: "technical_documentation/configuration.md" theme: name: material language: en diff --git a/poetry.lock b/poetry.lock index f5935d0..40d83c1 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand. [[package]] name = "astroid" @@ -375,7 +375,7 @@ files = [ {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, ] -markers = {dev = "platform_system == \"Windows\" or sys_platform == \"win32\""} +markers = {dev = "sys_platform == \"win32\" or platform_system == \"Windows\""} [[package]] name = "coverage" 
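Review bot: The added `# kingfisher:ignore` silences the secret scanner on the `git config --global url."https://x-access-token:$github_access_token@github.com/"` line without saying why the finding is acceptable. A separate comment line above the directive, e.g. `# token is injected at runtime; no literal credential is committed here`, would make the suppression reviewable. The suppressed line still writes the expanded token into the global git config of whatever environment runs this script. If that environment can be reused, it may be worth removing the `insteadOf` entry once the Terraform steps finish. The rest of the script is outside this hunk.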
@@ -616,19 +616,19 @@ reference = "v2.0.3" resolved_reference = "101a7fd5c2239ba8b18b5f5bc7bbd70f804fe43f" [[package]] -name = "griffe" -version = "1.9.0" +name = "griffelib" +version = "2.0.2" description = "Signatures for entire Python programs. Extract the structure, the frame, the skeleton of your project, to generate API documentation or find breaking changes in your API." optional = false -python-versions = ">=3.9" +python-versions = ">=3.10" groups = ["docs"] files = [ - {file = "griffe-1.9.0-py3-none-any.whl", hash = "sha256:bcf90ee3ad42bbae70a2a490c782fc8e443de9b84aa089d857c278a4e23215fc"}, - {file = "griffe-1.9.0.tar.gz", hash = "sha256:b5531cf45e9b73f0842c2121cc4d4bcbb98a55475e191fc9830e7aef87a920a0"}, + {file = "griffelib-2.0.2-py3-none-any.whl", hash = "sha256:925c857658fb1ba40c0772c37acbc2ab650bd794d9c1b9726922e36ea4117ea1"}, + {file = "griffelib-2.0.2.tar.gz", hash = "sha256:3cf20b3bc470e83763ffbf236e0076b1211bac1bc67de13daf494640f2de707e"}, ] -[package.dependencies] -colorama = ">=0.4" +[package.extras] +pypi = ["pip (>=24.0)", "platformdirs (>=4.2)", "wheel (>=0.42)"] [[package]] name = "idna" 
@@ -900,33 +900,33 @@ pyyaml = ">=5.1" [[package]] name = "mkdocs-material" -version = "9.6.16" +version = "9.7.6" description = "Documentation that simply works" optional = false python-versions = ">=3.8" groups = ["docs"] files = [ - {file = "mkdocs_material-9.6.16-py3-none-any.whl", hash = "sha256:8d1a1282b892fe1fdf77bfeb08c485ba3909dd743c9ba69a19a40f637c6ec18c"}, - {file = "mkdocs_material-9.6.16.tar.gz", hash = "sha256:d07011df4a5c02ee0877496d9f1bfc986cfb93d964799b032dd99fe34c0e9d19"}, + {file = "mkdocs_material-9.7.6-py3-none-any.whl", hash = "sha256:71b84353921b8ea1ba84fe11c50912cc512da8fe0881038fcc9a0761c0e635ba"}, + {file = "mkdocs_material-9.7.6.tar.gz", hash = "sha256:00bdde50574f776d328b1862fe65daeaf581ec309bd150f7bff345a098c64a69"}, ] [package.dependencies] -babel = ">=2.10,<3.0" -backrefs = ">=5.7.post1,<6.0" -colorama = ">=0.4,<1.0" -jinja2 = ">=3.1,<4.0" -markdown = ">=3.2,<4.0" -mkdocs = ">=1.6,<2.0" -mkdocs-material-extensions = ">=1.3,<2.0" -paginate = ">=0.5,<1.0" -pygments = ">=2.16,<3.0" -pymdown-extensions = ">=10.2,<11.0" -requests = ">=2.26,<3.0" +babel = ">=2.10" +backrefs = ">=5.7.post1" +colorama = ">=0.4" +jinja2 = ">=3.1" +markdown = ">=3.2" +mkdocs = ">=1.6,<2" +mkdocs-material-extensions = ">=1.3" +paginate = ">=0.5" +pygments = ">=2.16" +pymdown-extensions = ">=10.2" +requests = ">=2.30" [package.extras] -git = ["mkdocs-git-committers-plugin-2 (>=1.1,<3)", "mkdocs-git-revision-date-localized-plugin (>=1.2.4,<2.0)"] -imaging = ["cairosvg (>=2.6,<3.0)", "pillow (>=10.2,<11.0)"] -recommended = ["mkdocs-minify-plugin (>=0.7,<1.0)", "mkdocs-redirects (>=1.2,<2.0)", "mkdocs-rss-plugin (>=1.6,<2.0)"] +git = ["mkdocs-git-committers-plugin-2 (>=1.1)", "mkdocs-git-revision-date-localized-plugin (>=1.2.4)"] +imaging = ["cairosvg (>=2.6)", "pillow (>=10.2)"] +recommended = ["mkdocs-minify-plugin (>=0.7)", "mkdocs-redirects (>=1.2)", "mkdocs-rss-plugin (>=1.6)"] [[package]] name = "mkdocs-material-extensions" 
@@ -967,20 +967,20 @@ python-legacy = ["mkdocstrings-python-legacy (>=0.2.1)"] [[package]] name = "mkdocstrings-python" -version = "1.16.12" +version = "2.0.4" description = "A Python handler for mkdocstrings." optional = false -python-versions = ">=3.9" +python-versions = ">=3.10" groups = ["docs"] files = [ - {file = "mkdocstrings_python-1.16.12-py3-none-any.whl", hash = "sha256:22ded3a63b3d823d57457a70ff9860d5a4de9e8b1e482876fc9baabaf6f5f374"}, - {file = "mkdocstrings_python-1.16.12.tar.gz", hash = "sha256:9b9eaa066e0024342d433e332a41095c4e429937024945fea511afe58f63175d"}, + {file = "mkdocstrings_python-2.0.4-py3-none-any.whl", hash = "sha256:fd87c173e1e719a85997b6d4f852cdc55f36710e0ed08da3a7bd9abe79c9db00"}, + {file = "mkdocstrings_python-2.0.4.tar.gz", hash = "sha256:58c73c5d358e64e9b1673447663f4a2f8a8941e392e225fc0a0c893758cc452f"}, ] [package.dependencies] -griffe = ">=1.6.2" +griffelib = ">=2.0" mkdocs-autorefs = ">=1.4" -mkdocstrings = ">=0.28.3" +mkdocstrings = ">=0.30" [[package]] name = "mypy" 
@@ -1206,20 +1206,20 @@ extra = ["pygments (>=2.19.1)"] [[package]] name = "pytest" -version = "8.4.1" +version = "9.0.3" description = "pytest: simple powerful testing with Python" optional = false -python-versions = ">=3.9" +python-versions = ">=3.10" groups = ["dev"] files = [ - {file = "pytest-8.4.1-py3-none-any.whl", hash = "sha256:539c70ba6fcead8e78eebbf1115e8b589e7565830d7d006a8723f19ac8a0afb7"}, - {file = "pytest-8.4.1.tar.gz", hash = "sha256:7c67fd69174877359ed9371ec3af8a3d2b04741818c51e5e99cc1742251fa93c"}, + {file = "pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9"}, + {file = "pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c"}, ] [package.dependencies] colorama = {version = ">=0.4", markers = "sys_platform == \"win32\""} -iniconfig = ">=1" -packaging = ">=20" +iniconfig = ">=1.0.1" +packaging = ">=22" pluggy = ">=1.5,<2" pygments = ">=2.7.2" @@ -1478,10 +1478,10 @@ files = [ ] [package.dependencies] -botocore = ">=1.37.4,<2.0a.0" +botocore = ">=1.37.4,<2.0a0" [package.extras] -crt = ["botocore[crt] (>=1.37.4,<2.0a.0)"] +crt = ["botocore[crt] (>=1.37.4,<2.0a0)"] [[package]] name = "six" @@ -1583,4 +1583,4 @@ watchmedo = ["PyYAML (>=3.10)"] [metadata] lock-version = "2.1" python-versions = "^3.12" -content-hash = "5bbd1d6c060d9ff356b8dba9c0442af3649e586b4a26c824f12b697b38c9eb95" +content-hash = "a952fe8e15ce2b0b33fd79336c5ccb06a50bb8114c1178d8232987c495fda0e4" diff --git a/pyproject.toml b/pyproject.toml index 49ac984..7028389 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -28,15 +28,15 @@ urllib3 = "^2.7.0" ruff = "^0.6.5" pylint = "^3.2.7" mypy = "^1.11.2" -pytest = "^8.4.1" +pytest = "^9.0.3" pytest-cov = "^6.2.1" pytest-xdist = "^3.8.0" black = "^26.3.1" [tool.poetry.group.docs.dependencies] mkdocs = "^1.6.0" -mkdocs-material = "^9.5.29" -mkdocstrings-python = "^1.16.12" +mkdocs-material = "^9.7.6" +mkdocstrings-python = "^2.0.4" [build-system] requires = ["poetry-core"]