Release Python SDK v17.0.0 by idimov-keeper · Pull Request #762 · Keeper-Security/secrets-manager

idimov-keeper · 2025-07-11T18:19:34Z

Bump up version to 17.0.0
KSM-566 - Added parsing for KSM tokens with prefix
KSM-628 - Added GraphSync links
KSM-631 - Added links2Remove parameter for files removal
KSM-635 - HTTPError should include response object
Fixed test for new hard-coded client version

* KSM 566 KSM Python SDK: Add parsing for ksm tokens with prefix (#679) * Bump up version to 16.6.7 * KSM-566 Added parsing for KSM tokens with prefix * Fixed test for new harcoded client version

* KSM-628 Added GraphSync links * Adjusted requestLinks in payload

Added tests

Added 533 changelog

Adding missing revision attribute to Record mock. It is consumed via kwarg for maximum compatibility

socket-security · 2025-08-29T20:04:04Z

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

* Merge Python SDK and Helper publishing pipelines with SBOM generation - Combined SDK and Helper publishing into single workflow - Added proper SBOM generation for both packages with all dependencies - Fixed version detection to use setup.py versions (17.0.0 for SDK, 1.0.6 for Helper) - Enhanced SBOM workflow to scan Python virtual environments for complete dependency detection - Commented out old Helper workflow with migration notice * Update .github/workflows/reusable.sbom.workflow.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

.github/workflows/publish.pypi.sdk.yml

+    runs-on: ubuntu-latest
+    outputs:
+      sdk-version: ${{ steps.extract-sdk-version.outputs.version }}
+      helper-version: ${{ steps.extract-helper-version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Extract SDK version
+        id: extract-sdk-version
+        working-directory: ./sdk/python/core
+        run: |
+          VERSION=$(python3 setup.py --version 2>/dev/null || grep -Po 'version\s*=\s*["\x27]\K[^\x27"]*' setup.py)
+          echo "SDK Version: $VERSION"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Extract Helper version
+        id: extract-helper-version
+        working-directory: ./sdk/python/helper
+        run: |
+          VERSION=$(python3 setup.py --version 2>/dev/null || grep -Po 'version\s*=\s*["\x27]\K[^\x27"]*' setup.py)
+          echo "Helper Version: $VERSION"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+  # Generate and upload SBOM for SDK
+  generate-sdk-sbom:


To resolve the issue, you should explicitly declare the permissions: block at the root of the workflow. This will apply to all jobs unless they override it themselves. The minimal required permission for most jobs that only need to check out code is contents: read. Unless a job requires more (e.g., to create releases or modify issues/pull-requests), contents: read is sufficient and safe.

How to fix:

At the very top level of .github/workflows/publish.pypi.sdk.yml (below the name: field, and usually above or below the on: field), add:
permissions: contents: read

If later you discover some jobs need more, you can add a more specific permissions: block under that job.

What to change:

Only edit the workflow YAML as described, no additional methods, imports, or definitions are needed.

.github/workflows/publish.pypi.sdk.yml

+    needs: get-versions
+    uses: ./.github/workflows/reusable.sbom.workflow.yml
+    with:
+      working-directory: ./sdk/python/core
+      project-name: keeper-secrets-manager-python
+      project-type: python
+      project-version: ${{ needs.get-versions.outputs.sdk-version }}
+      sbom-format: spdx-json
+      additional-labels: ksm,sdk,python,security
+    secrets:
+      MANIFEST_TOKEN: ${{ secrets.MANIFEST_TOKEN }}
+
+  # Generate and upload SBOM for Helper
+  generate-helper-sbom:


To address the issue, we should add a permissions: block at the workflow root (so it applies to all jobs) with the minimum permissions required for these jobs. Given the actions performed, many jobs likely only require contents: read (for reading source code), while only those jobs that need to push, create releases, etc. would require elevated write permissions. Since the provided block does not show jobs requiring write actions, a minimal permissions: is sufficient. The fix is to insert, after the name: and on: blocks (before jobs:), a permissions: block such as:

permissions: contents: read

This limits GITHUB_TOKEN to read-only access to repository contents (source code, etc.), following least privilege principles. If additional permissions are later needed by specific jobs, they can override this at the job level.

Steps:

Insert a permissions: block after the name: and on: blocks, before jobs:.

Use the minimal set (contents: read).

.github/workflows/publish.pypi.sdk.yml

+    needs: get-versions
+    uses: ./.github/workflows/reusable.sbom.workflow.yml
+    with:
+      working-directory: ./sdk/python/helper
+      project-name: keeper-secrets-manager-helper
+      project-type: python
+      project-version: ${{ needs.get-versions.outputs.helper-version }}
+      sbom-format: spdx-json
+      additional-labels: ksm,helper,python,security
+    secrets:
+      MANIFEST_TOKEN: ${{ secrets.MANIFEST_TOKEN }}
+
+  # Publish SDK to PyPI
+  publish-sdk:


To fix this problem, the workflow file should have an explicit permissions key defined, either at the top (workflow-level, applies to all jobs unless they override) or on each job as required. Since most of these jobs are using basic tasks and do not appear to push or create content or releases, the minimum necessary is usually contents: read. This setting adheres to the principle of least privilege for most CI workflows.
How to fix:

Add the following block at the top (for root-level, applies to all jobs):
permissions: contents: read

Insert this block after the workflow name and on: section (i.e., before jobs:).

Implementation steps:

Edit .github/workflows/publish.pypi.sdk.yml.

Insert the above lines between lines 3 and 5 (after the last on: line, before jobs:).

No other changes are required unless further restrictions are desired for individual jobs.

idimov-keeper added 5 commits June 3, 2025 13:04

Release Python SDK v16.6.7 (#680)

0f5299a

* KSM 566 KSM Python SDK: Add parsing for ksm tokens with prefix (#679) * Bump up version to 16.6.7 * KSM-566 Added parsing for KSM tokens with prefix * Fixed test for new harcoded client version

Bump up version to 17.0.0

aaabf57

KSM-628 KSM Python SDK: Add Graph Sync links (#763)

b274ae9

* KSM-628 Added GraphSync links * Adjusted requestLinks in payload

KSM-631 Added links2Remove parameter for files removal (#764)

b001690

KSM-635 requests.HTTPError - include response object (#769)

268352a

idimov-keeper mentioned this pull request Jul 17, 2025

requests.HTTPError should include response object for compatibility with standard usage #750

Closed

idimov-keeper and others added 4 commits August 20, 2025 14:37

Update dtos.py

5edc2e3

Added proxy_url param and KSM_PROXY env var support (#788)

1f9d46c

Added tests

Updated README.md

1f9aa0f

Added 533 changelog

Update mock.py

a841456

Adding missing revision attribute to Record mock. It is consumed via kwarg for maximum compatibility

stas-schaller requested a review from maksimu August 28, 2025 02:35

idimov-keeper and others added 3 commits August 28, 2025 12:22

KSM-642 Fixed unexpected passkey entry (helper v1.0.6) (#798)

2ea2612

Removed KSM_PROXY support (#800)

1f239a7

Update README.md

caf8a76

maksimu had a problem deploying to prod August 30, 2025 05:40 — with GitHub Actions Error

github-advanced-security bot found potential problems Sep 2, 2025

View reviewed changes

stas-schaller had a problem deploying to prod September 3, 2025 22:07 — with GitHub Actions Error

maksimu previously approved these changes Sep 3, 2025

View reviewed changes

Merge branch 'master' into release/sdk/python/core/v17.0.0

1093d4b

maksimu dismissed their stale review via 1093d4b September 3, 2025 23:00

stas-schaller temporarily deployed to prod September 4, 2025 02:00 — with GitHub Actions Inactive

stas-schaller temporarily deployed to prod September 4, 2025 18:26 — with GitHub Actions Inactive

maksimu approved these changes Sep 4, 2025

View reviewed changes

maksimu merged commit a77304b into master Sep 4, 2025
38 of 43 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release Python SDK v17.0.0#762

Release Python SDK v17.0.0#762
maksimu merged 14 commits intomasterfrom
release/sdk/python/core/v17.0.0

idimov-keeper commented Jul 11, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Aug 29, 2025 •

edited

Loading

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Steps:

Check warning

Copilot Autofix

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

@@ -1,4 +1,6 @@
             name: Publish to PyPI (Python SDK & Helper)
+            permissions:
+              contents: read
             on:
               workflow_dispatch:

Conversation

idimov-keeper commented Jul 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Aug 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Steps:

Check warning

Copilot Autofix

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

idimov-keeper commented Jul 11, 2025 •

edited

Loading

socket-security bot commented Aug 29, 2025 •

edited

Loading