Release Candidate for next stable #551
This work resolves GHI #375 Changes in file multicast/recv.py: * Documented private variables with _w_ prefix in the recv module docstrings.
* these changes are part of the review of PR #529 Changes in file multicast/recv.py: * minor rewording for technical accuracy.
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@7a3fe6c...4b73464) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [reactive-firewall/shellcheck-scan](https://github.com/reactive-firewall/shellcheck-scan) from 1.2 to 2.2. - [Release notes](https://github.com/reactive-firewall/shellcheck-scan/releases) - [Commits](reactive-firewall/shellcheck-scan@ececa89...50ac9fb) --- updated-dependencies: - dependency-name: reactive-firewall/shellcheck-scan dependency-version: '2.2' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.3 to 4.32.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@9e907b5...c793b71) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
[STYLE] Also update shellcheck-scan version comment (-WIP PR #535 -) Signed-off-by: Mr. Walls <reactive-firewall@users.noreply.github.com>
* This change is related to GHI #375
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@b7c566a...bbbca2d) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@37930b1...70fc10c) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
… PR #536 -) Changes in file .github/actions/run-minimal-acceptance-tests/action.yml: * bump actions/upload-artifact to v7.0.0 Changes in file .github/actions/setup-py-reqs/action.yml: * bump actions/upload-artifact to v7.0.0 Changes in file .github/actions/test-reporter-upload/action.yml: * bump actions/upload-artifact to v7.0.0 Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <support@github.com>
Changes in file .github/actions/checkout-and-rebuild/action.yml: * version bump actions/download-artifact to v8.0.0 Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <support@github.com>
…igest mismatch (- WIP PR #537 -) Changes in file .github/actions/checkout-and-rebuild/action.yml: * configure to error on digest mismatch Changes in file .github/workflows/CI-CHGLOG.yml: * configure to error on digest mismatch Changes in file .github/workflows/CI-DOCS.yml: * configure to error on digest mismatch Changes in file .github/workflows/CI-MATs.yml: * configure to error on digest mismatch Changes in file .github/workflows/Tests.yml: * configure to error on digest mismatch
Changes in file .github/actions/checkout-and-rebuild/action.yml: * Version Bumps Changes in file .github/actions/run-minimal-acceptance-tests/action.yml: * Version Bumps Changes in file .github/actions/setup-py-reqs/action.yml: * Version Bumps Changes in file .github/actions/test-reporter-upload/action.yml: * Version Bumps Changes in file .github/workflows/CI-BUILD.yml: * Version Bumps Changes in file .github/workflows/CI-CHGLOG.yml: * Version Bumps Changes in file .github/workflows/CI-DOCS.yml: * Version Bumps Changes in file .github/workflows/CI-MATs.yml: * Version Bumps Changes in file .github/workflows/Tests.yml: * Version Bumps Changes in file .github/workflows/codeql-analysis.yml: * Version Bumps Changes in file .github/workflows/scorecard.yml: * Version Bumps Changes in file .github/workflows/shellcheck.yml: * Version Bumps Changes in file multicast/recv.py: * Improved documentation slightly
…#534 -) Changes in file .github/workflows/makefile-lint.yml: * Version bump setup-go to v6.3.0
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.2.0 to 4.1.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](actions/attest-build-provenance@96278af...a2bbfa2) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [reactive-firewall/shellcheck-scan](https://github.com/reactive-firewall/shellcheck-scan) from 2.2 to 2.3. - [Release notes](https://github.com/reactive-firewall/shellcheck-scan/releases) - [Commits](reactive-firewall/shellcheck-scan@50ac9fb...9e32395) --- updated-dependencies: - dependency-name: reactive-firewall/shellcheck-scan dependency-version: '2.3' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.5 to 4.32.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c793b71...0d579ff) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Changes in file .github/workflows/CI-BUILD.yml: * use actions/attest@59d8942 - 4.1.0 instead of wrapper
* These changes close PR #540 * These changes also close PR #541 * These changes also close PR #542 Changes in file .github/workflows/CI-BUILD.yml: * Migrated to just actions/attest v4.1.0 from attest-providence-build Changes in file .github/workflows/codeql-analysis.yml: * version bump code-ql to version 4.32.6 Changes in file .github/workflows/scorecard.yml: * version bump code-ql to version 4.32.6 Changes in file .github/workflows/shellcheck.yml: * version bump shellcheck-scan to version 2.3
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 8.0.0 to 8.0.1. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@70fc10c...3e5f45b) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.3 to 5.0.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@cdf6c1f...6682284) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.6 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@0d579ff...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.2 to 6.0.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@671740a...57e3a13) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.3.0 to 6.4.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4b73464...4a36011) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
… PR #543 -) Changes in file .github/actions/checkout-and-rebuild/action.yml: * bump download-artifact to v8.0.1
…rtifact to v7.0.1 (- WIP PR #552 -) * This resolves the review of PR #552 Changes in file .github/actions/run-minimal-acceptance-tests/action.yml: * also update actions/upload-artifact to v7.0.1 Changes in file .github/actions/setup-py-reqs/action.yml: * also update actions/upload-artifact to v7.0.1 Changes in file .github/actions/test-reporter-upload/action.yml: * also update actions/upload-artifact to v7.0.1 Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <support@github.com>
Actionable comments posted: 1
📒 Files selected for processing (9)
- .github/actions/run-minimal-acceptance-tests/action.yml
- .github/actions/setup-py-reqs/action.yml
- .github/actions/test-reporter-upload/action.yml
- .github/workflows/CI-BUILD.yml
- .github/workflows/CI-CHGLOG.yml
- .github/workflows/CI-DOCS.yml
- .github/workflows/CI-MATs.yml
- .github/workflows/Tests.yml
- .github/workflows/scorecard.yml
| id-token: write | ||
| contents: read | ||
| attestations: write | ||
| artifact-metadata: write |
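Review bot: None of the four grants carries a comment naming the step that consumes it, and that matters most at `artifact-metadata: write`, the last line of this block. Add an inline comment beside each write scope stating which step and which option needs it, so a later reader can tell whether the grant is still required or can be dropped.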
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
🌐 Web query:
Does actions/attest@v4.1.0 require artifact-metadata write permission?
💡 Result:
No, actions/attest@v4.1.0 does not strictly require the artifact-metadata: write permission for core functionality (creating attestations). It requires id-token: write and attestations: write permissions. However, the artifact-metadata: write permission is required if you want to create an optional "artifact metadata storage record" (e.g., when using push-to-registry: true or create-storage-record: true). Without it, the action will warn but continue without creating the storage record.
Citations:
- 1: https://github.com/actions/attest
- 2: https://redirect.github.com/actions/attest
- 3: https://docs.github.com/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
- 4: https://github.com/actions/attest-build-provenance/blob/v3.2.0/README.md
The artifact-metadata: write permission is not strictly required for actions/attest@v4.1.0 core functionality.
This permission is only needed if the attest action is configured with optional features such as push-to-registry: true or create-storage-record: true. If these options are not explicitly used in your workflow configuration, consider removing this permission to follow the principle of least privilege.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/CI-BUILD.yml at line 249, The workflow grants the broad
"artifact-metadata: write" permission which is only required when
actions/attest@v4.1.0 is invoked with optional features like push-to-registry or
create-storage-record; remove the "artifact-metadata: write" entry (the
permission key "artifact-metadata") from the permissions block in CI-BUILD.yml
unless you actually enable those options for actions/attest@v4.1.0, or, if
needed, scope it conditionally to only the job that runs actions/attest and
ensure the attest step configuration includes
push-to-registry/create-storage-record when the permission is kept.
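The least-privilege check described in the review comment above, as an added example that is not part of the PR or the project's code: it flags jobs that grant `artifact-metadata: write` without an `actions/attest` step that enables `push-to-registry` or `create-storage-record`. The function names and the sample workflow are constructed for illustration, and the scan is a simple line-based pass that assumes job-level `permissions:` blocks and 2-space indentation rather than a full YAML parser.

```python
# Options that, per the review comment above, need artifact-metadata: write.
STORAGE_OPTIONS = ("push-to-registry: true", "create-storage-record: true")

# Constructed sample workflow, not the project's CI-BUILD.yml.
SAMPLE = """\
jobs:
  build:
    permissions:
      id-token: write
      attestations: write
      artifact-metadata: write  # no storage option below
    steps:
      - uses: actions/attest@v4.1.0
        with:
          subject-path: dist/*
  publish:
    permissions:
      id-token: write
      attestations: write
      artifact-metadata: write
    steps:
      - uses: actions/attest@v4.1.0
        with:
          subject-path: dist/*
          push-to-registry: true
"""

def split_jobs(text):
    """Map job name -> stripped lines; assumes 2-space indent under jobs:."""
    jobs, current, in_jobs = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#")[0].rstrip()  # drop comments
        if line and not line[0].isspace():  # new top-level key
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and line[2:3].strip() and line.endswith(":"):
            current = line.strip()[:-1]  # job header at indent 2
            jobs[current] = []
        elif in_jobs and current:
            jobs[current].append(line.lstrip(" -"))
    return jobs

def unneeded_artifact_metadata(text):
    """Jobs granting artifact-metadata: write with no attest storage option."""
    findings = []
    for name, lines in split_jobs(text).items():
        attests = any(l.startswith("uses: actions/attest@") for l in lines)
        stores = attests and any(opt in lines for opt in STORAGE_OPTIONS)
        if "artifact-metadata: write" in lines and not stores:
            findings.append(name)
    return findings
```

Run over the sample, `unneeded_artifact_metadata(SAMPLE)` reports only the `build` job; the `publish` job keeps the grant because its attest step sets `push-to-registry: true`.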
Codecov Report: ✅ All modified and coverable lines are covered by tests.



Patch Notes
Impacted GHI
Included and Superseded PR/MRs