Add OpenSSF Scorecards GitHub Action by pnacht · Pull Request #48570 · pandas-dev/pandas (original) (raw)

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Conversation12 Commits10 Checks0 Files changed

Conversation

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})

Closes #48566

As per the linked issue, this PR adds the OpenSSF Scorecards GitHub Action, which automatically checks the repo's supply-chain security processes and reports results to the repo's Security dashboard.

I have also taken the liberty of adding a badge to the README.md displaying the project's score. This badge is strictly optional and can be easily removed, just say the word!

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good in general. Can you disable the workflow for forks, by adding a if: github.repository=="pandas-dev/pandas" somewhere?

Thanks.


steps:
- name: "Checkout code"
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious, could we just specify the tags instead of the commit hashes here (that's what we do for other actions)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The OpenSSF recommends pinning to hashes instead of versions in order to protect against tag-renaming attacks (whereby an attacker hijacks an action, uploads a malicious version and replaces an existing tag with the malicious version). However, we're aware there are pros and cons to this approach, so if you prefer I can modify the workflow to use versions instead of hashes.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we would prefer using the tags for consistency with other workflows. We can look into using hashes for all of our workflows in the future.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@mroeschke I'm not sure why the CircleCI tests are failing. Seems to be missing python tests? I've noticed a few other recent PRs with the same failures (#48658, #48621), was this solved?

@mroeschke I'm not sure why the CircleCI tests are failing. Seems to be missing python tests? I've noticed a few other recent PRs with the same failures (#48658, #48621), was this solved?

Can you merge main?

Yes, this should be quick to fix. Many apologies! I'll write a new PR with a fix in a few minutes.

@phofl Submitted the PR fixing this #48668. Truly sorry, my apologies!

phofl pushed a commit to phofl/pandas that referenced this pull request

Sep 22, 2022

Create scorecards.yml
Update scorecards.yml
Add OpenSSF Scorecards badge to README.md
Trim whitespace in scorecards.yml
Skip scorecards.yml on forks
Fix whitespace
Pin scorecards.yml dependencies to major versions

mroeschke added a commit that referenced this pull request

Sep 26, 2022

…8662)

BUG: Series.getitem not falling back to positional for bool index
Update pandas/tests/series/indexing/test_getitem.py

Co-authored-by: Matthew Roeschke 10647082+mroeschke@users.noreply.github.com

Fix build warning for use of strdup in ultrajson (#48369)
WEB: Update versions json to fix version switcher in the docs (#48655)
PERF: join/merge on subset of MultiIndex (#48611)
DOC: Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter (#48631)
Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter
Add test case for date_range construction using datetime.timedelta
TYP: tighten Axis (#48612)
TYP: tighten Axis
allow 'rows'
BUG: Fix metadata propagation in df.corr and df.cov, GH28283 (#48616)
Add finalize to df.corr and df.cov
Clean
TST: add test case for PeriodIndex in HDFStore(GH7796) (#48618)
TST: add test case for PeriodIndex in HDFStore
TST: add test case for PeriodIndex in HDFStore
use pytest.mark.parameterize instead
Add OpenSSF Scorecards GitHub Action (#48570)
Create scorecards.yml
Update scorecards.yml
Add OpenSSF Scorecards badge to README.md
Trim whitespace in scorecards.yml
Skip scorecards.yml on forks
Fix whitespace
Pin scorecards.yml dependencies to major versions
ENH: move an exception and add a prehook to check for exception place… (#48088)
ENH: move an exception and add a prehook to check for exception placement
ENH: fix import
ENH: revert moving error
ENH: add docstring and fix import for test
ENH: re-design approach based on feedback
ENH: update whatsnew rst
ENH: apply feedback changes
ENH: refactor to remove exception_warning_list and ignore _version.py
ENH: remove NotThisMethod from tests and all
REGR: TextIOWrapper raising an error in read_csv (#48651)
REGR: TextIOWrapper raising an error in read_csv
pyupgrade
do not try to seek on unseekable buffers
unseekable buffer might also have read ahead
safer alternative: do not mess with internal/private(?) buffer of TextIOWrapper (effectively applies the shortcut only to files pandas opens)
Fix scorecard.yml workflow (#48668)
Set scorecard-action to v2.0.3

scorecard-action does not have a major version tag.

Temporarily disabling github.repository check to ensure action now works.

Enable github.repository check
BUG: DatetimeIndex ignoring explicit tz=None (#48659)
BUG: DatetimeIndex ignoring explicit tz=None
GH ref
Corrected pd.merge indicator type hint (#48677)
Corrected pd.merge indicator type hint

https://pandas.pydata.org/docs/reference/api/pandas.merge.html It should be "str | bool" instead of just string

Update merge.py

fixed type hint in merge.py

Update merge.py

Update indicator type hint in _MergeOperation

Update merge.py

Added type hint _MergeOperation init

DOC: Document default value for options.display.max_cols when not running in terminal (#48672)

DOC: Document default value for options.display.max_cols

display.max_cols has a default value of 20 when not running in a terminal such as Jupyter Notebook

ENH: DTA/TDA add datetimelike scalar with mismatched reso (#48669)
ENH: DTA/TDA add datetimelike scalar with mismatched reso
mypy fixup
REF: support reso in remaining tslibs helpers (#48661)
REF: support reso in remaining tslibs helpers
update setup.py
PERF: Avoid fragmentation of DataFrame in read_sas (#48603)
PERF: Avoid fragmentation of DataFrame in read_sas
Add whatsnew
Add warning
DOC: Add deprecation infos to deprecated functions (#48599)
DOC: Add deprecation infos to deprecated functions
Add sections
Fix
BLD: Build wheels using cibuildwheel (#48283)
BLD: Build wheels using cibuildwheel
update from code review

Co-Authored-By: Matthew Roeschke 10647082+mroeschke@users.noreply.github.com

fix 3.11 version
changes from code review
Update test_wheels.py
sync run time with pandas-wheels

Co-authored-by: Matthew Roeschke 10647082+mroeschke@users.noreply.github.com

REGR: Performance decrease in factorize (#48620)
TYP: type all arguments with str default values (#48508)
TYP: type all arguments with str default values
na_rep: back to str
na(t)_rep is always a string
add float for some functions
and the same for the few float default arguments
define a few more literal constants
avoid itertools.cycle mypy error
revert mistake
TST: Catch more pyarrow PerformanceWarnings (#48699)
REGR: to_hdf raising AssertionError with boolean index (#48696)
REGR: to_hdf raising AssertionError with boolean index
Add gh ref
REGR: Regression in DataFrame.loc when setting df with all True indexer (#48711)
BUG: pivot_table raising for nullable dtype and margins (#48714)
TST: Address MPL 3.6 deprecation warnings (#48695)
TST: Address MPL 3.6 deprecation warnings
Address min build
missing ()

noatamir pushed a commit to noatamir/pandas that referenced this pull request

Nov 9, 2022

Create scorecards.yml
Update scorecards.yml
Add OpenSSF Scorecards badge to README.md
Trim whitespace in scorecards.yml
Skip scorecards.yml on forks
Fix whitespace
Pin scorecards.yml dependencies to major versions

noatamir pushed a commit to noatamir/pandas that referenced this pull request

Nov 9, 2022

…ndas-dev#48662)

BUG: Series.getitem not falling back to positional for bool index
Update pandas/tests/series/indexing/test_getitem.py

Co-authored-by: Matthew Roeschke 10647082+mroeschke@users.noreply.github.com

Fix build warning for use of strdup in ultrajson (pandas-dev#48369)
WEB: Update versions json to fix version switcher in the docs (pandas-dev#48655)
PERF: join/merge on subset of MultiIndex (pandas-dev#48611)
DOC: Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter (pandas-dev#48631)
Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter
Add test case for date_range construction using datetime.timedelta
TYP: tighten Axis (pandas-dev#48612)
TYP: tighten Axis
allow 'rows'
BUG: Fix metadata propagation in df.corr and df.cov, GH28283 (pandas-dev#48616)
Add finalize to df.corr and df.cov
Clean
TST: add test case for PeriodIndex in HDFStore(GH7796) (pandas-dev#48618)
TST: add test case for PeriodIndex in HDFStore
TST: add test case for PeriodIndex in HDFStore
use pytest.mark.parameterize instead
Add OpenSSF Scorecards GitHub Action (pandas-dev#48570)
Create scorecards.yml
Update scorecards.yml
Add OpenSSF Scorecards badge to README.md
Trim whitespace in scorecards.yml
Skip scorecards.yml on forks
Fix whitespace
Pin scorecards.yml dependencies to major versions
ENH: move an exception and add a prehook to check for exception place… (pandas-dev#48088)
ENH: move an exception and add a prehook to check for exception placement
ENH: fix import
ENH: revert moving error
ENH: add docstring and fix import for test
ENH: re-design approach based on feedback
ENH: update whatsnew rst
ENH: apply feedback changes
ENH: refactor to remove exception_warning_list and ignore _version.py
ENH: remove NotThisMethod from tests and all
REGR: TextIOWrapper raising an error in read_csv (pandas-dev#48651)
REGR: TextIOWrapper raising an error in read_csv
pyupgrade
do not try to seek on unseekable buffers
unseekable buffer might also have read ahead
safer alternative: do not mess with internal/private(?) buffer of TextIOWrapper (effectively applies the shortcut only to files pandas opens)
Fix scorecard.yml workflow (pandas-dev#48668)
Set scorecard-action to v2.0.3

scorecard-action does not have a major version tag.

Temporarily disabling github.repository check to ensure action now works.

Enable github.repository check
BUG: DatetimeIndex ignoring explicit tz=None (pandas-dev#48659)
BUG: DatetimeIndex ignoring explicit tz=None
GH ref
Corrected pd.merge indicator type hint (pandas-dev#48677)
Corrected pd.merge indicator type hint

https://pandas.pydata.org/docs/reference/api/pandas.merge.html It should be "str | bool" instead of just string

Update merge.py

fixed type hint in merge.py

Update merge.py

Update indicator type hint in _MergeOperation

Update merge.py

Added type hint _MergeOperation init

DOC: Document default value for options.display.max_cols when not running in terminal (pandas-dev#48672)

DOC: Document default value for options.display.max_cols

display.max_cols has a default value of 20 when not running in a terminal such as Jupyter Notebook

ENH: DTA/TDA add datetimelike scalar with mismatched reso (pandas-dev#48669)
ENH: DTA/TDA add datetimelike scalar with mismatched reso
mypy fixup
REF: support reso in remaining tslibs helpers (pandas-dev#48661)
REF: support reso in remaining tslibs helpers
update setup.py
PERF: Avoid fragmentation of DataFrame in read_sas (pandas-dev#48603)
PERF: Avoid fragmentation of DataFrame in read_sas
Add whatsnew
Add warning
DOC: Add deprecation infos to deprecated functions (pandas-dev#48599)
DOC: Add deprecation infos to deprecated functions
Add sections
Fix
BLD: Build wheels using cibuildwheel (pandas-dev#48283)
BLD: Build wheels using cibuildwheel
update from code review

Co-Authored-By: Matthew Roeschke 10647082+mroeschke@users.noreply.github.com

fix 3.11 version
changes from code review
Update test_wheels.py
sync run time with pandas-wheels

Co-authored-by: Matthew Roeschke 10647082+mroeschke@users.noreply.github.com

REGR: Performance decrease in factorize (pandas-dev#48620)
TYP: type all arguments with str default values (pandas-dev#48508)
TYP: type all arguments with str default values
na_rep: back to str
na(t)_rep is always a string
add float for some functions
and the same for the few float default arguments
define a few more literal constants
avoid itertools.cycle mypy error
revert mistake
TST: Catch more pyarrow PerformanceWarnings (pandas-dev#48699)
REGR: to_hdf raising AssertionError with boolean index (pandas-dev#48696)
REGR: to_hdf raising AssertionError with boolean index
Add gh ref
REGR: Regression in DataFrame.loc when setting df with all True indexer (pandas-dev#48711)
BUG: pivot_table raising for nullable dtype and margins (pandas-dev#48714)
TST: Address MPL 3.6 deprecation warnings (pandas-dev#48695)
TST: Address MPL 3.6 deprecation warnings
Address min build
missing ()

Labels

Continuous Integration