From 0f81c0d11039c33f2b9af3860baeee77b782a611 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Houpert?= <10154151+lhoupert@users.noreply.github.com> Date: Sat, 28 Mar 2026 01:35:36 +0000 Subject: [PATCH 1/2] fix: update existing comment for integration test in PR for new committs --- .github/scripts/validate_results.py | 6 ++++- .github/workflows/integration-tests.yml | 31 +++++++++++++++++++------ .gitignore | 3 +++ 3 files changed, 32 insertions(+), 8 deletions(-) create mode 100644 .gitignore diff --git a/.github/scripts/validate_results.py b/.github/scripts/validate_results.py index 3a46ef4..01ded1b 100644 --- a/.github/scripts/validate_results.py +++ b/.github/scripts/validate_results.py @@ -134,6 +134,10 @@ def validate_test( # --------------------------------------------------------------------------- +# Unique marker so the workflow can find & update this comment +COMMENT_MARKER = "" + + def generate_report( expected_results: dict, conclusions: dict[str, str], @@ -142,7 +146,7 @@ def generate_report( all_errors: dict[str, list[str]], ) -> str: """Generate a markdown report summarising validation results.""" - lines: list[str] = [] + lines: list[str] = [COMMENT_MARKER, ""] total_pass = sum(1 for errs in all_errors.values() if not errs) total_fail = sum(1 for errs in all_errors.values() if errs) total_missing = EXPECTED_COUNT - len(conclusions) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index f8ce719..e5ec701 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -143,7 +143,7 @@ jobs: NEEDS_JSON: ${{ toJSON(needs) }} run: python .github/scripts/validate_results.py - - name: Post PR comment + - name: Post or update PR comment if: always() env: GH_TOKEN: ${{ github.token }} 
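Review bot: `COMMENT_MARKER` is assigned `""` as this hunk is rendered, so unless an HTML-comment token was lost in extraction the marker is empty, and an empty marker breaks the update logic: the workflow hunk at `@@ -152,9 +152,26 @@` selects comments with `.body | contains(\"${MARKER}\")`, which is true for every body when the marker is `""`, so the job would PATCH the first comment on the PR, including one written by a person. Make the value distinctive and non-empty, e.g. `COMMENT_MARKER = "<!-- validate_results:integration-report -->"` (constructed example), and fail fast on an empty value with `if not COMMENT_MARKER: raise ValueError("COMMENT_MARKER must be non-empty")`. The same literal is retyped as `MARKER=""` in the workflow, so the two copies can drift silently; since the report's first line is the marker (`lines = [COMMENT_MARKER, ""]` in the next hunk, presumably joined with newlines), the workflow could take it from `head -n 1 validation-report.md` instead of keeping a second copy.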
@@ -152,9 +152,26 @@ jobs: echo "No report generated" >&2 exit 0 fi - # Try to update an existing comment, otherwise create a new one - gh pr comment "${{ github.event.pull_request.number }}" \ - --body-file validation-report.md \ - --edit-last 2>/dev/null || \ - gh pr comment "${{ github.event.pull_request.number }}" \ - --body-file validation-report.md + + MARKER="" + PR_NUMBER="${{ github.event.pull_request.number }}" + + # Find existing comment with our marker + COMMENT_ID=$( + gh api \ + "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \ + --paginate -q \ + ".[] | select(.body | contains(\"${MARKER}\")) | .id" \ + | head -n 1 + ) + + if [ -n "$COMMENT_ID" ]; then + gh api \ + "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \ + --method PATCH \ + -F "body=@validation-report.md" + echo "Updated existing comment ${COMMENT_ID}" + else + gh pr comment "${PR_NUMBER}" --body-file validation-report.md + echo "Created new comment" + fi diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5947688 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +# Python +__pycache__/ +*.py[cod] From 80b28dc40034561b665037f0ce9c99e0adc19950 Mon Sep 17 00:00:00 2001 
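Review bot: The lookup in the new `COMMENT_ID=$( … )` block matches on body text alone, so any comment on the PR that happens to contain the marker, including one posted by a person, is selected and overwritten by the PATCH; restrict it to comments the workflow itself authored, e.g. `".[] | select(.user.login == \"github-actions[bot]\" and (.body | contains(\"${MARKER}\"))) | .id"`. The pipe into `head -n 1` also hides a failing `gh api` call: the substitution then yields an empty `COMMENT_ID`, the `else` branch posts a fresh comment, and every later run adds another one instead of surfacing the error, so put `set -o pipefail` at the top of the script (or check `${PIPESTATUS[0]}`) unless the step already declares `shell: bash`, which enables pipefail and is outside this hunk. The step header with its `if: always()` is in the preceding hunk.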
From: =?UTF-8?q?Lo=C3=AFc=20Houpert?= <10154151+lhoupert@users.noreply.github.com> Date: Sat, 28 Mar 2026 14:51:58 +0000 Subject: [PATCH 2/2] fix: fix 6 of 7 failing integration test validations Phase 1 - tests repo only (no action release needed): - validate_results.py: use rglob() to find pip-audit-report.json nested inside artifact subdirectory when working_directory != "." (LCA issue). Fixes artifact path nesting for tests 08, 13 and unblocks 05 once its pip-audit issue is resolved. - expected_results.yml: update bandit rule B303 -> B324 for tests 06 and 08. Bandit 1.8.6 reports hashlib.md5() as B324, not B303. - 11-requirements-root/requirements.txt: bump flask 3.1.1 -> 3.1.3 to fix new CVE that caused test 11 to block on a fixable vulnerability. Phase 2 - action release v0.4.3: - Pin all 14 test workflows to action v0.4.3 (SHA 6791db45b1aea51db705d38978ad62b855b34b32), which fixes the comma->space separator bug in resolve-targets and adds debug logging. --- .github/scripts/validate_results.py | 6 ++++++ .github/workflows/01-requirements-flat.yml | 2 +- .github/workflows/02-requirements-src-bandit.yml | 2 +- .github/workflows/03-requirements-multi-both.yml | 2 +- .github/workflows/04-uv-flat.yml | 2 +- .github/workflows/05-uv-src-vuln.yml | 2 +- .github/workflows/06-uv-multi-bandit.yml | 2 +- .github/workflows/07-poetry-flat.yml | 2 +- .github/workflows/08-poetry-src-both.yml | 2 +- .github/workflows/09-pipenv-flat.yml | 2 +- .github/workflows/10-pipenv-multi-bandit.yml | 2 +- .github/workflows/11-requirements-root.yml | 2 +- .github/workflows/12-uv-flat-bandit-only.yml | 2 +- .github/workflows/13-requirements-unfixable.yml | 2 +- .github/workflows/14-uv-low-threshold.yml | 2 +- .vscode/settings.json | 7 +++++++ 11-requirements-root/requirements.txt | 2 +- expected_results.yml | 4 ++-- 18 files changed, 30 insertions(+), 17 deletions(-) create mode 100644 .vscode/settings.json 
diff --git a/.github/scripts/validate_results.py b/.github/scripts/validate_results.py index 42b871e..935a2bf 100644 --- a/.github/scripts/validate_results.py +++ b/.github/scripts/validate_results.py @@ -246,6 +246,12 @@ def main() -> int: pip_audit_path = artifact_dir / "pip-audit-report.json" if pip_audit_path.exists(): pip_audit_findings = parse_pip_audit(pip_audit_path) + else: + # Artifact upload uses least common ancestor, so the file may be nested + # e.g. artifacts/security-audit-08/08-poetry-src-both/pip-audit-report.json + nested = next(artifact_dir.rglob("pip-audit-report.json"), None) + if nested: + pip_audit_findings = parse_pip_audit(nested) all_bandit[num] = bandit_findings all_pip_audit[num] = pip_audit_findings diff --git a/.github/workflows/01-requirements-flat.yml b/.github/workflows/01-requirements-flat.yml index 0dae937..4cf1adb 100644 --- a/.github/workflows/01-requirements-flat.yml +++ b/.github/workflows/01-requirements-flat.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 01-requirements-flat package_manager: requirements diff --git a/.github/workflows/02-requirements-src-bandit.yml b/.github/workflows/02-requirements-src-bandit.yml index d46e48a..4f3cccf 100644 --- a/.github/workflows/02-requirements-src-bandit.yml +++ b/.github/workflows/02-requirements-src-bandit.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 02-requirements-src-bandit package_manager: requirements 
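Review bot: In the new `else:` branch, `next(artifact_dir.rglob("pip-audit-report.json"), None)` takes whichever match the directory walk yields first, which is not deterministic across filesystems if an artifact ever contains two reports, and when it finds nothing it stays silent, leaving `pip_audit_findings` at whatever value it was given before this hunk (not visible here); for a validator of security-scan output that can turn a missing report into an apparent clean result. Sort the matches, warn when there is more than one, and say explicitly when none is found; the rewrite below assumes `sys` is imported at the top of the file, which is outside the hunk. `main()` starts and ends outside this hunk.
```python
            else:
                # Artifact upload uses least common ancestor, so the file may be nested
                # e.g. artifacts/security-audit-08/08-poetry-src-both/pip-audit-report.json
                # sorted() makes the choice deterministic if rglob yields several hits
                matches = sorted(artifact_dir.rglob("pip-audit-report.json"))
                if len(matches) > 1:
                    print(
                        f"warning: test {num}: {len(matches)} pip-audit reports under "
                        f"{artifact_dir}, using {matches[0]}",
                        file=sys.stderr,
                    )
                if matches:
                    pip_audit_findings = parse_pip_audit(matches[0])
                else:
                    print(
                        f"warning: test {num}: no pip-audit-report.json found under {artifact_dir}",
                        file=sys.stderr,
                    )
            # … unchanged: all_bandit / all_pip_audit assignments …
```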
diff --git a/.github/workflows/03-requirements-multi-both.yml b/.github/workflows/03-requirements-multi-both.yml index 92283fc..c926521 100644 --- a/.github/workflows/03-requirements-multi-both.yml +++ b/.github/workflows/03-requirements-multi-both.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 03-requirements-multi-both package_manager: requirements diff --git a/.github/workflows/04-uv-flat.yml b/.github/workflows/04-uv-flat.yml index b3b42c2..48cd823 100644 --- a/.github/workflows/04-uv-flat.yml +++ b/.github/workflows/04-uv-flat.yml @@ -22,7 +22,7 @@ jobs: run: uv lock - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 04-uv-flat package_manager: uv diff --git a/.github/workflows/05-uv-src-vuln.yml b/.github/workflows/05-uv-src-vuln.yml index a616ecc..96c03e7 100644 --- a/.github/workflows/05-uv-src-vuln.yml +++ b/.github/workflows/05-uv-src-vuln.yml @@ -22,7 +22,7 @@ jobs: run: uv lock - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 05-uv-src-vuln package_manager: uv diff --git a/.github/workflows/06-uv-multi-bandit.yml b/.github/workflows/06-uv-multi-bandit.yml index 392b22b..e988fe6 100644 --- a/.github/workflows/06-uv-multi-bandit.yml +++ b/.github/workflows/06-uv-multi-bandit.yml 
@@ -22,7 +22,7 @@ jobs: run: uv lock - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 06-uv-multi-bandit package_manager: uv diff --git a/.github/workflows/07-poetry-flat.yml b/.github/workflows/07-poetry-flat.yml index 38f0059..667f5d3 100644 --- a/.github/workflows/07-poetry-flat.yml +++ b/.github/workflows/07-poetry-flat.yml @@ -22,7 +22,7 @@ jobs: run: poetry lock - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 07-poetry-flat package_manager: poetry diff --git a/.github/workflows/08-poetry-src-both.yml b/.github/workflows/08-poetry-src-both.yml index ac58efa..bbceb8a 100644 --- a/.github/workflows/08-poetry-src-both.yml +++ b/.github/workflows/08-poetry-src-both.yml @@ -22,7 +22,7 @@ jobs: run: poetry lock - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 08-poetry-src-both package_manager: poetry diff --git a/.github/workflows/09-pipenv-flat.yml b/.github/workflows/09-pipenv-flat.yml index 9410cb4..379ec64 100644 --- a/.github/workflows/09-pipenv-flat.yml +++ b/.github/workflows/09-pipenv-flat.yml @@ -27,7 +27,7 @@ jobs: run: pipenv install - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 09-pipenv-flat package_manager: pipenv 
diff --git a/.github/workflows/10-pipenv-multi-bandit.yml b/.github/workflows/10-pipenv-multi-bandit.yml index 6f4032d..3adf4f4 100644 --- a/.github/workflows/10-pipenv-multi-bandit.yml +++ b/.github/workflows/10-pipenv-multi-bandit.yml @@ -27,7 +27,7 @@ jobs: run: pipenv install - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 10-pipenv-multi-bandit package_manager: pipenv diff --git a/.github/workflows/11-requirements-root.yml b/.github/workflows/11-requirements-root.yml index d2fbaeb..df52a81 100644 --- a/.github/workflows/11-requirements-root.yml +++ b/.github/workflows/11-requirements-root.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: package_manager: requirements requirements_file: 11-requirements-root/requirements.txt diff --git a/.github/workflows/12-uv-flat-bandit-only.yml b/.github/workflows/12-uv-flat-bandit-only.yml index edad4b1..af2315b 100644 --- a/.github/workflows/12-uv-flat-bandit-only.yml +++ b/.github/workflows/12-uv-flat-bandit-only.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 12-uv-flat-bandit-only tools: bandit diff --git a/.github/workflows/13-requirements-unfixable.yml b/.github/workflows/13-requirements-unfixable.yml index 8f4f6ce..74b06d2 100644 --- a/.github/workflows/13-requirements-unfixable.yml +++ b/.github/workflows/13-requirements-unfixable.yml 
@@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 13-requirements-unfixable package_manager: requirements diff --git a/.github/workflows/14-uv-low-threshold.yml b/.github/workflows/14-uv-low-threshold.yml index bcaca43..fb4f21b 100644 --- a/.github/workflows/14-uv-low-threshold.yml +++ b/.github/workflows/14-uv-low-threshold.yml @@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Run security audit - uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2 + uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3 with: working_directory: 14-uv-low-threshold tools: bandit diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..eee338f --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,7 @@ +{ + "chat.tools.terminal.autoApprove": { + "uv": true, + "git push": true, + "gh": true + } +} \ No newline at end of file diff --git a/11-requirements-root/requirements.txt b/11-requirements-root/requirements.txt index fb5024f..e6365da 100644 --- a/11-requirements-root/requirements.txt +++ b/11-requirements-root/requirements.txt @@ -1 +1 @@ -flask==3.1.1 +flask==3.1.3 diff --git a/expected_results.yml b/expected_results.yml index 5258056..683e936 100644 --- a/expected_results.yml +++ b/expected_results.yml @@ -56,7 +56,7 @@ tests: bandit_findings: - rule_id: B506 level: warning - - rule_id: B303 + - rule_id: B324 level: warning pip_audit_findings: [] @@ -70,7 +70,7 @@ tests: name: "poetry · src/ · bandit MEDIUM + pip-audit" expected_conclusion: failure bandit_findings: - - rule_id: B303 + - rule_id: B324 level: warning - rule_id: B105 level: warning
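Review bot: The new `.vscode/settings.json` commits an editor auto-approval policy (`chat.tools.terminal.autoApprove` granting `uv`, `git push` and `gh` without confirmation) into a shared repository; that is a per-developer preference, and as a workspace setting it would presumably apply to anyone who opens this checkout with the assistant enabled, letting an agent push commits and run arbitrary `gh` subcommands (releases, repository settings, secrets) under that person's credentials with no prompt, so how VS Code scopes workspace-level auto-approve entries should be confirmed before keeping it. Move the setting to user settings or an untracked local file and add `.vscode/` to the `.gitignore` introduced in the first patch. The file also ends without a trailing newline (`\ No newline at end of file`).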