Release #83
* record_type_info and load_record_types functions added
* Moved functions to cli commands
* Corrected review changes
…ands and YubiKey fix
| name: Publish Keeper CLI to PyPi | ||
| runs-on: ubuntu-latest | ||
| needs: [build-n-publish] | ||
| environment: prod | ||
|
|
||
| steps: | ||
| - uses: actions/download-artifact@v3 | ||
| with: | ||
| name: CommanderWheel | ||
| path: dist | ||
| name: KeeperCLIWheel | ||
| path: keepercli-package/dist | ||
|
|
||
| - name: Set up Python 3.10 | ||
| - name: Set up Python 3.11 | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: '3.10' | ||
| architecture: 'x64' | ||
|
|
||
| - name: Retrieve secrets from Keeper | ||
| id: ksecrets | ||
| uses: Keeper-Security/ksm-action@master | ||
| with: | ||
| keeper-secret-config: ${{ secrets.KSM_COMMANDER_SECRET_CONFIG }} | ||
| secrets: | | ||
| gD5LOOhI5QbnSFk8mIg3gg/field/password > PYPI_PASSWORD | ||
| python-version: '3.11' | ||
|
|
||
| - name: Publish to PyPi | ||
| - name: Publish keepercli to PyPi | ||
| env: | ||
| TWINE_USERNAME: __token__ | ||
| TWINE_PASSWORD: ${{ steps.ksecrets.outputs.PYPI_PASSWORD }} | ||
| TWINE_PASSWORD: ${{ secrets.PYPI_PUBLISH_TOKEN }} | ||
| run: | | ||
| python -m pip install -U setuptools pip wheel twine | ||
| twine upload dist/* | ||
| twine upload -r pypi keepercli-package/dist/* |
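Review bot: the new `Publish keepercli to PyPi` step still authenticates with a long-lived API token (`secrets.PYPI_PUBLISH_TOKEN`), and `actions/download-artifact@v3` and `actions/setup-python@v4` are referenced by mutable major-version tags rather than full commit SHAs. Dropping `Keeper-Security/ksm-action@master` from the release path is the right direction (a floating branch reference on a third-party action is a supply-chain exposure), so finish the job: pin the remaining actions to SHAs, add an explicit `permissions:` block to this job (CodeQL flags its absence), and since the job does nothing but upload to PyPI, consider PyPI trusted publishing (`id-token: write` with `pypa/gh-action-pypi-publish`) so no static token has to live in repository secrets. Also note `actions/download-artifact@v3` is deprecated; the SDK workflow in this same PR moves to v4, so the two release jobs should agree.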
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Copilot Autofix
AI about 2 months ago
To fix this issue, we need to add a permissions block to the publish-pypi job in .github/workflows/publish-cli-to-pypi.yml, as was already done for the build-n-publish job. The recommended minimum starting point is to set contents: read, which allows the job to read repository contents but not write to it. This achieves the principle of least privilege and stops jobs from having unnecessary access. To implement this, add the block after the timeout-minutes/runs-on/needs/environment section but before steps: in the publish-pypi job.
| @@ -50,6 +50,8 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: [build-n-publish] | ||
| environment: prod | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - uses: actions/download-artifact@v3 |
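Review bot: the `permissions:` / `contents: read` insertion between `environment: prod` and `steps:` is at the correct job-level position, but this only scopes `GITHUB_TOKEN`; it does nothing for the `PYPI_PUBLISH_TOKEN` secret the publish step actually uses, which still needs project scoping on the PyPI side or replacement by trusted publishing. A workflow-level `permissions:` default would also cover any job added to this file later instead of relying on each job remembering the block.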
| name: Publish to Production PyPI | ||
| runs-on: ubuntu-latest | ||
| needs: [build-wheel] | ||
| needs: [publish-test-pypi] | ||
| environment: prod | ||
|
|
||
| steps: | ||
| - uses: actions/download-artifact@v3 | ||
| - uses: actions/download-artifact@v4 | ||
| with: | ||
| name: CommanderWheel | ||
| path: dist | ||
|
|
||
| - name: Set up Python 3.10 | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: '3.11' | ||
| name: KeeperSdkWheel | ||
| path: keepersdk-package/dist | ||
|
|
||
| - name: Retrieve secrets from Keeper | ||
| id: ksecrets | ||
| uses: Keeper-Security/ksm-action@master | ||
| - name: Set up Python 3.13 | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| keeper-secret-config: ${{ secrets.KSM_COMMANDER_SECRET_CONFIG }} | ||
| secrets: | | ||
| gD5LOOhI5QbnSFk8mIg3gg/field/password > PYPI_PASSWORD | ||
| python-version: '3.13' | ||
|
|
||
| - name: Publish to PyPi | ||
| - name: Publish to PyPI | ||
| env: | ||
| TWINE_USERNAME: __token__ | ||
| TWINE_PASSWORD: ${{ steps.ksecrets.outputs.PYPI_PASSWORD }} | ||
| TWINE_PASSWORD: ${{ secrets.PYPI_PUBLISH_TOKEN }} | ||
| run: | | ||
| python -m pip install -U setuptools pip wheel twine | ||
| twine upload dist/* | ||
| python -m pip install -U twine | ||
| twine upload keepersdk-package/dist/* |
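Review bot: in the `Publish to Production PyPI` job, `download-artifact` moves from v3 to v4 while `needs:` changes from `[build-wheel]` to `[publish-test-pypi]`; v4 artifacts are not interoperable with v3 uploads, so confirm the producing job also uses `actions/upload-artifact@v4` (not visible in this hunk) or the download will fail at release time. Same points as the CLI workflow apply here: `actions/setup-python@v5` and `actions/download-artifact@v4` are mutable tags and should be pinned to commit SHAs, the job has no `permissions:` block, and `secrets.PYPI_PUBLISH_TOKEN` is a long-lived credential where trusted publishing would fit. Shrinking `pip install -U setuptools pip wheel twine` to `-U twine` is fine, since only twine is invoked in this step.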
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Copilot Autofix
AI about 2 months ago
The best fix is to add an explicit permissions block to the publish-pypi job, limiting the permissions of the GITHUB_TOKEN. In this case, since the job does not appear to require any write access to the repository (it only uploads the built artifact to PyPI using secrets), the minimal contents: read permission is appropriate. This is already the setting used in the build-and-test job, so it should also be applied here for consistency and in accordance with the principle of least privilege.
Change needed:
In .github/workflows/publish-sdk.yml, add the following under the publish-pypi: job (aligned with other keys like runs-on and needs):
permissions:
  contents: read
No additional methods, imports, or library dependencies are needed.
| @@ -69,6 +69,8 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: [publish-test-pypi] | ||
| environment: prod | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - uses: actions/download-artifact@v4 |
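Review bot: the two-line `permissions:` block after `environment: prod` is correct for this job, matching the fix proposed for the CLI workflow; with both publish jobs now needing it, a top-level `permissions:` with `contents: read` in each workflow file would be harder to miss when a new job is added, with individual jobs widening only what they need.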
No description provided.